Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

1

Soundpad_x....1.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    105s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Soundpad_x64-4.0.1.msi

  • Size

    6.6MB

  • MD5

    42e8dd5f84f7d0384df0845312298110

  • SHA1

    75f78634b56c2f87e8a85e23a2608b02971ae90a

  • SHA256

    ca73ea0832176c89fa19a0361acf8e66f3d811d289ef4437f5a026a632c435d9

  • SHA512

    bd6f4ae8c392cc585407704a6d40e10d7edd337084f6c060e6af94759ccffeaa57c7c7bc238862a0fc03c6d0764125801c5558c1acb16f6ae9c1c054dbc87a69

  • SSDEEP

    98304:mSAajJtbtGzMDW9KbkWlQenYxwgxQEOb6cPn9TMdQUKsXcMxGNkte2rsiW+:mSzIMqUQWl1nYDkPn9TsQVKukw2wi

Score
6/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 11 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Soundpad_x64-4.0.1.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:928
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding ABC8D6279F303E2079D12B6B997C8DCD C
      2⤵
      • Loads dropped DLL
      PID:3000
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5020
      • C:\Program Files\Soundpad\Soundpad.exe
        "C:\Program Files\Soundpad\Soundpad.exe" -i -s
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Registers COM server for autorun
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
          3⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1832
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:552
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x338 0x354
      1⤵
      • Loads dropped DLL
      PID:4656
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5016
      • C:\Program Files\Soundpad\Soundpad.exe
        "C:\Program Files\Soundpad\Soundpad.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Program Files\Soundpad\SoundpadService.exe
          "C:\Program Files\Soundpad\SoundpadService.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e57b1bd.rbs
        Filesize

        20KB

        MD5

        ebb5ea9177a4aa95354ae98affc6dd7f

        SHA1

        b73d7d2c1171a6c96260938d63192a9971481eeb

        SHA256

        034d3f6f7dd44ffe9d47c2bdb22ffc7b97e17a09c30fdc40be835b9712263474

        SHA512

        845ae514bf59e43fbd71f45e168bcf18cebed52cbb68af5da7d5605f2a6364a7a9aec6af6c53d2c1b5ec171bc90606ed145cf40bd959dfc9835a058e8d639238

        Download Submit

      • C:\Program Files\Soundpad\Soundpad.exe
        Filesize

        14.7MB

        MD5

        f8622a89bc48dcb9cea7d20128846159

        SHA1

        82758fe0214230c363a5f6e2e8d6ebf5da950670

        SHA256

        29ba2a79749137bb59cde27c6873b157586ed8684bb440ae194ea186e07de50c

        SHA512

        097722a534fe99bc551f46dce7f6accf6ec7163ea64d5850ee523e1f14889ff8578dc654bbf811bf4ce2d15ca918d74939b8f0770ad07478df6e80eddc2da176

        Download Submit

      • C:\Program Files\Soundpad\SoundpadService.exe
        Filesize

        555KB

        MD5

        f371d266e03582a758a34bda017df9fc

        SHA1

        780a7ce280fdfe9298e9ac061ba2da9bcf11e143

        SHA256

        b70f747d64773fcb16c97ab40567edf6f6827800bb9e3e9e67650e5288906920

        SHA512

        5bf7ae453c877f2b7116aed46178611080b8db07fb83a2ccf696d60143b5959473beeec748457ccd696eeab1ef8c8675ca243168669a288e37e4a69a0ca54a71

        Download Submit

      • C:\Program Files\Soundpad\UniteFx.dll
        Filesize

        584KB

        MD5

        bedfb49d331aa755c8e3cc1a4688d8ce

        SHA1

        e24b32c6cdfba6bd470a3fc613dcde4d6932874b

        SHA256

        f7f2e23661c4dd53ae5b7fd5c3733d9c82f8467b75f7f0bca738426356f85c17

        SHA512

        9782a8696a8a11f9a6a012e931a1b9e76c1d5a8c5e3460af851bb62e238829b83f9eabb615d65940ff9870cb57fb647798cf05394477ed35346cd0390868ccdd

        Download Submit

      • C:\Program Files\Soundpad\languages\de\translation.mo
        Filesize

        66KB

        MD5

        2e19463d9f8d2192f8fc35febf0eae32

        SHA1

        6a3ce06834376b73e7844aa68154b309dc576bf1

        SHA256

        67c8e7e3be1fc9da05c65053f115e304fa92e510f3732e8f69ca09879c68791b

        SHA512

        7ed88bb3e3cf30d48cb990bb6fb4526f00439cdb6219f877ead0242ca92962cf81b989ba6c386374713c29795ad2f64535b1ba41f19f1705c5e895c2011ff593

        Download Submit

      • C:\Program Files\Soundpad\sounds\ba dum tss.mp3
        Filesize

        43KB

        MD5

        ecfd36db4cd603fe69fb216ec96314f3

        SHA1

        e773f5862cae36da5b2c94bd9ba19f6a3b30ae2c

        SHA256

        0f346c69f70725b3c0f37d26774fd530d5fc331584a6cfd4eb90857c9be305e5

        SHA512

        644271db61503904fe8a5de3e95e3617f3faf9287862739c929be85e71d8813c30939eb5104072e11dcda71e6f66717077b2e242c33bc7fc49b22fbf5c318673

        Download Submit

      • C:\Program Files\Soundpad\sounds\cue.mp3
        Filesize

        72KB

        MD5

        6048a9609cb4d0a5d2a7d833903d1f75

        SHA1

        1c76f5538c9977dbe2ab0d0e259d049410a43ee5

        SHA256

        c27d55a0413a61b5fb3f30628a2a398602405cc68b2e4e26dc7c196419bba0c6

        SHA512

        cb4a5389e1f8cf7c702522bf2bd54fbef82ad8417a5d46ef3348a35f4912b70801824eef193efe033902487c9deca37fd29782061857c9390819d381d88eccf1

        Download Submit

      • C:\Program Files\Soundpad\sounds\firework.mp3
        Filesize

        40KB

        MD5

        6b19a6bf2f055cc832a8c3b8a7a520ba

        SHA1

        155d3d969d3a87e35c7aef64674baee3e95d2a49

        SHA256

        a4d6fe757479e9a99523f654cedfc5f3d062d02e7d5313d96ad5bf77f58713c6

        SHA512

        36a491302001051ba265e201ebdd9b7a637f3eadfa258f60943ce7ab333e6aa4548c448d70874fe3794fc5c5734e3bbdf3789d9e9ab67b64e9d24f1a32c20498

        Download Submit

      • C:\Program Files\Soundpad\sounds\scream.mp3
        Filesize

        60KB

        MD5

        3fd3a3b313d14a4f8db4e979c38f7fc5

        SHA1

        75d00502088a8f545e1b6225d2985f0e806fd5ef

        SHA256

        d435c1e228e64b5c6883822399026b144827b54d5b06d2ab1df1462710703fc7

        SHA512

        70504de941cda487977a689e6ca2cb46505e92838b083df82a70853f876dbcf6745e42d657e90cf7a9ac5d6d6e43a443e4bef643da950e32f6ab1a30f1c44a8f

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
        Filesize

        765B

        MD5

        fbaf71e6e81cb4b9435b01c6f3b0837c

        SHA1

        c510e1d3adafbc39feacb5635a4ca436e15474ed

        SHA256

        b8ebb46ac02355c67e13fe34d381542ecf1be621c71abf565f12e33383069fb4

        SHA512

        d881b8042399b3c8736f7f26e2440b50dace4a643931b37aebfd7d8e84d42dd1385f6a696e901e236b9968d460c11769cae0dc9477845f338993b91eb16b5150

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_FFE9A242DFD3700E990131874134F0DA
        Filesize

        637B

        MD5

        52db0b8d0012c7f1828a31e33a1831aa

        SHA1

        92316326b79f1f92046205276abceec6e131c4ba

        SHA256

        54f94e4230ad626b2efd4d42e6f4d1d47b9d73478d94aafef6b229a701769637

        SHA512

        b10edd833c329224c05a1fc5beaae8137c8b2334e4f9d0392e04bfb7fc4b133757d3354ca6fbe07654fa62c7094fed3f2461c560c790339fb5463f79b830e4f0

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
        Filesize

        1KB

        MD5

        4f30daadb21efad2f053597776cf5499

        SHA1

        b079774896759fc832be437f6e1319b40371b5fc

        SHA256

        9cba6a870a50f51a7508301cb3c6a754c3455cff5cc22eeb5803b9fd5c6ad8ba

        SHA512

        8c5582309b56279c59f12ef9978cc3c05b852be2cb8cb2a0bbf96a58231d83f9edec7fd61e67901af32f1d1a5f7876f654fd85438590b914512abf694380c2f5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
        Filesize

        484B

        MD5

        e52c2282b4ee5a23344e32580e552839

        SHA1

        7e6b40770a738df945113016cb6519b6dfcb5756

        SHA256

        2fc02bb14def0c1621806a99a37775e88777168ceff384629f5d6e8c4767b010

        SHA512

        e1ba8e255ab091a941933f23ba5bfe6c67c21805ca44f9cb8a500a2f007b2a7a67d0d8d9e5504f3d1bfdcf8b8990fc60589dfa0225fbb54cd50fc98f3ac77490

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_FFE9A242DFD3700E990131874134F0DA
        Filesize

        484B

        MD5

        85a8d925779e12ab934fbe7fed18a0ab

        SHA1

        931ad53f9654350cfd005ab792ee50e727e95fbe

        SHA256

        b2fa047804a58b9c3f7119453ef00d6d475c1e165aa7e32bf8861690157f4898

        SHA512

        71700cf0f25d0569690092ef0229e9748e67c2f4f9879bb397b6c97acab38a09e15e25a2dc263af8d0fa1adddc04afa5510b78cb151cc9503abfb19d0a40190e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
        Filesize

        482B

        MD5

        aea2d612fc5e29cc48fd1a3c45fa36e0

        SHA1

        073b84610b100fa1202bb28a3895b00b98d6c99c

        SHA256

        4dec8aeec11c32f148a141d1f864952b4c4c84871b98c2273f39947a925852da

        SHA512

        df935f153d539a50795fbd5a519d7c83ace20019c58da400ba708a56e4c24078f6e6baa84b95260f7f443780d6704169214fc59a2459289c1457bfa4fd14d502

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSI6E4A.tmp
        Filesize

        179KB

        MD5

        6b18fc09471ae51e50c34d49403a4900

        SHA1

        08b4d884f9e40cebc73ac220ae23bf7222cb3646

        SHA256

        fa07ee084691932f1d733b7e4c9fbcb5ebfc7b58ab6923c16108ba36cce55e9b

        SHA512

        01512525ab2f74335035c6bc4149e2b5bea176297f96ec18dafc326405d9e59b66ecc9c849cfa5d68bff0e2ffc61872050eab1db8a97faefd98d8c0eb29d639d

        Download Submit

      • C:\Windows\Installer\e57b1bc.msi
        Filesize

        6.6MB

        MD5

        42e8dd5f84f7d0384df0845312298110

        SHA1

        75f78634b56c2f87e8a85e23a2608b02971ae90a

        SHA256

        ca73ea0832176c89fa19a0361acf8e66f3d811d289ef4437f5a026a632c435d9

        SHA512

        bd6f4ae8c392cc585407704a6d40e10d7edd337084f6c060e6af94759ccffeaa57c7c7bc238862a0fc03c6d0764125801c5558c1acb16f6ae9c1c054dbc87a69

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        24.1MB

        MD5

        630f6eb7003bca6d411bb41c9c336684

        SHA1

        d92088d0841f4b4b2cf817ac1cc37ee19d192302

        SHA256

        34f4834b0d7e9a0e6cdb4a3d984f419d6b0584203139b106f55eb831b9264028

        SHA512

        7b8652bed638a197fbed57e95269b91d2c472e7e0c738e3d3e9ee88c719503df6bdb6d23b8936b390e6ad85cad180eecbfc56d430424c5e5159a45cc2d3600f4

        Download Submit

      • \??\Volume{bb0c4c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e92c71de-3b4a-49dc-9754-bf7e3a9a0a97}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        af057a664506263d3aeee9f4ea933b2b

        SHA1

        0c7882d171f066fc8eb930998f7e9d4571bfe089

        SHA256

        a30710f7c5649651aeb6872aa04e84b31233481e47908b5fb2a67da0a56dc8c1

        SHA512

        08ff15d6cf0c7542c3e4ad2e354a94ca96840fe2f98d5ac4e75c4ed6822ba277c50370c484e9ecdf27ad04b362235cf01fc4337c2e466a9f901bace129ee29e9

        Download Submit