2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Cheat.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation Cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Cheat.exe

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 10 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exe

pid	process
3252	HDAudio.exe
3656	HDAudio.exe
1540	HDAudio.exe
2532	HDAudio.exe
1136	HDAudio.exe
3288	HDAudio.exe
688	HDAudio.exe
4900	HDAudio.exe
2444	HDAudio.exe
3456	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
224	schtasks.exe
2560	schtasks.exe
2640	schtasks.exe
3012	schtasks.exe
3780	schtasks.exe
4360	schtasks.exe
4116	schtasks.exe
5052	schtasks.exe
1152	schtasks.exe
4632	schtasks.exe
2600	schtasks.exe
3384	schtasks.exe
4592	schtasks.exe
4600	schtasks.exe
4880	schtasks.exe
552	schtasks.exe
1776	schtasks.exe
2128	schtasks.exe
2432	schtasks.exe
3268	schtasks.exe
3548	schtasks.exe
3748	schtasks.exe
2988	schtasks.exe
1564	schtasks.exe
5028	schtasks.exe
4636	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HDAudio.exe

description	pid	process
Token: SeDebugPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe
Token: SeIncBasePriorityPrivilege	3252	HDAudio.exe
Token: 33	3252	HDAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Cheat.exeHDAudio.exe

description	pid	process	target process
PID 640 wrote to memory of 3252	640	Cheat.exe	HDAudio.exe
PID 640 wrote to memory of 3252	640	Cheat.exe	HDAudio.exe
PID 640 wrote to memory of 3252	640	Cheat.exe	HDAudio.exe
PID 3252 wrote to memory of 5004	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5004	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5004	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4592	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4592	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4592	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4572	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4572	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4572	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4600	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4600	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4600	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2768	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2768	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2768	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4880	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4880	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4880	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4708	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4708	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 4708	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2640	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2640	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2640	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5076	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5076	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5076	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2128	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2128	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2128	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3356	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3356	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3356	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3012	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3012	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3012	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2016	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2016	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2016	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 1564	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 1564	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 1564	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2652	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2652	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2652	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5028	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5028	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 5028	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2376	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2376	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2376	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2988	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2988	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2988	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3160	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3160	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 3160	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2432	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2432	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2432	3252	HDAudio.exe	schtasks.exe
PID 3252 wrote to memory of 2564	3252	HDAudio.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\HDAudio.exe
"C:\Windows\HDAudio.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5076

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3012

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2016

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2988

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3160

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4160

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3264

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4632

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3780

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:1116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3548

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3384

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:4460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2560

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:3040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:4360

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:5020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3288

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:688

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HDAudio.exe.log
Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Windows\HDAudio.exe
Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
memory/640-0-0x0000000074F52000-0x0000000074F53000-memory.dmp

Filesize
4KB

Download
memory/640-1-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/640-2-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/640-12-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3252-13-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3252-14-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3252-21-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3656-19-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3656-20-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/3656-23-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads