a13fad0d43b3db3b1f78118c3591a42cca0ed4373414ed82f2351719b2901b92

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Triworks/乐音 3.0 (Demo)/EyeSong.exe
Size

937KB
MD5

6589954ba364e5c985f62b670bc2b2ed
SHA1

714e8bf7402571788bcbd1c18221410fe3673beb
SHA256

ba6b0fbc15c3a4a628c2397e630fd51240231aa7cd8eb5d5509fd59a7c7c9418
SHA512

defdcf8512ab166f8351fbf703f0a4c31e02891ae8a35ee6208eeb46f62f9da6246cf3b61032e4b15cbab38bdac91b1dff860f7561b34d9583eb10bb150b26ab
SSDEEP

24576:eKN50sRrx2c+/v5dcT3x6WKIlDadP1ucIRl:eCR12PnYB6hOC1yRl

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-9-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-10-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-13-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-14-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-15-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-16-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-17-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-18-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-19-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-20-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-21-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-22-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-23-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-24-0x0000000000400000-0x0000000000729000-memory.dmp	upx
behavioral2/memory/3708-25-0x0000000000400000-0x0000000000729000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

EyeSong.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\usesonic.dll EyeSong.exe
File created C:\Windows\SysWOW64\usesonic.dll EyeSong.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1612 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1612 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EyeSong.exe

pid process

3708 EyeSong.exe
3708 EyeSong.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\usesonic.dll	EyeSong.exe
File created	C:\Windows\SysWOW64\usesonic.dll	EyeSong.exe

description	pid	process
Token: 33	1612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1612	AUDIODG.EXE

pid	process
3708	EyeSong.exe
3708	EyeSong.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

EyeSong.exe

description	pid	process	target process
PID 3708 wrote to memory of 3960	3708	EyeSong.exe	splwow64.exe
PID 3708 wrote to memory of 3960	3708	EyeSong.exe	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\Triworks\乐音 3.0 (Demo)\EyeSong.exe
"C:\Users\Admin\AppData\Local\Temp\Triworks\乐音 3.0 (Demo)\EyeSong.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4272 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\usesonic.dll

Filesize
19B

MD5
800cdda1d76f35034879628ede428af8

SHA1
ba41c795c98ea3a2cc3f81384ec3bbd070593b91

SHA256
cd6e8c14438c16a5ec927c143056ee8efab890f0058b79440695aa296604550b

SHA512
dc09f4b2c408b1460c2a35955a0cc46bb140f9b9ebf603a0e9cd4f3dc241abdc9f88136167d1a980e25738a69a0685a5e23ce586dcebd4368a486b2d5662dd2c

Download Submit
memory/3708-15-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-2-0x00000000008F0000-0x00000000008FF000-memory.dmp

Filesize
60KB

Download
memory/3708-17-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-18-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-10-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-13-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-14-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-0-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-25-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-1-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/3708-9-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-19-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-20-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-21-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-22-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-23-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-24-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/3708-16-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download