fb0e1a5a8ce0287140caa53c632cde2d111014e14b7f42b8fae5b287aaa3736b

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Work/SoundChanger.exe
Size

226KB
MD5

85c6cb4b878b49c4f73abd6316b58230
SHA1

2a3e616b036819035bbfe4e0a2dc49c82449a314
SHA256

7987fd74868b355632df577b9d18d449f696b2a96ea7633cae35cd07c600a588
SHA512

fc269c2f16b0adcdbcf5d5b2ac55ba079d46b6801508d5db82a7adf5085b9e11024dfe745d416c7fc5e09b05d057cdae8589891965b6534bcd07f8ecc8dfc606
SSDEEP

6144:nt5hBPi0BW69hd1MMdxPe9N9uA069TBnFuCndEJA:ntzww69T9FTWq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SoundChanger.exe

Executes dropped EXE 1 IoCs

pid	Process
3576	DefSound.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4956	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 3708	3696	SoundChanger.exe	92
PID 3696 wrote to memory of 3708	3696	SoundChanger.exe	92
PID 3708 wrote to memory of 4532	3708	cmd.exe	94
PID 3708 wrote to memory of 4532	3708	cmd.exe	94
PID 3708 wrote to memory of 3768	3708	cmd.exe	95
PID 3708 wrote to memory of 3768	3708	cmd.exe	95
PID 3708 wrote to memory of 3576	3708	cmd.exe	96
PID 3708 wrote to memory of 3576	3708	cmd.exe	96
PID 3708 wrote to memory of 4956	3708	cmd.exe	97
PID 3708 wrote to memory of 4956	3708	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe
"C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E82D.tmp\E82E.tmp\E82F.bat C:\Users\Admin\AppData\Local\Temp\Work\SoundChanger.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\reg.exe
    reg query "HKCU\Software\SoundChanger"
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\SoundChanger" /f
    3⤵
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\E82D.tmp\DefSound.exe
    DefSound.exe 0
    3⤵
    - Executes dropped EXE
    PID:3576
- - C:\Windows\system32\taskkill.exe
    taskkill /im DefSound.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E82D.tmp\DefSound.exe

Filesize
118KB

MD5
c8d0c8f724c4fa3eae9c174651e7682f

SHA1
4161b4f8425e6da4f3e43fa8116946997472bb29

SHA256
fb2c560d1a1fb987d3b1bed958226d82279ff3ba5c2e0955269172ed2028abed

SHA512
45fcf40f295580bb32d946702dcd3edff4284b3877871f266844ae4c92d727751ec5395199f45b1795aa42c3f9d1bfa11bd60eb2ee4ecdb21fa524cec29f65ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E82D.tmp\E82E.tmp\E82F.bat

Filesize
371B

MD5
a347d822d94cb1ab02de9a18bce454f8

SHA1
d78a58b12d9a5cfa917f3a7857dc475c86861b7b

SHA256
537aa5762ac11b2b87f4c9915129ce5e4328b634f4ae514d2c9ef341ce33bcab

SHA512
505dd206332434659b30a73627601dd04b2c0395dfb17fc6c1761dd55c9640d7b93efb3fbaf772803cc64fc5c4f9669d0357d927c3221750cc858e6647bb974b

Download Submit