Malware Analysis Report

2024-08-06 18:59

Sample ID 240619-gbjcxazaqm
Target ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93
SHA256 ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93
Tags
upx darkcomet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93

Threat Level: Known bad

The file ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93 was found to be: Known bad.

Malicious Activity Summary

upx darkcomet persistence rat trojan

UPX dump on OEP (original entry point)

Darkcomet

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks BIOS information in registry

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:37

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:37

Reported

2024-06-19 05:40

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3004 set thread context of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 set thread context of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2580 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2580 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2580 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1632 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1632 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1632 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1632 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 3004 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe

"C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YHXdC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp
US 8.8.8.8:53 ygo.no-ip.info udp

Files

memory/1632-0-0x0000000000400000-0x00000000007EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YHXdC.bat

MD5 173bcce4810d4901872d0ef4f0bfea4e
SHA1 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
SHA256 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
SHA512 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

MD5 0b43656403f534583fe573887fbae12d
SHA1 9de047351a6bde41e5ad3f173309d88c462f9662
SHA256 0ebd8e356229bcc193b8951c0f9040bbd7532d2ccb5191ecef263d91b4a34b0c
SHA512 a69c5f253a5ebd40291ace46c0a30d266989315650ecbae21457539162fbc2056f3231c70bf84ad2312900a3ac8be3899b0f60eb858ece836c5c964aa1f4fee9

memory/3004-45-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/1632-44-0x0000000003910000-0x0000000003CFB000-memory.dmp

memory/1632-47-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/1632-43-0x0000000003910000-0x0000000003CFB000-memory.dmp

memory/3004-52-0x0000000002E00000-0x00000000031EB000-memory.dmp

memory/2496-53-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-55-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-58-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-62-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2460-61-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2496-60-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3004-59-0x0000000002E00000-0x00000000031EB000-memory.dmp

memory/2496-57-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-63-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-64-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-65-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2460-71-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3004-70-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/2460-68-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2496-74-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2460-75-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2496-76-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-78-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-82-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-84-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-88-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-90-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-94-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-96-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2496-100-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:37

Reported

2024-06-19 05:40

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1048 set thread context of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 set thread context of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 740 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 740 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1808 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1808 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe
PID 1048 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\Soundcrd.exe C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe

"C:\Users\Admin\AppData\Local\Temp\ff28113fae2c68df81308c8a1b8ec036959316aede6053bb0ddeff5983749b93.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leXVQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ygo.no-ip.info udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 ygo.no-ip.info udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp
US 8.8.8.8:53 ygo.no-ip.info udp
ES 94.73.33.36:1604 ygo.no-ip.info tcp

Files

memory/1808-0-0x0000000000400000-0x00000000007EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\leXVQ.txt

MD5 173bcce4810d4901872d0ef4f0bfea4e
SHA1 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
SHA256 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
SHA512 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

C:\Users\Admin\AppData\Roaming\Soundcrd.txt

MD5 c2b2288c5f8fd9a54ea903df151ae88d
SHA1 2015bef53a310fc03316b93bd180d9f3863b1594
SHA256 9b295a09b2ba772fea10792bb826376ed671617e48d4c30a924255787c38da53
SHA512 6ed68cc7b7fd85738c66011a5ec151b4b8674fb325b12d9f9533bc2523d9c03f93fde0569168532e860a3d36e2dd70b3387bd6d0fadbbf5a636f1b704c9b801c

memory/1048-28-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/1808-30-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/4836-33-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-35-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-36-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3364-42-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4836-45-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-51-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1048-47-0x0000000000400000-0x00000000007EB000-memory.dmp

memory/4836-50-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-49-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3364-48-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4836-46-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3364-37-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3364-41-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3364-53-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4836-52-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-56-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-60-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-64-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-68-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-72-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4836-76-0x0000000000400000-0x00000000004B5000-memory.dmp