f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207

General

Target

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Size

139.7MB
MD5

ab32fa6aaaf27e833cc65317b8fd6e98
SHA1

61b339765f53729fcd5a6631e7ef833de9dccad0
SHA256

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207
SHA512

5338550de90d654400ed051670ef3670f17c3279777fab65da9a4afd87caffeac8466b5700b58ef99e3c627959c87c3a4db5a9a0dfa34a8afa9387e3cf402271
SSDEEP

786432:wMBFPmYEDLVqSOqZDq+ybW1h4uyrzMVX9yvjBIA1toV+dUbWN3KPqiVslIBKOMxT:wRYcLQvqkWLYUNw91toV+dgTVBZo

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 6 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

pid	process
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Modifies registry class 17 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\" -ToastActivated"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59061e90-68e6-8fb9-ae4c-9414206328e2}	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\LocalServer32	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\DisplayName = "CoyoteMIDI"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\59061E90-68E6-8FB9-AE4C-9414206328E2\\Icon.png"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\IconBackgroundColor = "FFDDDDDD"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\Has7.0.1Fix = "1"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\CLSID	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\AppId = "{59061e90-68e6-8fb9-ae4c-9414206328e2}"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\RunAs = "Interactive User"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\CustomActivator = "{59061e90-68e6-8fb9-ae4c-9414206328e2}"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\LocalServer32	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe\" -ToastActivated"	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59061e90-68e6-8fb9-ae4c-9414206328e2}	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

pid process

3944 f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEf1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

description	pid	process
Token: 33	4888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4888	AUDIODG.EXE
Token: SeDebugPrivilege	3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

pid	process
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

pid	process
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

pid	process
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
3944	f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe

C:\Users\Admin\AppData\Local\Temp\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe
"C:\Users\Admin\AppData\Local\Temp\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\Melanchall_DryWetMidi_Native64.dll

Filesize
65KB

MD5
42b0ac2ff31833a75a04c50d2b393a6f

SHA1
b9f4cc5ff0622ac7a126a6ed6a5be86fc72f9e33

SHA256
2debc5d1046f513db6a920c29b16de23ee29fd713a3447ce4c3d97313e0d3547

SHA512
a454e4cb43eb18edef3a45a6720eb575c2ed2b497fc4deffa9a51e8f5bdfa805a007e6c10a496f03cd0f6e0a8c7ccd4b76d398521c163306fa09fe2df29f31e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\av_libglesv2.dll

Filesize
4.2MB

MD5
73d2fb4c35d323813a86e3bf5c85c345

SHA1
81f751a34e0c25bdea93902a19a94a49ce1495df

SHA256
85b3aee47c0e0eaf3a5ea5c75ba8131387a12639b6a0ef280c28531fb77695ae

SHA512
e81677cc9b99ff3d54f67000a60489603e01a896f90c4ef0c883b82e2fdb7b90d2899c078958b3f060a20373b99cb6c4deb7f64cc4c7e0ba2a708209f4684ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\libHarfBuzzSharp.dll

Filesize
1.5MB

MD5
f121a2afb03f1b8ca1784e544464a346

SHA1
9346297a66989dbe88bc459ee8bf936e7acb3d24

SHA256
f13d0dae00a598620a436fd991219a2e0fe6157eac90faa025d4d76845cd996c

SHA512
ebbb8c2d7d97521286af0f6b02195890b193e660a28e6b1e5112ed9f1fcc081c66587a7a82c8a9468d1a55d477880487d1b3edf1deb2ea285e17d70fbd56c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\libSkiaSharp.dll

Filesize
9.0MB

MD5
26d723bd75b5c6591dfde18b71281920

SHA1
47c05d42af2968f83877bb9cbf744c938489f466

SHA256
2ca940b7c4621ecd27d2f07c5f46fafa0375f493692cd4e6e1e66c07fbc8109a

SHA512
90bbdd48588616177354402b91a3fac363f8eb7959af570e6cee1174eeab950077b71ed47645262daf0957ced5b90b3aa5a7146a5d04d52b5c7975a5d31c5ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\portaudio.dll

Filesize
171KB

MD5
680ce7668780d32fbe25ad50ab4a45a1

SHA1
233e8bf31e7f571165419f2470bcfc6fed880c61

SHA256
b9b1d1dc5d05ad593325d38fb6f232d89bc326d6177da394b5f8fd5836abaac6

SHA512
d3d4fb79fbcafcab9d5361e6e47ec48947d1c8ae1bb5355544bc2f79522c62d753abbc0e1418d275300d9f597773139df9164c46b2e2b8640f2a448489c42d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\f1f3466784f8757113fa3fc2f742b04202cb98cfa3e92f1b26c001bfcff2d207\VkQR+XbK6hQojWx_lxl3Qp7ozg0URKc=\uiohook.dll

Filesize
647KB

MD5
05481d7a12e3dda1b46cd938eeca069c

SHA1
721ef7e9ef75b0eb7045fb2651e036c83748fc92

SHA256
cdd570722eec0beb4b7b79f99d1501a34f88b868b2dd1fdf4d7a1441dbc6c918

SHA512
7b552aeeaf556a5cd097e9abfdf780e3c5b303e440fc6815410e125744177a98045c93df135668733e045b592a51dbc61d9f93baecabc2c821854c23825cde74

Download Submit
C:\Users\Admin\Documents\CoyoteMIDI\userdata\translationsv2.json

Filesize
73B

MD5
04c5bdc839c0a7b7859e27b11111db97

SHA1
c0ef9f451efe9b4f1cdd09cc03283e3279fddb7f

SHA256
2fa9909f4181e8912b71a2b32378426f46290492dba8be0f77ba27572bd5774e

SHA512
8b2b4cf2331575390824acf419ef6d52a45527073dd7802c405a6861a9ada2c614eebb697b6aa5ab6773326fa650d59eea931f3390b4d9ea19cae2a1f7723ae3

Download Submit
memory/3944-16-0x00007FF620D8E000-0x00007FF620D8F000-memory.dmp

Filesize
4KB

Download
memory/3944-14-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/3944-42-0x00007FF620D8E000-0x00007FF620D8F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads