fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae

General

Target

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Size

139.7MB
MD5

ddd859f194236cdd7f77dc2e65817f16
SHA1

597cb86abd4dcd4efc0b9c9ea074f3c8dda61c3f
SHA256

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae
SHA512

c46bc980c88fc3c707409b1be097fb533d66a3ac1474a06d40676dbb21ee9c9730aa24fdb8e50fc895fe901ad3acb138d3a5335ac60c13174c785e2dab67ac80
SSDEEP

786432:qxeyemYExLVqyOqZDd+ybW1h4uyrzMVX9yvjBIA1toV+c7BmVvJpXrK7IBK53xp:qAmYeLQPqfWLYUNw91toV+caJ6H

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Drops startup file 1 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoyoteMIDI.lnk	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 6 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

pid	process
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\" -ToastActivated"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}\AppId = "{9126c647-205d-7c08-2c17-411954548698}"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9126c647-205d-7c08-2c17-411954548698}\RunAs = "Interactive User"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\IconBackgroundColor = "FFDDDDDD"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}\LocalServer32	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}\LocalServer32	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\Has7.0.1Fix = "1"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\CustomActivator = "{9126c647-205d-7c08-2c17-411954548698}"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9126c647-205d-7c08-2c17-411954548698}	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\9126C647-205D-7C08-2C17-411954548698\\Icon.png"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9126c647-205d-7c08-2c17-411954548698}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\" -ToastActivated"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe\DisplayName = "CoyoteMIDI"	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

pid process

4380 fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEfdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

description	pid	process
Token: 33	5032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5032	AUDIODG.EXE
Token: SeDebugPrivilege	4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

pid	process
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

pid	process
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

pid	process
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
4380	fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe

C:\Users\Admin\AppData\Local\Temp\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe
"C:\Users\Admin\AppData\Local\Temp\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\Melanchall_DryWetMidi_Native64.dll

Filesize
65KB

MD5
42b0ac2ff31833a75a04c50d2b393a6f

SHA1
b9f4cc5ff0622ac7a126a6ed6a5be86fc72f9e33

SHA256
2debc5d1046f513db6a920c29b16de23ee29fd713a3447ce4c3d97313e0d3547

SHA512
a454e4cb43eb18edef3a45a6720eb575c2ed2b497fc4deffa9a51e8f5bdfa805a007e6c10a496f03cd0f6e0a8c7ccd4b76d398521c163306fa09fe2df29f31e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\av_libglesv2.dll

Filesize
4.2MB

MD5
73d2fb4c35d323813a86e3bf5c85c345

SHA1
81f751a34e0c25bdea93902a19a94a49ce1495df

SHA256
85b3aee47c0e0eaf3a5ea5c75ba8131387a12639b6a0ef280c28531fb77695ae

SHA512
e81677cc9b99ff3d54f67000a60489603e01a896f90c4ef0c883b82e2fdb7b90d2899c078958b3f060a20373b99cb6c4deb7f64cc4c7e0ba2a708209f4684ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\libHarfBuzzSharp.dll

Filesize
1.5MB

MD5
f121a2afb03f1b8ca1784e544464a346

SHA1
9346297a66989dbe88bc459ee8bf936e7acb3d24

SHA256
f13d0dae00a598620a436fd991219a2e0fe6157eac90faa025d4d76845cd996c

SHA512
ebbb8c2d7d97521286af0f6b02195890b193e660a28e6b1e5112ed9f1fcc081c66587a7a82c8a9468d1a55d477880487d1b3edf1deb2ea285e17d70fbd56c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\libSkiaSharp.dll

Filesize
9.0MB

MD5
26d723bd75b5c6591dfde18b71281920

SHA1
47c05d42af2968f83877bb9cbf744c938489f466

SHA256
2ca940b7c4621ecd27d2f07c5f46fafa0375f493692cd4e6e1e66c07fbc8109a

SHA512
90bbdd48588616177354402b91a3fac363f8eb7959af570e6cee1174eeab950077b71ed47645262daf0957ced5b90b3aa5a7146a5d04d52b5c7975a5d31c5ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\portaudio.dll

Filesize
171KB

MD5
680ce7668780d32fbe25ad50ab4a45a1

SHA1
233e8bf31e7f571165419f2470bcfc6fed880c61

SHA256
b9b1d1dc5d05ad593325d38fb6f232d89bc326d6177da394b5f8fd5836abaac6

SHA512
d3d4fb79fbcafcab9d5361e6e47ec48947d1c8ae1bb5355544bc2f79522c62d753abbc0e1418d275300d9f597773139df9164c46b2e2b8640f2a448489c42d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\fdbdbc5fbea8a4ee9909b5fa2833df3e63a9f3786f49a2153ccdf23304d953ae\xmLVbLulcqXg2OovSKQj+ZyNVzcEUlY=\uiohook.dll

Filesize
647KB

MD5
05481d7a12e3dda1b46cd938eeca069c

SHA1
721ef7e9ef75b0eb7045fb2651e036c83748fc92

SHA256
cdd570722eec0beb4b7b79f99d1501a34f88b868b2dd1fdf4d7a1441dbc6c918

SHA512
7b552aeeaf556a5cd097e9abfdf780e3c5b303e440fc6815410e125744177a98045c93df135668733e045b592a51dbc61d9f93baecabc2c821854c23825cde74

Download Submit
C:\Users\Admin\Documents\CoyoteMIDI\userdata\translationsv2.json

Filesize
73B

MD5
78aa1a7041910bc8a83fb51771779d85

SHA1
77b8074d0aef91a14558f1c9b73c1be5156f51a9

SHA256
2a59328f21e703c55f4646eddc2f0e02f1d3c84fb5ef26538676cad3a670dffb

SHA512
a0d16bbe6cf9d2fbdb4f0b3f5dd69027851c078fc0939bd4e2bcbce80d8b0b3334a4f8f045165be7f14f99fd81d5e9dd40583983975b57155253c67f02557e9e

Download Submit
memory/4380-13-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/4380-16-0x00007FF6A955F000-0x00007FF6A9560000-memory.dmp

Filesize
4KB

Download
memory/4380-43-0x00007FF6A955F000-0x00007FF6A9560000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads