662989d40ce8865042f68aaf3f831cba019a74090a36471077f7b51d2f5989c1

Analysis

max time kernel
24s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Soundpad.exe
Size

11.6MB
MD5

ecdde99f36da416560e91f7c9f97b390
SHA1

7957c54b11b2318e897b673bcc6aeafc92ac39c8
SHA256

0b6f4d707649f9913257c50692f86f79b7e942ea0eef2eaa30b53702a63621c7
SHA512

9ad6b5085cc12593c5c8dd094743d4e73b0693487f04f89705eb1ea09f057f4b5e1f4b2d03bd3b79b38074590c7bd75acd5484f878e1627a43549ebb3b38dcf5
SSDEEP

196608:8qELu/h0xDDF4ppftCyh+DdaIuqFkKz/1xqh0T0Q:87a/h0JF4ppsyh+DyQ

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\UniteFx1.8.0.dll	Soundpad.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Soundpad\SoundpadService.exe	Soundpad.exe
File opened for modification	C:\Program Files\Common Files\Soundpad\SoundpadService.exe	Soundpad.exe

Loads dropped DLL 7 IoCs

pid	Process
2824	regsvr32.exe
296	Soundpad.exe
296	Soundpad.exe
296	Soundpad.exe
296	Soundpad.exe
296	Soundpad.exe
296	Soundpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\shell\open\command\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\shell	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe,0"	Soundpad.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe\" -c \"%1\""	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2024 Leppsoft"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\shell\open\command\	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx1.8.0.dll"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ = "UniteFx Class"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe\" \"%1\""	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\PerceivedType = "audio"	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\shell\open\command	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\shell\open\command	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\shell\open	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\Content Type = "audio/soundpadlist"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithProgids\Soundpad.Soundlist	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\shell	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\DefaultIcon	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinorVersion = "8"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithList	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithProgids	Soundpad.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe,1"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\shell\open	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\ = "Soundpad.Soundlist"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithList\ehshell.exe	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\ = "Soundpad sound list"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\\shell\open\command	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\ = "URL:Soundpad Protocol"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad.Soundlist\\DefaultIcon	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Soundpad\URL Protocol	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.spl\OpenWithList\ehshell.exe\	Soundpad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
296	Soundpad.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	296	Soundpad.exe
Token: SeTakeOwnershipPrivilege	296	Soundpad.exe
Token: SeTakeOwnershipPrivilege	296	Soundpad.exe
Token: SeTakeOwnershipPrivilege	296	Soundpad.exe
Token: SeTakeOwnershipPrivilege	296	Soundpad.exe
Token: 33	296	Soundpad.exe
Token: SeIncBasePriorityPrivilege	296	Soundpad.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
296	Soundpad.exe
296	Soundpad.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
296	Soundpad.exe
296	Soundpad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
296	Soundpad.exe
296	Soundpad.exe
2340	SoundpadService.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2340	296	Soundpad.exe	30
PID 296 wrote to memory of 2340	296	Soundpad.exe	30
PID 296 wrote to memory of 2340	296	Soundpad.exe	30
PID 296 wrote to memory of 2824	296	Soundpad.exe	31
PID 296 wrote to memory of 2824	296	Soundpad.exe	31
PID 296 wrote to memory of 2824	296	Soundpad.exe	31
PID 296 wrote to memory of 2824	296	Soundpad.exe	31
PID 296 wrote to memory of 2824	296	Soundpad.exe	31

C:\Users\Admin\AppData\Local\Temp\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296
- C:\Users\Admin\AppData\Local\Temp\SoundpadService.exe
  "C:\Users\Admin\AppData\Local\Temp\SoundpadService.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\UniteFx1.8.0.dll

Filesize
584KB

MD5
232182083ec6ddf266b81811c1d26a3a

SHA1
ef8c258977752887a0e5d9688fccaf74cb53201d

SHA256
b7b8218f1c386cb5a703023b6f1871809dcb9a1cb981c7dc6538a4d4fd08272a

SHA512
e299e0bcfa46e21a718e5eb61b9b3f273ad8c4f5fcd4aa291045b43b62456e4893b37be76e14802ed011532ac914f42b00096d07b117e784f9f195b1380f70ad

Download Submit