662989d40ce8865042f68aaf3f831cba019a74090a36471077f7b51d2f5989c1

Analysis

max time kernel
39s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 09:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Soundpad.exe
Size

11.6MB
MD5

ecdde99f36da416560e91f7c9f97b390
SHA1

7957c54b11b2318e897b673bcc6aeafc92ac39c8
SHA256

0b6f4d707649f9913257c50692f86f79b7e942ea0eef2eaa30b53702a63621c7
SHA512

9ad6b5085cc12593c5c8dd094743d4e73b0693487f04f89705eb1ea09f057f4b5e1f4b2d03bd3b79b38074590c7bd75acd5484f878e1627a43549ebb3b38dcf5
SSDEEP

196608:8qELu/h0xDDF4ppftCyh+DdaIuqFkKz/1xqh0T0Q:87a/h0JF4ppsyh+DyQ

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Soundpad.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\UniteFx1.8.0.dll	Soundpad.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Soundpad\SoundpadService.exe	Soundpad.exe
File opened for modification	C:\Program Files\Common Files\Soundpad\SoundpadService.exe	Soundpad.exe

Loads dropped DLL 2 IoCs

pid	Process
1836	regsvr32.exe
3592	AUDIODG.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithProgids	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\URL Protocol	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2024 Leppsoft"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\shell\open\command	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\Content Type = "audio/soundpadlist"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe,1"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\shell	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\shell	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe\" -c \"%1\""	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\ = "UniteFx Class"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\DefaultIcon	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\shell\open\command	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\PerceivedType = "audio"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx1.8.0.dll"	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\DefaultIcon	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\ = "URL:Soundpad Protocol"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe,0"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\shell\open\command\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\shell\open	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Soundpad.exe\" \"%1\""	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinorVersion = "8"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad\shell\open	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithList	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\OpenWithList\ehshell.exe	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC3-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Soundpad.Soundlist\shell\open\command\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.spl\ = "Soundpad.Soundlist"	Soundpad.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3096	Soundpad.exe
Token: 33	3592	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3592	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3096	Soundpad.exe
3096	Soundpad.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3096	Soundpad.exe
3096	Soundpad.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3096	Soundpad.exe
3096	Soundpad.exe
4632	SoundpadService.exe
1704	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4632	3096	Soundpad.exe	86
PID 3096 wrote to memory of 4632	3096	Soundpad.exe	86
PID 3096 wrote to memory of 1836	3096	Soundpad.exe	89
PID 3096 wrote to memory of 1836	3096	Soundpad.exe	89

C:\Users\Admin\AppData\Local\Temp\Soundpad.exe
"C:\Users\Admin\AppData\Local\Temp\Soundpad.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\SoundpadService.exe
  "C:\Users\Admin\AppData\Local\Temp\SoundpadService.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4632
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x464
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_1B4B5D0E47BE49E4A1B13C74EDB05ADA.dat

Filesize
940B

MD5
1fecfb347130a64b374d069da2648911

SHA1
2033faadb9f38817ad2d193b4ae5a570bb3af35d

SHA256
16c04f2f0c200b2f30d0a95b6c5a2aeb123e605b0673c7054fe89a3bea7d93c6

SHA512
cfa782c7e99a39b1e252dfa04a2a011f6c354d380806f53ed5e3f787e03b0bb4f716bc5721065425e426c7775da5a64fff9c397b6f5ad984293ac1e45f4c5357

Download Submit
C:\Windows\system32\UniteFx1.8.0.dll

Filesize
584KB

MD5
232182083ec6ddf266b81811c1d26a3a

SHA1
ef8c258977752887a0e5d9688fccaf74cb53201d

SHA256
b7b8218f1c386cb5a703023b6f1871809dcb9a1cb981c7dc6538a4d4fd08272a

SHA512
e299e0bcfa46e21a718e5eb61b9b3f273ad8c4f5fcd4aa291045b43b62456e4893b37be76e14802ed011532ac914f42b00096d07b117e784f9f195b1380f70ad

Download Submit