Analysis

max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 23:46

Static task: static1
Behavioral task: behavioral1
  Sample: SoundBridge_64-bit.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: SoundBridge_64-bit.exe
  Resource: win10v2004-20240802-en
General

Target: SoundBridge_64-bit.exe
Size: 173.5MB
MD5: edeb6e3bc1bb8ae249f0afae975503c4
SHA1: f2e0bce9857bb3aecc2daa4b46df0318d32bb98d
SHA256: eed0eb60d42f15d8704cb8792c5f431953ce48fb195296b3c064113620db0b19
SHA512: b06f64c022eb9abe18f0b81dda35fbdea6142d7782b4bf19ee9a36992558c93bc5c3b620a98ec5d98c84b26887456978c2902836df9f5cd6bcda7c50e070bfd5
SSDEEP: 3145728:TQxCNTi9qmjpm7qcpWglalOW4DQ5/nr+jGSVnqbKEv7fbcz9/LYs:TsiU7pm7jWglEiDg/reGSVnqeW7gh/Lr
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation SoundBridge_64-bit.exe
  Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation wscript.exe
  Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation vcredist.exe

Executes dropped EXE (4 IoCs)
  1584 vcredist.exe
  1848 vcredist.exe
  1392 VC_redist.x64.exe
  3908 setup.exe

Loads dropped DLL (13 IoCs)
  1848 vcredist.exe (1 DLL)
  3908 setup.exe (12 DLLs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3746f21b-c990-4045-bb33-1cf98cff7a68} = "\"C:\\ProgramData\\Package Cache\\{3746f21b-c990-4045-bb33-1cf98cff7a68}\\VC_redist.x64.exe\" /burn.runonce" VC_redist.x64.exe
  The value launches the cached VC++ redistributable bundle with /burn.runonce, the WiX Burn bootstrapper's resume-after-reboot hook, and a RunOnce entry is deleted after it runs once. This is expected installer behaviour, not persistence for the sample's own code.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  3924 WerFault.exe reported a crash in pid 1848 (vcredist.exe, procid_target 89)

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcredist.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcredist.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VC_redist.x64.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SoundBridge_64-bit.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not reproduced on this page] vssvc.exe
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
  All five hits come from vssvc.exe, the Volume Shadow Copy service, while srtasks.exe creates a restore point (see Processes). Attribute them to the operating system, not to sandbox-detection code in the sample.
Modifies registry class (6 IoCs)
  Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle VC_redist.x64.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\ = "{3746f21b-c990-4045-bb33-1cf98cff7a68}" VC_redist.x64.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Version = "14.32.31332.0" VC_redist.x64.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31332" VC_redist.x64.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Dependents\{3746f21b-c990-4045-bb33-1cf98cff7a68} VC_redist.x64.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.32,bundle\Dependents VC_redist.x64.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  3908 setup.exe
  3908 setup.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token: SeBackupPrivilege 3468 vssvc.exe
  Token: SeRestorePrivilege 3468 vssvc.exe
  Token: SeAuditPrivilege 3468 vssvc.exe
  Token: SeBackupPrivilege 3444 srtasks.exe
  Token: SeRestorePrivilege 3444 srtasks.exe
  Token: SeSecurityPrivilege 3444 srtasks.exe
  Token: SeTakeOwnershipPrivilege 3444 srtasks.exe
  Token: SeBackupPrivilege 3444 srtasks.exe
  Token: SeRestorePrivilege 3444 srtasks.exe
  Token: SeSecurityPrivilege 3444 srtasks.exe
  Token: SeTakeOwnershipPrivilege 3444 srtasks.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  3908 setup.exe
  3908 setup.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85
  PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85
  PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85
  PID 664 wrote to memory of 3708 664 wscript.exe 86
  PID 664 wrote to memory of 3708 664 wscript.exe 86
  PID 664 wrote to memory of 3708 664 wscript.exe 86
  PID 3708 wrote to memory of 1584 3708 cmd.exe 88
  PID 3708 wrote to memory of 1584 3708 cmd.exe 88
  PID 3708 wrote to memory of 1584 3708 cmd.exe 88
  PID 1584 wrote to memory of 1848 1584 vcredist.exe 89
  PID 1584 wrote to memory of 1848 1584 vcredist.exe 89
  PID 1584 wrote to memory of 1848 1584 vcredist.exe 89
  PID 1848 wrote to memory of 1392 1848 vcredist.exe 90
  PID 1848 wrote to memory of 1392 1848 vcredist.exe 90
  PID 1848 wrote to memory of 1392 1848 vcredist.exe 90
  PID 3708 wrote to memory of 3908 3708 cmd.exe 105
  PID 3708 wrote to memory of 3908 3708 cmd.exe 105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Despite its name, SoundBridge_64-bit.exe runs as a 32-bit process: the wscript.exe and cmd.exe it launches resolve to C:\Windows\SysWOW64 through file system redirection even though the command lines name System32. The 7zS403E0EB7 directory under the user's Temp follows the naming of a 7-Zip SFX extraction directory; setup.cmd, vcredist.exe and setup.exe run from it.

C:\Users\Admin\AppData\Local\Temp\SoundBridge_64-bit.exe  (PID 772)
    command line: "C:\Users\Admin\AppData\Local\Temp\SoundBridge_64-bit.exe"
    signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscript.exe  (PID 664)
      command line: "C:\Windows\System32\wscript.exe" setup.vbs
      signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 3708)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\setup.cmd" "
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\vcredist.exe  (PID 1584)
          command line: vcredist.exe /install /passive /norestart
          signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Windows\Temp\{1F9D81CA-8557-4161-A12C-ADC5DA12CF1C}\.cr\vcredist.exe  (PID 1848)
            command line: "C:\Windows\Temp\{1F9D81CA-8557-4161-A12C-ADC5DA12CF1C}\.cr\vcredist.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\vcredist.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /passive /norestart
            signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          C:\Windows\Temp\{91A9254D-D230-4F74-8E3B-C5C308CA2887}\.be\VC_redist.x64.exe  (PID 1392)
              command line: "C:\Windows\Temp\{91A9254D-D230-4F74-8E3B-C5C308CA2887}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{39F1C331-1E53-4E4B-ADF8-C1091C75454C} {812D2C29-B70D-4EC8-ADC0-F65A35A33195} 1848
              signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class
          C:\Windows\SysWOW64\WerFault.exe  (PID 3924)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1136
              signatures: Program crash
      C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\setup.exe  (PID 3908)
          command line: setup.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow

C:\Windows\system32\vssvc.exe  (PID 3468)
    command line: C:\Windows\system32\vssvc.exe
    signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\srtasks.exe  (PID 3444)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 2932)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
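The process tree above can be rebuilt mechanically from the WriteProcessMemory rows in the Signatures section, which is how an analyst checks that the sandbox's rendered tree and its raw API log agree. As an added example (not part of the Triage report or of the sample), the following Python folds the repeated rows into a parent map, renders the tree, and runs one illustrative heuristic over it: an executable in the user's Temp spawning wscript.exe, which spawns cmd.exe, which launches binaries from a 7-Zip SFX extraction directory. It assumes the row layout "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>" and the image paths listed under Processes; the heuristic is the editor's, not a Triage signature.

```python
"""Rebuild the execution chain from the WriteProcessMemory rows and check it
for the "dropper -> wscript.exe -> cmd.exe -> binaries in a 7-Zip SFX dir"
pattern.

Added example, not part of the Triage report or of the sample. It assumes
the report's row layout "PID <parent> wrote to memory of <child> <parent>
<image> <procid_target>" and the image paths listed under Processes; the
chain rule is an illustrative analyst heuristic, not a Triage signature.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory table above.
# Triage emits one row per observed call, so a parent/child pair repeats.
WPM_ROWS = [
    "PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85",
    "PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85",
    "PID 772 wrote to memory of 664 772 SoundBridge_64-bit.exe 85",
    "PID 664 wrote to memory of 3708 664 wscript.exe 86",
    "PID 3708 wrote to memory of 1584 3708 cmd.exe 88",
    "PID 1584 wrote to memory of 1848 1584 vcredist.exe 89",
    "PID 1848 wrote to memory of 1392 1848 vcredist.exe 90",
    "PID 3708 wrote to memory of 3908 3708 cmd.exe 105",
]

# Constructed input: image paths from the Processes section, keyed by PID.
IMAGES = {
    772: r"C:\Users\Admin\AppData\Local\Temp\SoundBridge_64-bit.exe",
    664: r"C:\Windows\SysWOW64\wscript.exe",
    3708: r"C:\Windows\SysWOW64\cmd.exe",
    1584: r"C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\vcredist.exe",
    1848: r"C:\Windows\Temp\{1F9D81CA-8557-4161-A12C-ADC5DA12CF1C}\.cr\vcredist.exe",
    1392: r"C:\Windows\Temp\{91A9254D-D230-4F74-8E3B-C5C308CA2887}\.be\VC_redist.x64.exe",
    3908: r"C:\Users\Admin\AppData\Local\Temp\7zS403E0EB7\setup.exe",
}

# The repeated "<parent>" field must equal the leading PID; \1 enforces that.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
# %TEMP%\7zS<hex>\ is the directory a 7-Zip SFX stub extracts its payload into.
SFX_DIR_RE = re.compile(r"\\Temp\\7zS[0-9A-Fa-f]+\\")
USER_TEMP = "\\appdata\\local\\temp\\"


def parse_wpm(rows):
    """Return (child -> parent, pid -> image name) with duplicate rows folded."""
    parents, names = {}, {}
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        if parents.setdefault(child, parent) != parent:
            raise ValueError(f"pid {child} claimed by two parents")
        names[parent] = image
    return parents, names


def children_of(parents):
    kids = defaultdict(list)
    for child, parent in parents.items():
        kids[parent].append(child)
    return {p: sorted(c) for p, c in kids.items()}


def ancestry(pid, parents):
    """Root-first chain of PIDs leading to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render_tree(parents, images):
    """Indented text tree, one line per process, roots first."""
    kids = children_of(parents)
    roots = sorted(p for p in kids if p not in parents)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def sfx_script_chain(parents, images):
    """PIDs of binaries run from an SFX dir by cmd.exe, where cmd.exe was
    spawned by wscript.exe and wscript.exe by an executable in user Temp."""
    hits = []
    for pid, path in images.items():
        chain = ancestry(pid, parents)
        if len(chain) < 4 or not SFX_DIR_RE.search(path):
            continue
        root, grandparent, parent = (images.get(p, "").lower() for p in chain[-4:-1])
        if (parent.endswith("\\cmd.exe") and grandparent.endswith("\\wscript.exe")
                and USER_TEMP in root):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    parents, _ = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(parents, IMAGES)))
    print("SFX script chain hits:", sfx_script_chain(parents, IMAGES))
```

Note that the two Burn processes under C:\Windows\Temp (PIDs 1848 and 1392) are not flagged even though they descend from the same chain: the rule keys on the executable's own location, so the VC++ bootstrapper's clean-room copies fall outside it while the two payload binaries in 7zS403E0EB7 are caught.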
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 94a153cc30cb8a857e89fc6c7c2b77e0
SHA1: cd1d33ce91c30e1facf13040ec079ca5cec9bcff
SHA256: 9c4e7fbd58dba9d53ba405fe11189dce29bc7f718fdc66e397875a51ca29e5bd
SHA512: eb4743c49952a536cc7354dd56eb35461a460779cbf691b7ce7a61e4d718ade195a51250582919bd418bde431c8f240238d5f6b3c491be19dddd4357335a7829

Filesize: 5.8MB
MD5: 21f255a26a9808d39f001e9f759910e7
SHA1: c9c436fd118f65959e130f7d0aa1f87a8c80d07c
SHA256: 171b097109539ffb924c326c9b32d541752f99e8add13f5bca8a372c384b881f
SHA512: effe9ba83613b2e4e0f63a21727996489b31ff65689684ffd4352e6786a2c95727e739b47b6a1cef169cfa33483c7d55137e26b41beb0a940085bc1a6204a91d

Filesize: 6.5MB
MD5: 60baaa13bfd7dc3590c769297be16d61
SHA1: 9548ca37cc7988e1d0634c56193d6706b89a18d4
SHA256: 97c165d01582ff0d222c92ecfd5731fce62a01106bdb40c5a6dcefc10c0c487d
SHA512: c72a82fc9ff86915449258e1f1104623aa155ea58841076ba644185230bd0db414cb20e99a6194ad3b3c3435aba6de1fcebe01e4abc51e3072fe9ba5e3cca8ba

Filesize: 1.3MB
MD5: 98193d63d39bd6e23bb7da4bbc7c4daf
SHA1: 9d2e0b860fd8ddd376d596a70c9036b7bd5a8a9a
SHA256: 3e79db9012a262ebd7799922a414be10c645eb3f7e2ce98bfdc54f9f2f21db21
SHA512: d26fbfb9e42467bda9416564772c293fc948aad87822c3ffdee7a6352d0c21102261aeb6e9dc4dd7981a7f6b5e53e7c189ff6a1cb29baaa34ede45ac854db5c7

Filesize: 304KB
MD5: ece6b35e45e23169e5dd1221c8e57557
SHA1: 13b3f065d4a8a1c732cd3dd49aa5a81445c586fe
SHA256: 92a93e55c6e51e9ea0947cba059a2a4042a240b669c24a20d01e495b6e0841d3
SHA512: 4b7b69517ba6bd7e80c3db3d964b54ccdf2a76aa79176c481f6ac29655b44c9222875515fb15ea2cd9fb3054abd4184424f5a533581c55f28cd8b7dd5d5d25c0

Filesize: 3.4MB
MD5: 3b374977280929693282eb0d2284dc9f
SHA1: ff74d02b430b35f4901ae6bb13e59a950b358f46
SHA256: 438c9cfd9be471332e67a54755550c35b23c87def94534018c2e9165a942eaa6
SHA512: d5fa7de5de1b37a5f9b673cc00311cd3646e6005c75c0d9b9c68119ab5b39de8829e04ca19d4026930dbdcc69aac54a04ba1e0a6eb7f085731b7ae5c94a24fa9

Filesize: 318KB
MD5: 1b799e0b812f9a28958eef62de335ecb
SHA1: 06a9a071de4daae53225bafcd888d50bb5c7dbb5
SHA256: af06e98c8bcc4c794c06c61df7723f910b41632ba50e803f060ee5689cd7508c
SHA512: 61c54869d540ce1448a6a11b4a74b5045fbea9f9f04f3524a44e1cb9cc89edaf30a7e7dcd5ef3016613ac9173c08e8b93dd82466bd3bee18c20778a46e342f98

Filesize: 5.3MB
MD5: 2aec9dd5ef70293bf180be0b5044fb23
SHA1: 68453ae2d1fc8aeb74f505139dfcbce9fffa99ee
SHA256: ae3401cd2463fe759a021bb7a72ed694055ab702f40f37677602a4e16a17a81a
SHA512: e52fa0e275377a6ff792217c49bd02e9aaed96d9f55d03644cd637dc7e33261e44ea9b288dae57afad8cea51893d2d16a7de2ac98e1eb510e4d74b105710ae11

Filesize: 225KB
MD5: 94239aa589f365dc679d82cf3c02cc96
SHA1: 99d97f28cd87c5eb4453020d45bc2240ec2d8fb2
SHA256: 671d5a2a8f0317d1843625d031a8143d243cb2345b880ef2a974a2b1e451e7ab
SHA512: 63259e5fa5c4db133bcab32d6e892d8e11019a643110ee7e653fedd282c7a45f65d3b5266a5c140905cf31448a9ceb0ad73d33941c694bb298298d3c2d9fc86b

Filesize: 204KB
MD5: 4dc5e9da1174eef7745ea9a3cb931797
SHA1: 584127e12c7a6ac8f2e795713dde61629d6f611d
SHA256: 752f9d95e78f4fb8381397d0178dc49c0fdc1a94172b0c9a8d76c9a805d0dfdf
SHA512: a8659a0f4ecb5f0eaececa8ff23265f9691609e95d717bad873bb20581d92523f0a2852ca2124e6e1b4125e31a9af4edbae36cf7d6663c4fb7f2874f863bd4f4

Filesize: 288KB
MD5: eef72757cb0b597a5c71b9a0fddda882
SHA1: 6010251ce2a463e86a5871dcb21a2eab0c1b817f
SHA256: 89ac9dcee25fc0074bb7d04c798ac751c6e70e9cd87f633705ae7a3a58e88e6b
SHA512: e0a2ebf047c5d304b9558805606f44d2fb633a142a50feefede994af3420841fbd396016b35721138ddac545499491fc544387b5c5444b35bbefcfdc0c0968e5

Filesize: 2.8MB
MD5: 68d3f2da6ab5afaa7819bcda17244374
SHA1: c410977dc7f3d1d6f206a3b2e920a3684c746dfe
SHA256: f83cf2ec6bf9e5c774ffc47cc31de963e319cf60c947d31b12ab158c03439408
SHA512: 306ed3fe34d54de317fdf28696c42f5a11fc9b23d8b3dfd53a77d10577a49bad5af879a95e490808a2a6b28ce1de263290ae0d8aa912942b49cf5d84a13bd02c

Filesize: 835KB
MD5: df58920d7110bf1c93deac14af18d3a9
SHA1: c6dfa0394cc4bd7ac4b606588e91051fa20e37b8
SHA256: 07a8440164b1c555b574a41f3dc50f650305e95945024ab810fdf16e804b1f21
SHA512: 8dd3d8c28bf455ac94cd192ab302dd9638dad18db5a454e41422e6d3a3b94476f5512ac3e0472b9d79288271f77a736cd17987bf1fae6871d31a4f84e9ee9df7

Filesize: 63B
MD5: e948291c4586b9303b373bdcfb106967
SHA1: 8279d56d7fa22a484a15ef747222de898b07e3cc
SHA256: e4fd53f1000b09e769de22a36179efd2f004738cdd883502e4fc75718a2516e9
SHA512: 3ece91b775eeb7b5812fec67a90427411a6cec7c15ad8076ac56a565b789b3a2cfcb0657743383a122228e710be213729f82dac99d7f4af724de5487455845c3

Filesize: 109B
MD5: 63521b3ae360c9cc4db03e67b8228302
SHA1: 13066493684d93bf66d528231860c20476490ca2
SHA256: 786e9220071a8d5f060c0e152c75cfe8c17995557e1ba8b433b66e7b7583c8d6
SHA512: c985a325953a442e808af4cdf4c94b0319a7dcfb983f3f75ada949ff4491608109418beb648dbf6ab07385fe9f9b94256118bf6d76057b3d75f3e6b1cc894e02

Filesize: 24.1MB
MD5: cdce5d5ee259d8071fa82f522c5c7d6e
SHA1: d4f9181e70e3f1aa6c8edffcc15b3c3d4babe36b
SHA256: ce6593a1520591e7dea2b93fd03116e3fc3b3821a0525322b0a430faa6b3c0b4
SHA512: 8f86693bf9fb4ee0ba021b826663028158d580a0424417a30d8f95ef8853fcd224b5a213beba5d99b48be0607a0a6870158bf1899fe1445da9ca19a208608527

Filesize: 635KB
MD5: d940ea062ed6e99f6d873c2f5f09d1c9
SHA1: 6abec3341d3bca045542c7b812947b55ddaf6b64
SHA256: a0fce2b6c865ae4f00145c9b366c39484daf3160b526c77005e59f6f65adb202
SHA512: e4069e41311e8bd4599de0a1bdf0ee0b76316359a0c83ac663c23da8833e5dc0effa260fe8d0e47f4befa94c87fc7bf93bce2b79792abe8befc59acf5401cfe1

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 191KB
MD5: eab9caf4277829abdf6223ec1efa0edd
SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2