Analysis
max time kernel: 80s
max time network: 86s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 08-09-2024 08:52
Behavioral task behavioral1
Sample: RealtekHDAudioManager.exe
Resource: win10-20240404-en
Behavioral task behavioral2
Sample: RealtekHDAudioManager.exe
Resource: win10-20240404-en
General
Target: RealtekHDAudioManager.exe
Size: 9.9MB
MD5: 66dcb8e404e39465f21e8c17c223cbce
SHA1: 7e2f220191e06da058b76257e71c707378721c4f
SHA256: 80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f
SHA512: 85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164
SSDEEP: 98304:6QI9wzKxmhMIIKfGTibiyCC9cK8yE2ICafZmwjsEejd:6IzKxmhhtbiyCicRfDUjd
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1281798080831684654/97q8rBV9oGoDnjnN72iLt4FY_BkQfULH9HMX-mbmcq4SFeqjHV9Up44HYqKZGhBj6eoL
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RealtekHDAudioManager.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" | RealtekHDAudioManager.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | api.ipify.org
  3 | api.ipify.org
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: RealtekHDAudioManager.exe, wmic.exe
  description | pid | process
  Token: SeDebugPrivilege | 1768 | RealtekHDAudioManager.exe
  Token: SeIncreaseQuotaPrivilege | 4748 | wmic.exe
  Token: SeSecurityPrivilege | 4748 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4748 | wmic.exe
  Token: SeLoadDriverPrivilege | 4748 | wmic.exe
  Token: SeSystemProfilePrivilege | 4748 | wmic.exe
  Token: SeSystemtimePrivilege | 4748 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4748 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4748 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4748 | wmic.exe
  Token: SeBackupPrivilege | 4748 | wmic.exe
  Token: SeRestorePrivilege | 4748 | wmic.exe
  Token: SeShutdownPrivilege | 4748 | wmic.exe
  Token: SeDebugPrivilege | 4748 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4748 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4748 | wmic.exe
  Token: SeUndockPrivilege | 4748 | wmic.exe
  Token: SeManageVolumePrivilege | 4748 | wmic.exe
  Token: 33 | 4748 | wmic.exe
  Token: 34 | 4748 | wmic.exe
  Token: 35 | 4748 | wmic.exe
  Token: 36 | 4748 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 4748 | wmic.exe
  Token: SeSecurityPrivilege | 4748 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4748 | wmic.exe
  Token: SeLoadDriverPrivilege | 4748 | wmic.exe
  Token: SeSystemProfilePrivilege | 4748 | wmic.exe
  Token: SeSystemtimePrivilege | 4748 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4748 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4748 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4748 | wmic.exe
  Token: SeBackupPrivilege | 4748 | wmic.exe
  Token: SeRestorePrivilege | 4748 | wmic.exe
  Token: SeShutdownPrivilege | 4748 | wmic.exe
  Token: SeDebugPrivilege | 4748 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4748 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4748 | wmic.exe
  Token: SeUndockPrivilege | 4748 | wmic.exe
  Token: SeManageVolumePrivilege | 4748 | wmic.exe
  Token: 33 | 4748 | wmic.exe
  Token: 34 | 4748 | wmic.exe
  Token: 35 | 4748 | wmic.exe
  Token: 36 | 4748 | wmic.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: RealtekHDAudioManager.exe
  description | pid | process | target process
  PID 1768 wrote to memory of 4500 | 1768 | RealtekHDAudioManager.exe | attrib.exe
  PID 1768 wrote to memory of 4500 | 1768 | RealtekHDAudioManager.exe | attrib.exe
  PID 1768 wrote to memory of 992 | 1768 | RealtekHDAudioManager.exe | attrib.exe
  PID 1768 wrote to memory of 992 | 1768 | RealtekHDAudioManager.exe | attrib.exe
  PID 1768 wrote to memory of 4748 | 1768 | RealtekHDAudioManager.exe | wmic.exe
  PID 1768 wrote to memory of 4748 | 1768 | RealtekHDAudioManager.exe | wmic.exe
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
  pid | process
  4500 | attrib.exe
  992 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe"
  PID: 1768
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\attrib.exe
    Command line: attrib +h +s C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe
    PID: 4500
    - Views/modifies file attributes
  C:\Windows\system32\attrib.exe
    Command line: attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    PID: 992
    - Views/modifies file attributes
  C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic csproduct get UUID
    PID: 4748
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9.9MB
MD5: 66dcb8e404e39465f21e8c17c223cbce
SHA1: 7e2f220191e06da058b76257e71c707378721c4f
SHA256: 80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f
SHA512: 85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164