e1f5f78f744ddd0c1d9392ac2f19b1a7077ee27043a09355a60de06980fc4963

Analysis

max time kernel
13s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 20:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Crack SoundPad , By Burdix/Soundpad - Raccourci.lnk
Size

1KB
MD5

428f4ea8cf531b3c3540c90fcc7a27c9
SHA1

fd1c2217d0a6d270d3c3ac460528c3199e7c12dc
SHA256

f89ff09ecad2ef5a98b85ef5b47ac1e3faba33152a02fee4880972858e1e0e1e
SHA512

439886fc561259e6bd3f502c4dc65b99f6aea8604c9e2102110d2f425d6f7ec66a0bd1f51198df7d66a5c3d73d348c831848cf293c1f72733bb18e17043cbdae

Score

7^/10

persistence privilege_escalation upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 2 IoCs

pid	Process
4784	regsvr32.exe
3816	regsvr32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\UniteFx.dll	Soundpad.exe
File opened for modification	C:\Windows\system32\UniteFx.dll	Soundpad.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/memory/1640-2-0x00007FFCEFA60000-0x00007FFCF0AB0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithProgids	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ThreadingModel = "Both"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\shell\open	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MajorVersion = "1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\APOInterface0 = "{FD7F2B29-24D0-4B5C-B177-592C39F9CA10}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithList\ehshell.exe	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithList	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\PerceivedType = "audio"	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\FriendlyName = "UniteFx"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinInputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\ = "URL:Soundpad Protocol"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack SoundPad , By Burdix\\Soundpad.exe,0"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\DefaultIcon	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\shell	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack SoundPad , By Burdix\\Soundpad.exe\" -c \"%1\""	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Flags = "14"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinOutputConnections = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\shell\open\command\	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\URL Protocol	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\Copyright = "Copyright (C) 2016-2019 Leppsoft"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\shell\open\command\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\Content Type = "audio/soundpadlist"	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\ = "Soundpad sound list"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack SoundPad , By Burdix\\Soundpad.exe,1"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\shell\open	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad\shell\open\command	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MinorVersion = "6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxInstances = "4294967295"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\DefaultIcon	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\shell	Soundpad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\ = "UniteFx Class"	Soundpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\InprocServer32\ = "C:\\Windows\\system32\\UniteFx.dll"	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithList\ehshell.exe\	Soundpad.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\shell\open\command	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\MaxOutputConnections = "1"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\ = "Soundpad.Soundlist"	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\.spl\OpenWithProgids\Soundpad.Soundlist	Soundpad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Soundpad.Soundlist\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack SoundPad , By Burdix\\Soundpad.exe\" \"%1\""	Soundpad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{27384E53-9860-0AC1-9519-C60EBCAA2C71}\NumAPOInterfaces = "1"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1640	Soundpad.exe
Token: 33	3244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3244	AUDIODG.EXE
Token: SeShutdownPrivilege	1640	Soundpad.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1640	Soundpad.exe
1640	Soundpad.exe
1640	Soundpad.exe
1640	Soundpad.exe
1248	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1640	224	cmd.exe	83
PID 224 wrote to memory of 1640	224	cmd.exe	83
PID 1640 wrote to memory of 4784	1640	Soundpad.exe	85
PID 1640 wrote to memory of 4784	1640	Soundpad.exe	85
PID 1640 wrote to memory of 3816	1640	Soundpad.exe	86
PID 1640 wrote to memory of 3816	1640	Soundpad.exe	86

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Crack SoundPad , By Burdix\Soundpad - Raccourci.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\Crack SoundPad , By Burdix\Soundpad.exe
  "C:\Users\Admin\AppData\Local\Temp\Crack SoundPad , By Burdix\Soundpad.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4784
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x32c 0x4d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\UniteFx.dll

Filesize
442KB

MD5
0ee743073ee6b68f8222be2661d95315

SHA1
2e642772ec19edf73422fe25a8d45db1a006ff85

SHA256
562b17370c7283e92a3353b76ab2aefd301c2e78782fa60ec9ee35676ad44f96

SHA512
c3f2037bd37cef7978187f67f1d0633ee3067b4837e0ad9ae2a5c8efab8ec4ce6a14c1d88e200ffaa8677f74fd5995789297e6a7b5ac18d19dc9d53b4d9170ba

Download Submit
memory/1640-2-0x00007FFCEFA60000-0x00007FFCF0AB0000-memory.dmp

Filesize
16.3MB

Download
memory/1640-6-0x00007FFCCDAC0000-0x00007FFCCDAC1000-memory.dmp

Filesize
4KB

Download