Analysis
max time kernel: 124s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 21:47
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: csaudiointcsof.1.0.4-installer.exe, win7-20240903-en
behavioral2: csaudiointcsof.1.0.4-installer.exe, win10v2004-20241007-en
behavioral3: $PLUGINSDIR/System.dll, win7-20240729-en
behavioral4: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral5: drivers/cs42l42/cs42l42.sys, win10v2004-20241007-en
behavioral6: drivers/csaudiointcsof/csaudiointcsof.sys, win10v2004-20241007-en
behavioral7: drivers/da7219/da7219.sys, win10v2004-20241007-en
behavioral8: drivers/dpinst.exe, win7-20241010-en
behavioral9: drivers/dpinst.exe, win10v2004-20241007-en
behavioral10: drivers/max98357a/max98357a.sys, win10v2004-20241007-en
behavioral11: drivers/max98390/max98390.sys, win10v2004-20241007-en
behavioral12: drivers/nau8825/nau8825.sys, win10v2004-20241007-en
behavioral13: drivers/opengmaxcodec/opengmaxcodec.sys, win10v2004-20241007-en
behavioral14: drivers/rt1011/rt1011.sys, win10v2004-20241007-en
behavioral15: drivers/rt1015/rt1015.sys, win10v2004-20241007-en
behavioral16: drivers/rt5682/rt5682.sys, win10v2004-20241007-en
behavioral17: drivers/rt5682s/rt5682s.sys, win10v2004-20241007-en
behavioral18: drivers/sklhdaudbus/sklhdaudbus.sys, win10v2004-20241007-en
behavioral19: uninstall.exe, win7-20241010-en
behavioral20: uninstall.exe, win10v2004-20241007-en
behavioral21: $PLUGINSDIR/nsProcess.dll, win7-20240708-en
behavioral22: $PLUGINSDIR/nsProcess.dll, win10v2004-20241007-en
behavioral23: utils/csaudioendpointswitcher.exe, win7-20240903-en
behavioral24: utils/csaudioendpointswitcher.exe, win10v2004-20241007-en
General
Target: csaudiointcsof.1.0.4-installer.exe
Size: 1.8MB
MD5: 7081d418a756bd4975a0b816b3a1e480
SHA1: ae7bfffa37531eb277bbd6301e613436ede660ed
SHA256: fd2cd5d65cb83a0c03a4f3bd5ace284d271369afe14672234d79f68a006ca3e8
SHA512: 1e1a2bd8a85b8cceef05043b6b7d6422d2af53d115d03c04406423b8afdd74e106ae02972747edcd5253700aef10a27616e79841c63ff0d13aa57ce51b387432
SSDEEP: 49152:kdY6XW38XFtwVkRwFAqrco1uE3DrBImRuijVomG:ku85XFdrqrxTDFImhoz
Signatures
Executes dropped EXE (2 IoCs)
Processes: PID 2248 dpinst.exe; PID 1656 dpinst.exe

Loads dropped DLL (5 IoCs)
Processes: PID 2516 csaudiointcsof.1.0.4-installer.exe (3 loads); PID 860 (2 loads, process name not recorded)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (41 IoCs; files created or opened for modification under C:\Windows\System32\DriverStore by DrvInst.exe and dpinst.exe)
Drops file in Program Files directory (55 IoCs; files created under C:\Program Files\csaudiointcsof\drivers by csaudiointcsof.1.0.4-installer.exe and dpinst.exe)
Drops file in Windows directory (11 IoCs)
Processes (event, path, process):
File created C:\Windows\INF\oem2.inf (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (dpinst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (dpinst.exe)
File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File opened for modification C:\Windows\DPINST.LOG (dpinst.exe)
File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
File opened for modification C:\Windows\INF\oem2.inf (DrvInst.exe)
File opened for modification C:\Windows\DPINST.LOG (dpinst.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csaudiointcsof.1.0.4-installer.exe)
Modifies data under HKEY_USERS (45 IoCs; keys created under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates and \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates, and MuiCache LanguageList values set, by DrvInst.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: PID 1676 rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, PID, process, number of events):
SeRestorePrivilege, PID 2248 dpinst.exe, 14
SeRestorePrivilege, PID 2668 DrvInst.exe, 15
SeBackupPrivilege, PID 2668 DrvInst.exe, 1
SeRestorePrivilege, PID 1952 rundll32.exe, 7
SeBackupPrivilege, PID 1444 vssvc.exe, 1
SeRestorePrivilege, PID 1444 vssvc.exe, 1
SeAuditPrivilege, PID 1444 vssvc.exe, 1
SeRestorePrivilege, PID 1756 DrvInst.exe, 7
SeLoadDriverPrivilege, PID 1756 DrvInst.exe, 3
SeRestorePrivilege, PID 1656 dpinst.exe, 14
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (writer PID and image, target PID, the report's procid_target index, number of events):
PID 2516 csaudiointcsof.1.0.4-installer.exe wrote to memory of PID 2248 (procid_target 30), 7
PID 2668 DrvInst.exe wrote to memory of PID 1952 (procid_target 32), 3
PID 2516 csaudiointcsof.1.0.4-installer.exe wrote to memory of PID 1656 (procid_target 37), 7
PID 616 DrvInst.exe wrote to memory of PID 1676 (procid_target 39), 3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe"
PID: 2516
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Program Files\csaudiointcsof\drivers\dpinst.exe
    Command line: "C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f /path "C:\Program Files\csaudiointcsof\drivers\sklhdaudbus"
    PID: 2248
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\csaudiointcsof\drivers\dpinst.exe
    Command line: "C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f /path "C:\Program Files\csaudiointcsof\drivers\csaudiointcsof"
    PID: 1656
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2aabbc59-c36f-78b5-52e1-cf5b61cd8124}\sklhdaudbus.inf" "9" "66424e113" "0000000000000540" "WinSta0\Default" "00000000000005A0" "208" "c:\program files\csaudiointcsof\drivers\sklhdaudbus"
PID: 2668
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{3f64f511-497d-5df4-1b36-3717af083b65} Global\{2390e7f4-05ba-1cfd-6af0-4722227eff12} C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.inf C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.cat
    PID: 1952
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 1444
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005DC"
PID: 1756
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1df8e362-6edf-1535-ab13-bf7fce545e22}\csaudiointcsof.inf" "9" "612162d9b" "00000000000005A0" "WinSta0\Default" "000000000000005C" "208" "c:\program files\csaudiointcsof\drivers\csaudiointcsof"
PID: 616
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{75c8a1d2-2c22-2b04-d20e-0d4066b08e72} Global\{11aa417d-57ae-0eb9-6274-a55276966034} C:\Windows\System32\DriverStore\Temp\{6231063d-a1a3-1255-c650-bc3660e3eb0f}\csaudiointcsof.inf C:\Windows\System32\DriverStore\Temp\{6231063d-a1a3-1255-c650-bc3660e3eb0f}\csaudiointcsof.cat
    PID: 1676
    - Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Enterprise v15
Downloads