Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 21:47

General

  • Target

    csaudiointcsof.1.0.4-installer.exe

  • Size

    1.8MB

  • MD5

    7081d418a756bd4975a0b816b3a1e480

  • SHA1

    ae7bfffa37531eb277bbd6301e613436ede660ed

  • SHA256

    fd2cd5d65cb83a0c03a4f3bd5ace284d271369afe14672234d79f68a006ca3e8

  • SHA512

    1e1a2bd8a85b8cceef05043b6b7d6422d2af53d115d03c04406423b8afdd74e106ae02972747edcd5253700aef10a27616e79841c63ff0d13aa57ce51b387432

  • SSDEEP

    49152:kdY6XW38XFtwVkRwFAqrco1uE3DrBImRuijVomG:ku85XFdrqrxTDFImhoz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 41 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. In this trace the VSS activity (vssvc.exe, and the DrvInst.exe instance handling the new STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 device) sits alongside the driver installation, which is consistent with the restore point Windows creates before installing a driver package; the process tree contains no vssadmin, wmic or wbadmin shadow-copy deletion.

Processes

  • C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Program Files\csaudiointcsof\drivers\dpinst.exe
      "C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f /path "C:\Program Files\csaudiointcsof\drivers\sklhdaudbus"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Program Files\csaudiointcsof\drivers\dpinst.exe
      "C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f /path "C:\Program Files\csaudiointcsof\drivers\csaudiointcsof"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2aabbc59-c36f-78b5-52e1-cf5b61cd8124}\sklhdaudbus.inf" "9" "66424e113" "0000000000000540" "WinSta0\Default" "00000000000005A0" "208" "c:\program files\csaudiointcsof\drivers\sklhdaudbus"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{3f64f511-497d-5df4-1b36-3717af083b65} Global\{2390e7f4-05ba-1cfd-6af0-4722227eff12} C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.inf C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.cat
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1444
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D8" "00000000000005DC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1756
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1df8e362-6edf-1535-ab13-bf7fce545e22}\csaudiointcsof.inf" "9" "612162d9b" "00000000000005A0" "WinSta0\Default" "000000000000005C" "208" "c:\program files\csaudiointcsof\drivers\csaudiointcsof"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{75c8a1d2-2c22-2b04-d20e-0d4066b08e72} Global\{11aa417d-57ae-0eb9-6274-a55276966034} C:\Windows\System32\DriverStore\Temp\{6231063d-a1a3-1255-c650-bc3660e3eb0f}\csaudiointcsof.inf C:\Windows\System32\DriverStore\Temp\{6231063d-a1a3-1255-c650-bc3660e3eb0f}\csaudiointcsof.cat
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1676
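The chain above is the one a triage analyst should pivot on: the installer drops DPInst and runs it with `/sw /f` (wizard suppressed, package forced in), the PnP installer (DrvInst.exe) then spawns `rundll32 pnpui.dll,InstallSecurityPromptRunDllW`, which is the driver-installation security prompt, so the catalog-signed package was not accepted silently on this image. The same chain appears with legitimate third-party driver installers, so it is a pivot, not a verdict; the signature on the dropped .cat/.sys should be checked offline (for example `signtool verify /kp /v` on the catalog). The following is an added example, not part of the sandbox report: two rules that flag this chain when run over process-creation events. `EVENTS` is constructed from the command lines on this page in a Sysmon-like shape (pid, ppid, image, cmdline); parent PIDs of the root processes are assumed, and the DrvInst.exe arguments after the .inf path are omitted.

```python
"""Added example, not part of the sandbox report: two rules that flag the
driver-install chain in the process tree above when run over process-creation
events. EVENTS is constructed from the command lines on this page in a
Sysmon-like shape (pid, ppid, image, cmdline); parent PIDs of the root
processes are assumed, and the DrvInst.exe arguments after the .inf path are
omitted."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2516, 1100,  # parent PID assumed
              r"C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\csaudiointcsof.1.0.4-installer.exe"'),
    ProcEvent(2248, 2516, r"C:\Program Files\csaudiointcsof\drivers\dpinst.exe",
              r'"C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f '
              r'/path "C:\Program Files\csaudiointcsof\drivers\sklhdaudbus"'),
    ProcEvent(1656, 2516, r"C:\Program Files\csaudiointcsof\drivers\dpinst.exe",
              r'"C:\Program Files\csaudiointcsof\drivers\dpinst.exe" /sw /f '
              r'/path "C:\Program Files\csaudiointcsof\drivers\csaudiointcsof"'),
    ProcEvent(2668, 700,  # parent PID assumed; trailing DrvInst arguments omitted
              r"C:\Windows\system32\DrvInst.exe",
              r'DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp'
              r'\{2aabbc59-c36f-78b5-52e1-cf5b61cd8124}\sklhdaudbus.inf"'),
    ProcEvent(1952, 2668, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 "
              r"Global\{3f64f511-497d-5df4-1b36-3717af083b65} "
              r"Global\{2390e7f4-05ba-1cfd-6af0-4722227eff12} "
              r"C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.inf "
              r"C:\Windows\System32\DriverStore\Temp\{4c10c17b-431d-2684-3ff6-1c6e26956503}\sklhdaudbus.cat"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_quiet_forced_dpinst(ev: ProcEvent, parent):
    """DPInst run with the wizard suppressed (/sw or /q) and /f, which forces the
    package in even when an equal or better driver is already present. /lm
    (legacy mode, accepts unsigned packages) is reported if it is present."""
    if basename(ev.image) != "dpinst.exe":
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    flags = {t for t in low[1:] if t.startswith("/")}
    if "/f" not in flags or not flags & {"/sw", "/q"}:
        return None
    target = None
    if "/path" in low and low.index("/path") + 1 < len(toks):
        target = toks[low.index("/path") + 1]
    return {
        "rule": "dpinst_quiet_forced_install",
        "pid": ev.pid,
        "parent": basename(parent.image) if parent else None,
        "outside_windows_dir": not ev.image.lower().startswith("c:\\windows\\"),
        "legacy_mode": "/lm" in flags,
        "package_dir": target,
    }


def rule_driver_security_prompt(ev: ProcEvent, parent):
    """rundll32 pnpui.dll,InstallSecurityPromptRunDllW spawned by DrvInst.exe:
    the PnP installer had to prompt before accepting the driver package."""
    if basename(ev.image) != "rundll32.exe":
        return None
    if "pnpui.dll,installsecuritypromptrundllw" not in ev.cmdline.lower():
        return None
    toks = tokenize(ev.cmdline)
    return {
        "rule": "driver_install_security_prompt",
        "pid": ev.pid,
        "parent": basename(parent.image) if parent else None,
        "inf": next((t for t in toks if t.lower().endswith(".inf")), None),
        "cat": next((t for t in toks if t.lower().endswith(".cat")), None),
    }


RULES = (rule_quiet_forced_dpinst, rule_driver_security_prompt)


def analyze(events):
    """Run every rule over every event; findings come back in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            hit = rule(ev, parent)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Against the constructed events the rules return two `dpinst_quiet_forced_install` findings (one per package directory, both with `legacy_mode` false, so `/lm` was not used) and one `driver_install_security_prompt` finding whose parent is `drvinst.exe`. Real telemetry should be fed in the same four-field shape; the parent lookup is what ties the prompt back to the installing process.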

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\DPINST.LOG

    Filesize

    6KB

    MD5

    22cae599b4328a14b8278e2463d623a0

    SHA1

    8bdcd473eedb708e5d91e943e5085c067d57730e

    SHA256

    0bb7e0638d31a0b646d026f164ffa89a12926a4b9b3d92b149b08adc3ff3ec4e

    SHA512

    39306e87da191d88335ac214a1adbb90456bb0d311413bc192ba523b71ba74cb38acb29b68ce1d5f956961a1fd27648dd86dd9fc518cddc52647b1b338baf18b

  • C:\Windows\System32\DriverStore\FileRepository\sklhdaudbus.inf_amd64_neutral_ef7fd6994108efdc\sklhdaudbus.PNF

    Filesize

    8KB

    MD5

    89d3c9c559af9347b1cdfe938339128b

    SHA1

    e5c9d2e20ee5f3ac35ef314c0703dee6fafaf42d

    SHA256

    e3489a5059d5b18e5d3c2ef40dd5485702b373deff7d47d74dae1255b6882580

    SHA512

    79da35685957a6a81ab67d9d42ad00319765d2081f6536191b0b5547caf33628d24b0b6f1783bc6985e8506ad9683643746e0d16057e92e73270e484284720d1

  • C:\Windows\System32\DriverStore\INFCACHE.1

    Filesize

    1.4MB

    MD5

    153032a740c07609491288393d11ab2e

    SHA1

    f8426a6ce82e3cc7082a68ced28619a778ea5113

    SHA256

    529a36160295a26b8b692d59fe9ead327211bbeebca54e2b6c88059607534aa6

    SHA512

    346299fd54896dce8876a985672a32c2f8985f69e0800bb7b6c531954155e12b23f02bd45b7ff95e31a63b917fe431630a0cf92df4a447a923ea822b47d458d7

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\csaudiointcsof.sys

    Filesize

    156KB

    MD5

    b29472b5ff4ddb9dbd675cb6e3130358

    SHA1

    4bcfb0070523f9c874770011fd6c22bbbf6d12f5

    SHA256

    9bdf7476354993fd90871d386020a00e68ecec8264fe75183e4311286e19c52a

    SHA512

    72f24040f834cb466bd37ca7f314176ae732f051767581f4eeb988f522dbfbe361e7910fe2ccdcbfdd830c7341190c597cfb969a33b96dfcc7231fbf898c64b0

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\sof-apl.ri

    Filesize

    312KB

    MD5

    22b8ca5a4f0d8b9e9185b0d4e4fc8e7b

    SHA1

    7d0b06204ceeb24fdc0f7256d1eb8c402039dcad

    SHA256

    d63499833bb20352e63907e2409f8246df278a15cf7c73a24aeefaff19fb1a43

    SHA512

    c26dd00ed3cb8f01e226c35e49720c66e71734978913f81a818c6bc1582f2ea5a3c9d4cb2dbb06e3a36affac567c14b64dcb6f5d544d1d3367878eba34a4a6c5

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\sof-cnl.ri

    Filesize

    544KB

    MD5

    e66cd88bdce8aee6d55d493333a2db22

    SHA1

    06f27838d84d03542e56439a4193464f84a6213e

    SHA256

    d7fd6388946fffe83ac10a5449e58dd80cb21598149e4ef903cf26b3ad40f3e9

    SHA512

    974b5fae537b2a177bfe5769141cb5c1b4e67a67392e2f19ef00a9d033b8589532da4b8f8f2692e179a1b7fbf51c513cb557f2f6dae4d4045f6fb4897d37a9e8

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\sof-glk.ri

    Filesize

    312KB

    MD5

    1c991a6c34aa28f9af5cb9a7160e3992

    SHA1

    69bea4b579bcc5b92db79ff86056596c6debe801

    SHA256

    054c7abedf89b20adf195faa14ca31d8c964e360fb5d5f8d9ee8e4596227c330

    SHA512

    2115cc0beddae2eb2d77313135256ea0f460400c8471a7da5100aa9adb1d965629af10e2d69a34911e5086aa21109f953ec8e2fec3d51119f81b279e8a012e63

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\sof-jsl.ri

    Filesize

    416KB

    MD5

    a6752528fcabeed55b6c66d6a6632c6c

    SHA1

    758a2779e954c6844b63bf04280c57cb5eb7448a

    SHA256

    dffa244bd450225fc953422cb63e1a331f030fcd54022baabde6399457408926

    SHA512

    c7881e01b9adf79f7edd058915734c0ababe294287cd8694756b97da201d19e86de85bda6fc3db5da623220fd52eb208b7dc1427ac3be7ff28b20cbef1d7100d

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\sof-tgl.ri

    Filesize

    512KB

    MD5

    25a6b8c2201ac4da9fedb0bc2d06f487

    SHA1

    c133ae0329a67ca725d3b60630db897074699058

    SHA256

    e3489dcb277e87eee8bc091ab7d51163a63c85541c22522775122b54263769f3

    SHA512

    f388b6f620820715dd2890f83e5872322fb4594cf557dde8a55db4af9701cb575fefdd5034b16888168a737dc9c177e4f0bd5a8aaa09cd8876bf960e987ef2f5

  • \??\c:\PROGRA~1\CSAUDI~1\drivers\SKLHDA~1\sklhdaudbus.sys

    Filesize

    55KB

    MD5

    e1efa3f6114d47e0ec3964af7cfa8a12

    SHA1

    78baf560696faf22bda064b1a9357e6fce1f4c70

    SHA256

    a1d91ef290e3ba1e6301a3392a5c04ed2e75c6e1a9cf74ac42fe012fc303f762

    SHA512

    a4ac7d8a5f4ab3cb0750d8108015d1b9e363e7811824fccf890b5afb5000ae498abaa49ed172436cf773e97e198e0cee5bf05039aac82b71e6b203d94ed81d8f

  • \??\c:\program files\csaudiointcsof\drivers\csaudiointcsof\csaudiointcsof.cat

    Filesize

    16KB

    MD5

    c2799a0735f1511f63a17e3fc8561464

    SHA1

    f0ddbb0db3902b2942c0faca33afe5230a812a08

    SHA256

    592c82b8b6ca0dbd39572c45cde667b48cde3709f9585851815016b95999d628

    SHA512

    bb0f33eabe3e08ccc6ef75c06345721c6ff1b46fd709ae1d65fa7e41c14d91b1ad4910337b61e881d6c1a671d6b2072ed4bd6526cf3988fe9f379561d917271d

  • \??\c:\program files\csaudiointcsof\drivers\csaudiointcsof\csaudiointcsof.inf

    Filesize

    11KB

    MD5

    66a6e4d4d6621923a3fb4544ab7f07b9

    SHA1

    0da4e1f95713d51e4cf4523fdde4a573308f4938

    SHA256

    76f111f65cce4c23a5345c15487242ab171004ba745cc28d5d500ee3d6e63762

    SHA512

    90dfd4d63fb486e103a6591525432a0c7c98828ebc52c2787188cc171aba5525eea24346b17e99231f9a4061b00c7ad37a1d49c4091694afb9c9c28898283c8a

  • \??\c:\program files\csaudiointcsof\drivers\sklhdaudbus\sklhdaudbus.cat

    Filesize

    13KB

    MD5

    9b6f279454c21341e6bd3033921307f7

    SHA1

    5a686938d33893838c15feedf0ce61f85458e7a5

    SHA256

    5d78b7f328239669a8ef3632525efd91287af68a445db27fc13cb111f561b440

    SHA512

    933d451f63c1c3a9668d9e96602924e408dac2accb7b7c3ea31a2cb4a244038881135bd4309cbd0604761ae77bea6ba9d921167f624c75f4105c3d4c959c5ca3

  • \??\c:\program files\csaudiointcsof\drivers\sklhdaudbus\sklhdaudbus.inf

    Filesize

    3KB

    MD5

    79b5883efae94413ec7faecff62861e9

    SHA1

    a03a536da44147e0f3a0c347dc17919b8ea88b89

    SHA256

    818797e96ad303828f47decc00eae975373061c56042ccb8904b9379e5ec6f98

    SHA512

    9b3c2f9afbbf13a9b7776f02df2ca485bb209c2f1bb97423474120cf656b5a465af79335d6418be29be5273b92b63ce5b2fa09104500aba76e53b2508d554e0a

  • \Program Files\csaudiointcsof\drivers\dpinst.exe

    Filesize

    1016KB

    MD5

    4192a5b905374e423ec1e545599aa86e

    SHA1

    908c09de28bb3cc09601da5d4e1f44becc9df18f

    SHA256

    567f40a09f1d9e72396296ad194fa7cf48b72361d6e259d6b99da774c2cd8981

    SHA512

    33a3c8e6565fb88f5cc72cfaa553bb0ddb654a8721f356e542c0346468357d38913db03d5035bcf2c45254df1baf83cf3cded55c5d22d677379a4d648a65500a

  • \Users\Admin\AppData\Local\Temp\nsoAF63.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
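The dropped-file list is the reusable part of this report: the paths tell you where the installer writes (the `nsoAF63.tmp\System.dll` drop is the NSIS System plugin, so the outer installer is NSIS-built), and the hashes are what to sweep endpoints or a file share for. Two practical points: the sizes are rounded (156KB, 1016KB), so match on digests rather than size, and the `\??\c:\PROGRA~1\...` entries are NT-prefixed 8.3 short names that only the filesystem can expand. The following is an added example, not part of the sandbox report: it parses an excerpt of the list above into a hash table and matches file contents against it. The excerpt is copied from this page (three entries, SHA512 lines dropped), and the sample bytes are constructed.

```python
"""Added example, not part of the sandbox report: turn the dropped-file list
above into a hash table and match file contents against it. REPORT_EXCERPT is
copied from this page's Downloads section (three entries, SHA512 omitted);
the bytes fed to match() in the usage are constructed."""
import hashlib
from dataclasses import dataclass, field

REPORT_EXCERPT = r"""
  • \??\c:\PROGRA~1\CSAUDI~1\drivers\CSAUDI~1\csaudiointcsof.sys
    Filesize
    156KB
    MD5
    b29472b5ff4ddb9dbd675cb6e3130358
    SHA1
    4bcfb0070523f9c874770011fd6c22bbbf6d12f5
    SHA256
    9bdf7476354993fd90871d386020a00e68ecec8264fe75183e4311286e19c52a
  • \??\c:\PROGRA~1\CSAUDI~1\drivers\SKLHDA~1\sklhdaudbus.sys
    Filesize
    55KB
    MD5
    e1efa3f6114d47e0ec3964af7cfa8a12
    SHA1
    78baf560696faf22bda064b1a9357e6fce1f4c70
    SHA256
    a1d91ef290e3ba1e6301a3392a5c04ed2e75c6e1a9cf74ac42fe012fc303f762
  • \Program Files\csaudiointcsof\drivers\dpinst.exe
    Filesize
    1016KB
    MD5
    4192a5b905374e423ec1e545599aa86e
    SHA1
    908c09de28bb3cc09601da5d4e1f44becc9df18f
    SHA256
    567f40a09f1d9e72396296ad194fa7cf48b72361d6e259d6b99da774c2cd8981
"""


@dataclass
class DroppedFile:
    path: str
    size: str = ""                                   # as printed, rounded
    hashes: dict = field(default_factory=dict)       # algorithm -> lowercase hex


_LABELS = {"filesize": "size", "md5": "md5", "sha1": "sha1",
           "sha256": "sha256", "sha512": "sha512"}


def normalize_path(p: str) -> str:
    """Strip the NT \\??\\ prefix and lower-case. 8.3 short names (PROGRA~1)
    are kept as-is; they cannot be expanded without the target filesystem."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_dropped_files(text: str) -> list:
    """Parse the report's bullet/label/value layout into DroppedFile records."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append(DroppedFile(normalize_path(line[1:].strip())))
            pending = None
        elif line.lower() in _LABELS:
            pending = _LABELS[line.lower()]
        elif pending and entries:
            if pending == "size":
                entries[-1].size = line
            else:
                entries[-1].hashes[pending] = line.lower()
            pending = None
    return entries


def digests(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def index_by_hash(table) -> dict:
    """Flat hex-digest -> entry index across all algorithms, for log lookups."""
    return {h: e for e in table for h in e.hashes.values()}


def match(data: bytes, table):
    """Return the entry whose listed digests all agree with data, else None.
    Every algorithm the entry lists must agree; sizes are ignored because the
    report rounds them."""
    d = digests(data)
    for e in table:
        common = [a for a in e.hashes if a in d]
        if common and all(e.hashes[a] == d[a] for a in common):
            return e
    return None


if __name__ == "__main__":
    table = parse_dropped_files(REPORT_EXCERPT)
    for e in table:
        print(e.path, e.size, e.hashes["sha256"])
    print(match(b"constructed sample, not the driver", table))  # constructed input
```

`index_by_hash` is the shape you want when grepping EDR or proxy logs that carry a single digest of unknown algorithm; `match` is for files you actually have in hand. A FIPS-enforcing host may refuse `hashlib.new("md5")`, in which case drop md5 from `digests` and the SHA-1/SHA-256 comparisons still carry the match.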