General
-
Target
Soundpad.exe
-
Size
10.9MB
-
Sample
241211-v9df7sspct
-
MD5
0ae4f60d72e0d1c159505500b8a08ebb
-
SHA1
bb352dafd3c3ebebb4414b799010fe5ebddbef44
-
SHA256
ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379
-
SHA512
88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536
-
SSDEEP
196608:fDRlger67uOemwy1LR/XU3gmsRM0wWM+wC89ooEvu:UerSwAVE3XsRMiJpsf
Malware Config
Targets
-
-
Target
Soundpad.exe
-
Size
10.9MB
-
MD5
0ae4f60d72e0d1c159505500b8a08ebb
-
SHA1
bb352dafd3c3ebebb4414b799010fe5ebddbef44
-
SHA256
ed3371229647ef876b45cb5940e48b461df58d4e68ad4932f5877eba90c8d379
-
SHA512
88495911df544a04a4e09828ae10b57d3d945c41d6e28964c2d4d077afa43fec1c82a8ff6dcce57a3c7b9e5d02d1e47f800f557b022866f5f7be4a2db9b07536
-
SSDEEP
196608:fDRlger67uOemwy1LR/XU3gmsRM0wWM+wC89ooEvu:UerSwAVE3XsRMiJpsf
Score10/10-
Modifies WinLogon for persistence
-
UAC bypass
-
Disables RegEdit via registry modification
-
A potential corporate email address has been identified in the URL: [email protected]
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Detected potential entity reuse from brand MICROSOFT.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3