Analysis
Max time kernel: 149s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 23-12-2024 15:44

Behavioral task: behavioral1
Sample: soundpad.exe
Resource: win7-20240903-en
General
Target: soundpad.exe
Size: 110KB
MD5: 3870690adc7c168e285a3c9b2c2b572a
SHA1: eeb416a6b4f9d052544f6845a5ec93ad063e2ba1
SHA256: cade54e2c8a16ec81171dcfd14e63d66cb81502625488b995197abd96e497058
SHA512: 7aeebbea95f51cffb28d929d1f620a73873b96f3c3ece7448a50fed51f0fecff31e61b41b5e9ced58a9998eda83a30f08e1c0cd440b7eeb4c488e4b36bdc3df0
SSDEEP: 1536:vKLmTn93wcPNoUb9h9eF3G0ZDurhWDlJY47qRIZU3upBn52158pqKmY7:vTL93toUb9KF3GIGAY4+CZU3k5215Xz
Malware Config
Extracted family: asyncrat
Config name: Default
delay: 1
install: true
install_file: update.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/piJ4a3wb
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource                                      yara_rule
  behavioral1/files/0x0004000000004ed7-15.dat   family_asyncrat
- Executes dropped EXE (1 IoC)
  pid   Process
  2596  update.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     pastebin.com
  5     pastebin.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2832  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2732  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2844  soundpad.exe
  2844  soundpad.exe
  2844  soundpad.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2844  soundpad.exe
  Token: SeDebugPrivilege   2596  update.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                    pid   Process       procid_target
  PID 2844 wrote to memory of 2288   2844  soundpad.exe  32
  PID 2844 wrote to memory of 2288   2844  soundpad.exe  32
  PID 2844 wrote to memory of 2288   2844  soundpad.exe  32
  PID 2844 wrote to memory of 2820   2844  soundpad.exe  34
  PID 2844 wrote to memory of 2820   2844  soundpad.exe  34
  PID 2844 wrote to memory of 2820   2844  soundpad.exe  34
  PID 2288 wrote to memory of 2732   2288  cmd.exe       36
  PID 2288 wrote to memory of 2732   2288  cmd.exe       36
  PID 2288 wrote to memory of 2732   2288  cmd.exe       36
  PID 2820 wrote to memory of 2832   2820  cmd.exe       37
  PID 2820 wrote to memory of 2832   2820  cmd.exe       37
  PID 2820 wrote to memory of 2832   2820  cmd.exe       37
  PID 2820 wrote to memory of 2596   2820  cmd.exe       38
  PID 2820 wrote to memory of 2596   2820  cmd.exe       38
  PID 2820 wrote to memory of 2596   2820  cmd.exe       38
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\soundpad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\soundpad.exe"
    PID: 2844
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
        PID: 2288
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
            PID: 2732
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp.bat""
        PID: 2820
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            PID: 2832
            - Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\update.exe
            Command line: "C:\Users\Admin\AppData\Roaming\update.exe"
            PID: 2596
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 150B
MD5: 8d56b76ed7a7a0d421732c577f334120
SHA1: 4c52a951f82caac3727c18806dd158f5d8ffbfbf
SHA256: 1fe77dba2c43695a7282cacc9b13aa8b35e66b67df81a25df60d94b6b94165a6
SHA512: 34f30d95b4173426f076f71615adbfac119e31657c3dc8921436e28945d0bc131e534d89ed5bbe532e6f48c0a03cd8f2c914fd5d76dc46a71fb131cb23deb749

Filesize: 110KB
MD5: 3870690adc7c168e285a3c9b2c2b572a
SHA1: eeb416a6b4f9d052544f6845a5ec93ad063e2ba1
SHA256: cade54e2c8a16ec81171dcfd14e63d66cb81502625488b995197abd96e497058
SHA512: 7aeebbea95f51cffb28d929d1f620a73873b96f3c3ece7448a50fed51f0fecff31e61b41b5e9ced58a9998eda83a30f08e1c0cd440b7eeb4c488e4b36bdc3df0