Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 15:44
Behavioral task: behavioral1
- Sample: soundpad.exe
- Resource: win7-20240903-en
General
- Target: soundpad.exe
- Size: 110KB
- MD5: 3870690adc7c168e285a3c9b2c2b572a
- SHA1: eeb416a6b4f9d052544f6845a5ec93ad063e2ba1
- SHA256: cade54e2c8a16ec81171dcfd14e63d66cb81502625488b995197abd96e497058
- SHA512: 7aeebbea95f51cffb28d929d1f620a73873b96f3c3ece7448a50fed51f0fecff31e61b41b5e9ced58a9998eda83a30f08e1c0cd440b7eeb4c488e4b36bdc3df0
- SSDEEP: 1536:vKLmTn93wcPNoUb9h9eF3G0ZDurhWDlJY47qRIZU3upBn52158pqKmY7:vTL93toUb9KF3GIGAY4+CZU3k5215Xz
Malware Config
Extracted: asyncrat (Default)
- delay: 1
- install: true
- install_file: update.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/piJ4a3wb
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x000c000000023b9e-10.dat, yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check before the payload runs.
  Key value queried by soundpad.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  PID 3404 update.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 16 pastebin.com; flow 17 pastebin.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 1020 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1660 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 4120 soundpad.exe (all 23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4120 soundpad.exe; PID 3404 update.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  pid   Process        wrote to PID   procid_target   events
  4120  soundpad.exe   1048           83              2
  4120  soundpad.exe   2660           85              2
  2660  cmd.exe        1020           88              2
  1048  cmd.exe        1660           87              2
  2660  cmd.exe        3404           89              2
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 4120  C:\Users\Admin\AppData\Local\Temp\soundpad.exe
          "C:\Users\Admin\AppData\Local\Temp\soundpad.exe"
          - Checks computer location settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
  PID 1048  C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
            - Suspicious use of WriteProcessMemory
    PID 1660  C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
              - Scheduled Task/Job: Scheduled Task
  PID 2660  C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.bat""
            - Suspicious use of WriteProcessMemory
    PID 1020  C:\Windows\system32\timeout.exe
              timeout 3
              - Delays execution with timeout.exe
    PID 3404  C:\Users\Admin\AppData\Roaming\update.exe
              "C:\Users\Admin\AppData\Roaming\update.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
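The process tree above is the whole installation chain: the sample running from %Temp% spawns cmd.exe to register a logon task named "update" at the highest run level pointing at %AppData%\update.exe, and a second cmd.exe runs a dropped .bat that waits (timeout 3) and then launches the copy. The Python below is an added detection example written for this page; it is not part of the sandbox report or of AsyncRAT. The process-creation events are constructed from the PIDs and command lines shown above (parent PID 1000 for the sample and the benign "Backup" schtasks event are constructed controls), and the rule names are our own.

```python
"""Flag the AsyncRAT install chain (logon task into %AppData%, batch delay, dropped EXE)
from process-creation events. Events are constructed from this report's process tree."""
import re
from typing import Dict, List, Optional

# User-writable locations a scheduled task should rarely point into.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Pull the /tr target out of a schtasks command line, ignoring any mix of ' and " quoting.
TR_ARG = re.compile(r"/tr\s+['\"]*([^'\"]+)", re.IGNORECASE)

# Command line taken verbatim from the report's schtasks.exe process.
TASK_CMD = r"""schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'"""

# Constructed events (pid, ppid, image, cmdline) modelled on the report; the last entry is a
# constructed benign control (daily task into Program Files) that must not fire.
EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\soundpad.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\soundpad.exe"'},
    {"pid": 1048, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"},
    {"pid": 1660, "ppid": 1048, "image": r"C:\Windows\system32\schtasks.exe", "cmdline": TASK_CMD},
    {"pid": 2660, "ppid": 4120, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6AD.tmp.bat""'},
    {"pid": 1020, "ppid": 2660, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 3404, "ppid": 2660, "image": r"C:\Users\Admin\AppData\Roaming\update.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\update.exe"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]


def _image_is(ev: Dict, name: str) -> bool:
    return ev["image"].lower().endswith("\\" + name)


def flag_logon_task(ev: Dict) -> Optional[Dict]:
    """schtasks creating an ONLOGON task whose /tr target lives under a user's AppData."""
    cmd = ev["cmdline"].lower()
    if not _image_is(ev, "schtasks.exe") or "/create" not in cmd or "onlogon" not in cmd:
        return None
    m = TR_ARG.search(ev["cmdline"])
    target = m.group(1).strip() if m else ""
    if not USER_WRITABLE.search(target):
        return None
    return {"rule": "schtasks_onlogon_user_writable", "pid": ev["pid"], "target": target,
            "run_level_highest": "/rl highest" in cmd}


def flag_batch_delay_drop(ev: Dict, children: List[Dict]) -> Optional[Dict]:
    """cmd.exe running a .bat from %Temp% whose children include timeout.exe and an EXE under AppData."""
    cmd = ev["cmdline"].lower()
    if not _image_is(ev, "cmd.exe") or ".bat" not in cmd or not TEMP_DIR.search(ev["cmdline"]):
        return None
    delayed = any(_image_is(c, "timeout.exe") for c in children)
    dropped = [c for c in children
               if USER_WRITABLE.search(c["image"]) and c["image"].lower().endswith(".exe")]
    if not (delayed and dropped):
        return None
    return {"rule": "batch_delay_then_dropped_exe", "pid": ev["pid"],
            "dropped_pid": dropped[0]["pid"], "dropped_image": dropped[0]["image"]}


def detect(events: List[Dict]) -> List[Dict]:
    """Run all rules over a batch of events and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[Dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings: List[Dict] = []
    for e in events:
        for f in (flag_logon_task(e), flag_batch_delay_drop(e, children.get(e["pid"], []))):
            if f:
                findings.append(f)
        # A binary executing out of %Temp% that spawns cmd.exe is the root of both branches here.
        parent = by_pid.get(e["ppid"])
        if parent and TEMP_DIR.search(parent["image"]) and _image_is(e, "cmd.exe"):
            findings.append({"rule": "temp_binary_spawns_cmd", "pid": e["pid"], "parent_pid": parent["pid"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The schtasks rule keys on the ONLOGON trigger plus a target under AppData rather than on the task name, so renaming "update" does not evade it; the batch rule needs both the delay and the dropped EXE among the children, which keeps ordinary installer scripts that only call timeout quiet.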
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150B
  MD5: 513038490927ec02120e8fddd8204386
  SHA1: 2fc68237debdaa7e119a0b3ed3a67cee3eb1fe2c
  SHA256: 6791652d8901fb8fd17bf7f2e7a5f2d8c5dab1c2d58db126e6d15616dfca70ca
  SHA512: 9c43df0e7ee3696b71ea9f47afb80e5d33ff4520a4021266855f7e7240e0a1a6c36a1bc138e2e295785bc94cd17cfc888598d210a1679f497b892dc1957eccc3
- Filesize: 110KB (same size and hashes as the submitted soundpad.exe, i.e. a byte-identical copy of the sample)
  MD5: 3870690adc7c168e285a3c9b2c2b572a
  SHA1: eeb416a6b4f9d052544f6845a5ec93ad063e2ba1
  SHA256: cade54e2c8a16ec81171dcfd14e63d66cb81502625488b995197abd96e497058
  SHA512: 7aeebbea95f51cffb28d929d1f620a73873b96f3c3ece7448a50fed51f0fecff31e61b41b5e9ced58a9998eda83a30f08e1c0cd440b7eeb4c488e4b36bdc3df0