Analysis
-
max time kernel
187s -
max time network
242s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
29-11-2022 19:00
General
-
Target
MAGIX Vegas Pro 20 build 214 [vacban.wtf]/Setup.exe
-
Size
574.9MB
-
MD5
059274e07bbf83ec5b5d4f1d957681eb
-
SHA1
b0dd598c4dd719ccfc80d769becf5d0589a74eaa
-
SHA256
e3e504169f03591d5ac617e027c124549f9073a2c357c64cac92cb2b83639145
-
SHA512
3e6b5305eca533809dac53be730c8f525bf28c54aa4e17d151272f05efa4da03172a700f932a2510ea0c349b822136ae8ad76ed47c621e4b0f34e4394616da43
-
SSDEEP
12582912:jDMbxgS/TLHSky47LmxRPF/ELbsnW4sxs2K53K2Cm/Fi2DPScaXm:jDyxgS/HXyGLmxRh4s+xs2w3KTm/Fi2T
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MAGIX Vegas Pro 20 build 214 [vacban.wtf]\Setup.exe"C:\Users\Admin\AppData\Local\Temp\MAGIX Vegas Pro 20 build 214 [vacban.wtf]\Setup.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b6a46b1d3e0b44ecb15f5461f3996b19 /t 3056 /p 30321⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4780-116-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-117-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-118-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-119-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-120-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-121-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-122-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-123-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-124-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-125-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-126-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-127-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-128-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-129-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-130-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-131-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-132-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-133-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-134-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-135-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-136-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-137-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-138-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-139-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-140-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-141-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-142-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-143-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-144-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-145-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-146-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-147-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-148-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-150-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-151-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-152-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-154-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-153-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-149-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-155-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-156-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-157-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-158-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-159-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-160-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-161-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-162-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-164-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-163-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-165-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-166-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-167-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-168-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-169-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-170-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-171-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-172-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-173-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-174-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-175-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-176-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB
-
memory/4780-177-0x0000000077C40000-0x0000000077DCE000-memory.dmpFilesize
1.6MB