99b8aec8ba4e9b5aa6743d25870ee3f5a3c802940b1f77eb50dd2f3931890c3c

Analysis

max time kernel
40s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/01/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FL Studio 20.8.4.2576 Setup.exe
Size

982.0MB
MD5

2498bd6b962e3eb708cb8826a42ac0cc
SHA1

ac648200c24a614b1ae242f3326a96f3c7e53b57
SHA256

99b8aec8ba4e9b5aa6743d25870ee3f5a3c802940b1f77eb50dd2f3931890c3c
SHA512

9eef26ee768e140b272ba75268e5d4065f1c0c62221107e9c8e8ecdd00eeee01d8833293d3895888bc967945422cf0e155643e5af31caf7f45552c5de86096b5
SSDEEP

25165824:eKk3ALjdjnhakD3gzEwYKyGUSeJxNIgalPDNGcE:elIVhaLzEwYKyGZeJxNMlrNDE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1968	FL Studio Setup.exe
2016	flstudio_win_20.8.4.2576.exe

Loads dropped DLL 5 IoCs

pid	Process
908	FL Studio 20.8.4.2576 Setup.exe
908	FL Studio 20.8.4.2576 Setup.exe
908	FL Studio 20.8.4.2576 Setup.exe
1968	FL Studio Setup.exe
1968	FL Studio Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 908 wrote to memory of 1968	908	FL Studio 20.8.4.2576 Setup.exe	27
PID 1968 wrote to memory of 2016	1968	FL Studio Setup.exe	28
PID 1968 wrote to memory of 2016	1968	FL Studio Setup.exe	28
PID 1968 wrote to memory of 2016	1968	FL Studio Setup.exe	28
PID 1968 wrote to memory of 2016	1968	FL Studio Setup.exe	28

C:\Users\Admin\AppData\Local\Temp\FL Studio 20.8.4.2576 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\FL Studio 20.8.4.2576 Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe
    3⤵
    - Executes dropped EXE
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
592KB

MD5
f983dbf98f58c9e13e1e5ff89f72288b

SHA1
6fa128b473c9cc9904b0480ed84fd611e86cd9b4

SHA256
2ac730ee2e3be5b932979bafd0159a56f568ff896f19661ac7cc47844f606f9f

SHA512
954651bf6712473c94aa0d129731a4ad7172f5ba81af67ceb23d70ea9b310755174ce6bcef0cd813313729c7b189edb28b8b07acd37dba3f28a30e29ced0216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
592KB

MD5
f983dbf98f58c9e13e1e5ff89f72288b

SHA1
6fa128b473c9cc9904b0480ed84fd611e86cd9b4

SHA256
2ac730ee2e3be5b932979bafd0159a56f568ff896f19661ac7cc47844f606f9f

SHA512
954651bf6712473c94aa0d129731a4ad7172f5ba81af67ceb23d70ea9b310755174ce6bcef0cd813313729c7b189edb28b8b07acd37dba3f28a30e29ced0216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe

Filesize
628.7MB

MD5
fccf6bf6458569e577f31ac8575589fc

SHA1
5f4b5fc153b4b4aa1f3f223b4ddfed2e12695b7b

SHA256
a1f8720c4fc361e377f6a9a1528f914ea06a1843c42ce0d6abb08208f399b92b

SHA512
10963ee8bf37e3c18e5ab4deb929ba6a0a70efb1ec11ae8163f885b08823935bc4b47fa5154cd63f34a00db4dc8b69dc6a445da8ab1c753c71ef67cf448969de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe

Filesize
633.8MB

MD5
4bbe55bf16deed4abd8b9cdac91d83d5

SHA1
ba6306d75a35975a41a065b82033ff3fc3e8a84b

SHA256
f396d4618248e1355de853a9ed462137ae6099771f40dac6b5e24473550812ec

SHA512
1e957566c55456a0edfc1f7eae4c133bfb9405e0ae2ea8d1135f876e062ddc44bdfe39c8a75ab32c25999dfca8eeeec0ccaa9d7b5f7fc1a7c1d0ecfd01ca54b8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
592KB

MD5
f983dbf98f58c9e13e1e5ff89f72288b

SHA1
6fa128b473c9cc9904b0480ed84fd611e86cd9b4

SHA256
2ac730ee2e3be5b932979bafd0159a56f568ff896f19661ac7cc47844f606f9f

SHA512
954651bf6712473c94aa0d129731a4ad7172f5ba81af67ceb23d70ea9b310755174ce6bcef0cd813313729c7b189edb28b8b07acd37dba3f28a30e29ced0216d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
592KB

MD5
f983dbf98f58c9e13e1e5ff89f72288b

SHA1
6fa128b473c9cc9904b0480ed84fd611e86cd9b4

SHA256
2ac730ee2e3be5b932979bafd0159a56f568ff896f19661ac7cc47844f606f9f

SHA512
954651bf6712473c94aa0d129731a4ad7172f5ba81af67ceb23d70ea9b310755174ce6bcef0cd813313729c7b189edb28b8b07acd37dba3f28a30e29ced0216d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL Studio Setup.exe

Filesize
592KB

MD5
f983dbf98f58c9e13e1e5ff89f72288b

SHA1
6fa128b473c9cc9904b0480ed84fd611e86cd9b4

SHA256
2ac730ee2e3be5b932979bafd0159a56f568ff896f19661ac7cc47844f606f9f

SHA512
954651bf6712473c94aa0d129731a4ad7172f5ba81af67ceb23d70ea9b310755174ce6bcef0cd813313729c7b189edb28b8b07acd37dba3f28a30e29ced0216d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\flstudio_win_20.8.4.2576.exe

Filesize
628.1MB

MD5
67ce2ad3729b7fb84327e508ad1875c9

SHA1
05e2565db9efa39041f5ec47be026bc9bbc76f1c

SHA256
20600377d73eab7492088f6f17c7b977a408160244c01934a248686050f1ac71

SHA512
edd72fba299873dec7a6df4d74b4c753964b01312029974369c880c2b1c9c5eff13d062e2eac0f6ae7a9c5acbd42b066137e3ec88e1a50809fcbf482c870181b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjBF3C.tmp\System.dll

Filesize
31KB

MD5
7a489d160d2495f4c19440ad71f736fc

SHA1
84b76d4dd8eea133a04b2617db7918392b1d8740

SHA256
bdbb8fb7286986260ecea91a3e7dde82a2ac3f56b9f4c445c43458fdef9d689f

SHA512
d3fb8c4076952f3241d638006647f924271028ea00c0cbe33784906a53f870ee0b7c30243b1217ef67eea81ca410542e866f80bf904ef50fa31f2323e97ee5b1

Download Submit
memory/908-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download