91f57e31b6042e5546dbf21502cbfe6e7e203b91ed9b7d6bed354afcfc30013d

Analysis

max time kernel
481s
max time network
506s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2023, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
Size

573.0MB
MD5

a885c7648d8852f353a4ea3b20ea7f98
SHA1

ab975fc6e185b782f6023e55f3080626401c1a75
SHA256

91f57e31b6042e5546dbf21502cbfe6e7e203b91ed9b7d6bed354afcfc30013d
SHA512

3b30819e931e49bafa12812dd43f2a16f5ed7c909e606f961fe2ed364826c17c52ddef5ce204c3d3149524f9ace2a44efc1aa4471176f0c2ebd52f4c2877857e
SSDEEP

12582912:oOh9Kk23DOzMLgx/XFkt9nhUX4sxs2K53K2Cm/Fi2DPScaXy:oOh9v23DAB/XFwhYxs2w3KTm/Fi2+caC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	VEGAS_Pro_20_setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\N:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\P:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\Q:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\T:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\V:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\B:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\G:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\O:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\S:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\U:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\Z:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\A:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\J:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\L:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\R:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\X:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\Y:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\H:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\F:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\K:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\M:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\W:	VEGAS_Pro_20_setup.exe
File opened (read-only)	\??\E:	VEGAS_Pro_20_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{B88D31BC-9019-446C-9DD7-02CF59B157FD}	VEGAS_Pro_20_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B88D31BC-9019-446C-9DD7-02CF59B157FD}\ID = "5156E4EC1D184BBFAC5DE0F36858C818"	VEGAS_Pro_20_setup.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4476	msiexec.exe
Token: SeCreateTokenPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeAssignPrimaryTokenPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeLockMemoryPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeIncreaseQuotaPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeMachineAccountPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeTcbPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeSecurityPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeTakeOwnershipPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeLoadDriverPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeSystemProfilePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeSystemtimePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeProfSingleProcessPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeIncBasePriorityPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeCreatePagefilePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeCreatePermanentPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeBackupPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeRestorePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeShutdownPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeDebugPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeAuditPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeSystemEnvironmentPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeChangeNotifyPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeRemoteShutdownPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeUndockPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeSyncAgentPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeEnableDelegationPrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeManageVolumePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeImpersonatePrivilege	1344	VEGAS_Pro_20_setup.exe
Token: SeCreateGlobalPrivilege	1344	VEGAS_Pro_20_setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
1344	VEGAS_Pro_20_setup.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
1344	VEGAS_Pro_20_setup.exe
1344	VEGAS_Pro_20_setup.exe
1344	VEGAS_Pro_20_setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1344	2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe	88
PID 2192 wrote to memory of 1344	2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe	88
PID 2192 wrote to memory of 1344	2192	VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe	88

C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe
"C:\Users\Admin\AppData\Local\Temp\VEGAS_Pro_20.0.0.139_DE-EN-FR-ES.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup.exe" -m C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\SetupValues.dat
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\addon\WebView2\MicrosoftEdgeWebView2RuntimeInstallerX64.exe

Filesize
116.7MB

MD5
9eb3d6612f840bc508c55b715c5bd4ff

SHA1
40182a36d003d636d33ace168d6b62e29412ac3a

SHA256
f7a3fc30ee3bc14fa4bf60c216832da5ddd46852638b117d9937d310c8abe22c

SHA512
847c3825187304ee37924a14faea52c7ce423835f5d9fc72d8874e55068b12fbd416ac154ebb376225c10c1c398f5318aca78e44db7ea4c84705fbc905407477

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\addon\vcredist2013_12.0.40664\vcredist_x64.exe

Filesize
6.9MB

MD5
49b1164f8e95ec6409ea83cdb352d8da

SHA1
1194e6bf4153fa88f20b2a70ac15bc359ada4ee2

SHA256
a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c

SHA512
29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\addon\vcredist2013_12.0.40664\vcredist_x86.exe

Filesize
6.2MB

MD5
38a1b890ce847167d16567cf7b7a5642

SHA1
0f5d66bcaf120f2d3f340e448a268fe4bbf7709d

SHA256
53b605d1100ab0a88b867447bbf9274b5938125024ba01f5105a9e178a3dcdbd

SHA512
907a9aac75f4f241a85ecb94690f74f5818eea0b2241d9ef6d4bf171f17da0f4bc702e2bb90c04f194592fcc61df5c250508d16b886ed837a74b9f45da9627cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_SetupInfo.ini

Filesize
1KB

MD5
0f9b272995d5a4006119977e95fb2686

SHA1
b7f626600d693c1cf05cdf8cc00cc6fd5c412098

SHA256
b500fa16098cba0b9a60340834185c5d1c3b60528d1ef86b262785e37d727e11

SHA512
e4fdfac2f0c5ce1e90167bea82931590c99a73974bf6cfba6bfea4d56b919e2a47be158b458d90686c7a6badffbd2777b43c7492b092b71729551d6bbca664b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_SetupRes.mxres

Filesize
2.3MB

MD5
106dc03b6e83113c84709cbd7fef4f2c

SHA1
1e4d1d835f82557ca17f1f5016eb525f42429514

SHA256
eb1e26006d02c6ee5f49b8f321f84bb9aaf167169a298f4b306539bbd85a3254

SHA512
55c135e7f22d479d383a592154125e217631a377e64426bd1c119b86f2bd3f9034723daa19af0012eaefff1b9369725a73ba932399057663672eca59080662a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_en-US.mst

Filesize
48KB

MD5
a39462cb32fabbed15189cc0275cbf00

SHA1
ef209f952e0653b4a1a65827becffa9dd45b1b1a

SHA256
5e6e353911f45d829ca31b70f1d763730f1e8216785aa87e1ac57f9c9c23f2cd

SHA512
f8ac2f8556f3ea0d97f6bdd4c80c3c04d9474c0e36e80ec00b416ea688e253a1b206749d4ad58f6b584313388b9a5c9631e4015fb0feb4fda8c51e62524f33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup.exe

Filesize
4.6MB

MD5
917717e087557e261275260f84a3b276

SHA1
d087843ed032c2ebf87cd82cc76b3b8ccaba2d57

SHA256
6a562ea680d7300a582d8ddf204342a6bf332a2cf883f43668ce0bd4a3315346

SHA512
ddacad901355a3f3acefd1c4cf28de7799500d1cd512f5f9f1ef087e20d17c2b83d27926ed346a7607bafc55e7f81890e73ee7e502f1bdc38e1f44016fd9a2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup.exe

Filesize
4.6MB

MD5
917717e087557e261275260f84a3b276

SHA1
d087843ed032c2ebf87cd82cc76b3b8ccaba2d57

SHA256
6a562ea680d7300a582d8ddf204342a6bf332a2cf883f43668ce0bd4a3315346

SHA512
ddacad901355a3f3acefd1c4cf28de7799500d1cd512f5f9f1ef087e20d17c2b83d27926ed346a7607bafc55e7f81890e73ee7e502f1bdc38e1f44016fd9a2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup.xml

Filesize
5KB

MD5
165d5e68beedc583873611ecf592c4bd

SHA1
fa8dcd59626bdde8f0304ce6ec09567057f18ef3

SHA256
9c017fab68cdcaf3dfa8e27bc4d330a40e5e90d9faf8bdb26762adec0075b485

SHA512
11b8017a7d98a9c94dcb67c23ad3b7930995744029209cf976be043780c60eee4e1c1ff756a67bc16c634e62b1609ba774a436638d36c5896d10c957c5389e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgxzg53c5nv\product\VEGAS_Pro_20_setup_x64.ms_

Filesize
2.8MB

MD5
b8c935669d29c9471636f2abdefc2b29

SHA1
49b85eabed1bda1e2d45633d674c30109d6f798a

SHA256
6a6f786ce2d44bce9ffc0622855e45f024a745ba194c08190dbbe5ed8427eb1b

SHA512
5657599417a38d635b6b5f55ad2f11ddaaeb7ff9deb6e66029b2a825471de0fbf1c529c2bac75e35200d750250a58f246cff09a6ec63bc56a2215a9db9cd48a3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads