635f993a2d060d7c0ddc34db5c4301912ed17358113213f6cadbcc09eba3c9ec

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe
Size

9.5MB
MD5

18b2f30c6a31484de65fda1fa3f69419
SHA1

94d2da9d29c38e4e45e26f107eaa75981d7c582b
SHA256

635f993a2d060d7c0ddc34db5c4301912ed17358113213f6cadbcc09eba3c9ec
SHA512

5bba69f39fb996170b18813d082ca8cd16463050b6149e3e4cc36f614acafbb39ffe5e117eeb9e8502a197ca318534670a8809132f2d6edf2fabdb4337669342
SSDEEP

196608:Q5gw5Coaw/nh5Go9xgbq4Dr0Vhprt9FYJTrB9uIzu:W8oaYnbIb1D4Vhprt88x

Score

9^/10

Malware Config

Signatures

Nirsoft 10 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022f7d-142.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-144.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-146.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-148.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-150.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-152.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-154.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-156.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-158.dat	Nirsoft
behavioral2/files/0x0007000000022f7d-160.dat	Nirsoft

Executes dropped EXE 11 IoCs

pid	Process
2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp
2220	nircmd.exe
4560	nircmd.exe
1644	nircmd.exe
308	nircmd.exe
32	nircmd.exe
112	nircmd.exe
2348	nircmd.exe
1524	nircmd.exe
3924	nircmd.exe
4872	nircmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{29460C4E-9A71-44D0-A717-69483CC86B23}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0831BB1B-4ABE-42C0-A3D2-4FD6A15FD440}.catalogItem	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VEGAS\VEGAS Pro 15.0\vegas150.exe	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp
File opened for modification	C:\Program Files\VEGAS\VEGAS Pro 15.0\Protein\Protein_x64.3.16.dll	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp
2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2380	1544	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe	75
PID 1544 wrote to memory of 2380	1544	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe	75
PID 1544 wrote to memory of 2380	1544	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe	75
PID 2380 wrote to memory of 688	2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp	85
PID 2380 wrote to memory of 688	2380	ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp	85
PID 688 wrote to memory of 2220	688	cmd.exe	87
PID 688 wrote to memory of 2220	688	cmd.exe	87
PID 688 wrote to memory of 4560	688	cmd.exe	88
PID 688 wrote to memory of 4560	688	cmd.exe	88
PID 688 wrote to memory of 1644	688	cmd.exe	89
PID 688 wrote to memory of 1644	688	cmd.exe	89
PID 688 wrote to memory of 308	688	cmd.exe	90
PID 688 wrote to memory of 308	688	cmd.exe	90
PID 688 wrote to memory of 32	688	cmd.exe	91
PID 688 wrote to memory of 32	688	cmd.exe	91
PID 688 wrote to memory of 112	688	cmd.exe	92
PID 688 wrote to memory of 112	688	cmd.exe	92
PID 688 wrote to memory of 2348	688	cmd.exe	93
PID 688 wrote to memory of 2348	688	cmd.exe	93
PID 688 wrote to memory of 1524	688	cmd.exe	94
PID 688 wrote to memory of 1524	688	cmd.exe	94
PID 688 wrote to memory of 3924	688	cmd.exe	95
PID 688 wrote to memory of 3924	688	cmd.exe	95
PID 688 wrote to memory of 4872	688	cmd.exe	96
PID 688 wrote to memory of 4872	688	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe
"C:\Users\Admin\AppData\Local\Temp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\is-KDBO5.tmp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KDBO5.tmp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp" /SL5="$F0062,9484847,477184,C:\Users\Admin\AppData\Local\Temp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_15\installation.ini" "Serial" "string" "P3-53391-69016-06314-74411-56680-45497"
      4⤵
      Executes dropped EXE
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_15\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
      4⤵
      Executes dropped EXE
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_15\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
      4⤵
      Executes dropped EXE
      PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_15\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
      4⤵
      Executes dropped EXE
      PID:308
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_15\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
      4⤵
      Executes dropped EXE
      PID:32
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-58806-10061-19148-13327-93646-07528"
      4⤵
      Executes dropped EXE
      PID:112
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
      4⤵
      Executes dropped EXE
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
      4⤵
      Executes dropped EXE
      PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
      4⤵
      Executes dropped EXE
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
      4⤵
      Executes dropped EXE
      PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.cmd

Filesize
1KB

MD5
cedbe24f85d979a10b7ffa6523b072ba

SHA1
55188cfdbac8e47a602a60caf7d833697793dd5a

SHA256
176a29af8753b2b743e4edf4ad90c38e62683cf0186b892074d6815922be5f4f

SHA512
9f0fb6efd440f113d82cf7bd3f7f672ee066e13668de20440ffce4dc15aad1a2264f99bebf945adf0d02e80a369a161b8dbd6824d8ab256d9f067a94a4d49d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN25I.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KDBO5.tmp\ACTIVADOR OFICIAL 2018 by Hausky Tutoriales.tmp

Filesize
1.5MB

MD5
0e2a6c24234dd8241d6305e1f69a0de0

SHA1
de1a764ff5fc23de24b6b62b8e46db301d3e06e6

SHA256
c9f5ad9b0c94a8727ec0af81f246a9d7505be85aacede83a59685edbd12cfd06

SHA512
fc58d6097032dfac9ae48e5ee0158858303c10d55850a5bfd6e033875f9fa42e3df8c082d52a4c61227c26aad676493d6d6264844453cc8e7a4bccf811f5f945

Download Submit
memory/1544-136-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1544-138-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1544-132-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1544-161-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download