88aadf26c5a6ef8b874d4c0e7ac5250aed2ab2491ee3f3ab0de850cd151f9f5b

General

Target

vocaloid4_4.2.1_setup.exe
Size

49.9MB
MD5

9fa0daa963c93a185fcd38056f1697cf
SHA1

a7eb2b5144f09020e0a526394f52fc20133f4c1f
SHA256

88aadf26c5a6ef8b874d4c0e7ac5250aed2ab2491ee3f3ab0de850cd151f9f5b
SHA512

3e6b8c4581c58c12e71733571186bcc6f0ec078f75d9b5d0b52a69996765b1f6e772f17e0d86052b844953200c7d44fe87567a66aa12bbeb5df364177fe83db7
SSDEEP

786432:THq33j8RcOkoGNrRjJnlF40K+mRLiuRcRWOFZ3N/rSckcVdg+Dp7ZcFz+t:rq3T8iboGNVjJn76rcJVbVLFust

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

vocaloid4_4.2.1_setup.tmp

pid process

4564 vocaloid4_4.2.1_setup.tmp

Loads dropped DLL 5 IoCs

Processes:

vocaloid4_4.2.1_setup.tmp

pid	process
4564	vocaloid4_4.2.1_setup.tmp
4564	vocaloid4_4.2.1_setup.tmp
4564	vocaloid4_4.2.1_setup.tmp
4564	vocaloid4_4.2.1_setup.tmp
4564	vocaloid4_4.2.1_setup.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll	upx
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll	upx
behavioral2/memory/4564-146-0x0000000006860000-0x0000000006891000-memory.dmp	upx
behavioral2/memory/4564-147-0x0000000006860000-0x0000000006891000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vocaloid4_4.2.1_setup.tmp

pid process

4564 vocaloid4_4.2.1_setup.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 728 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 728 AUDIODG.EXE

description	pid	process
Token: 33	728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	728	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

vocaloid4_4.2.1_setup.exe

description	pid	process	target process
PID 4316 wrote to memory of 4564	4316	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 4316 wrote to memory of 4564	4316	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp
PID 4316 wrote to memory of 4564	4316	vocaloid4_4.2.1_setup.exe	vocaloid4_4.2.1_setup.tmp

C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe
"C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\is-OBSUB.tmp\vocaloid4_4.2.1_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OBSUB.tmp\vocaloid4_4.2.1_setup.tmp" /SL5="$701C6,52056677,56832,C:\Users\Admin\AppData\Local\Temp\vocaloid4_4.2.1_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:4564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\bass.dll
Filesize
91KB

MD5
26295a0baf87955f2e37735af135ca45

SHA1
97f468d3ebaca4774ce69f6f55c998b93a912540

SHA256
0bd42c13dd0a5c881e80f161f7548b093c4fd99a747c13568af983e2c76cd71a

SHA512
6760c5fe3621b1d9c84a5c974c28d796cfba83dba4ff0e9f9eb0ed19cb47a6fc6a1322f58193eb4d638e214f7e61e9543f6f9235c2be8888bcd075fa7650b20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll
Filesize
34KB

MD5
09974eaff6defadde38b1328754dbe09

SHA1
001cfb5514444188e455b97acc369f037079ca9d

SHA256
9eeef28d82fc4db7d1269dfbc0ea282768ce5e2e4e4bdc867d80d6847468dca7

SHA512
da29b01ebebb454c004420c6b29bb8dca9fb50554a7a5db30035a5ec458d766049bf5502f708bf7eb210a4f9cbdb308cc0c8dcdad9f745b01a9e4f1455bbc846

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1NHGO.tmp\isgsg.dll
Filesize
34KB

MD5
09974eaff6defadde38b1328754dbe09

SHA1
001cfb5514444188e455b97acc369f037079ca9d

SHA256
9eeef28d82fc4db7d1269dfbc0ea282768ce5e2e4e4bdc867d80d6847468dca7

SHA512
da29b01ebebb454c004420c6b29bb8dca9fb50554a7a5db30035a5ec458d766049bf5502f708bf7eb210a4f9cbdb308cc0c8dcdad9f745b01a9e4f1455bbc846

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBSUB.tmp\vocaloid4_4.2.1_setup.tmp
Filesize
692KB

MD5
9862c8171b748884c7749dd6a67da175

SHA1
0524efae9f5dbdde283d43b9e5e1ccb90f75c2c6

SHA256
5a972731e0bdac7422e0bf6dcee6a5cd763b065bb2a661420e468ac078b1f5b7

SHA512
a0733d42029673ecb07ece32380ec33eeeb38103626ef385afea1d9c09d691e2c8b2101fcc87dbd363eae1fc8990cd7a1956077a7f2d3724e5fee6599372aefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBSUB.tmp\vocaloid4_4.2.1_setup.tmp
Filesize
692KB

MD5
9862c8171b748884c7749dd6a67da175

SHA1
0524efae9f5dbdde283d43b9e5e1ccb90f75c2c6

SHA256
5a972731e0bdac7422e0bf6dcee6a5cd763b065bb2a661420e468ac078b1f5b7

SHA512
a0733d42029673ecb07ece32380ec33eeeb38103626ef385afea1d9c09d691e2c8b2101fcc87dbd363eae1fc8990cd7a1956077a7f2d3724e5fee6599372aefc

Download Submit
memory/4316-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4316-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4316-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4564-134-0x0000000000000000-mapping.dmp

Download
memory/4564-145-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/4564-146-0x0000000006860000-0x0000000006891000-memory.dmp

Filesize
196KB

Download
memory/4564-147-0x0000000006860000-0x0000000006891000-memory.dmp

Filesize
196KB

Download
memory/4564-149-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads