916cd6dd10842970093444307954f2512c6b07b6e7023a2833d0e061cb8e6e20

Analysis

max time kernel
15s
max time network
18s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/03/2023, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plugin Alliance - Kiive Xtressor v1.0.1.exe
Size

42.3MB
MD5

5901cc02a785a5c3e68a4de13cc9d066
SHA1

e38ce48ef057875c803775a9cc39fba9e3c5960b
SHA256

916cd6dd10842970093444307954f2512c6b07b6e7023a2833d0e061cb8e6e20
SHA512

c675718a050ee92650d8594294b8f8925a4d4097d8a101efa009a0e9860142358a250ec76fac9f2ab773fc4d1750fb1d9657599722d56db42cb7b1301f89981f
SSDEEP

786432:+GSJ76kW5N0y+lluy90DjjWYI3z9iIRPgfUz7laJuxEu7XOyr0cn:6J2kqN0y+n90DjjW3D9iIVY+7luuxffZ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4012	Plugin Alliance - Kiive Xtressor v1.0.1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Plugin Alliance Kiive Xtressor\unins000.dat	Plugin Alliance - Kiive Xtressor v1.0.1.tmp
File created	C:\Program Files\Plugin Alliance Kiive Xtressor\unins000.dat	Plugin Alliance - Kiive Xtressor v1.0.1.tmp
File created	C:\Program Files\Plugin Alliance Kiive Xtressor\is-RB0UE.tmp	Plugin Alliance - Kiive Xtressor v1.0.1.tmp
File created	C:\Program Files\Common Files\VST3\is-IVRH5.tmp	Plugin Alliance - Kiive Xtressor v1.0.1.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Xtressor.aaxplugin\Contents\x64\is-J3VR1.tmp	Plugin Alliance - Kiive Xtressor v1.0.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4012	Plugin Alliance - Kiive Xtressor v1.0.1.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4012	4296	Plugin Alliance - Kiive Xtressor v1.0.1.exe	66
PID 4296 wrote to memory of 4012	4296	Plugin Alliance - Kiive Xtressor v1.0.1.exe	66
PID 4296 wrote to memory of 4012	4296	Plugin Alliance - Kiive Xtressor v1.0.1.exe	66

C:\Users\Admin\AppData\Local\Temp\Plugin Alliance - Kiive Xtressor v1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\Plugin Alliance - Kiive Xtressor v1.0.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\is-BU9FA.tmp\Plugin Alliance - Kiive Xtressor v1.0.1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BU9FA.tmp\Plugin Alliance - Kiive Xtressor v1.0.1.tmp" /SL5="$80072,43210131,1187328,C:\Users\Admin\AppData\Local\Temp\Plugin Alliance - Kiive Xtressor v1.0.1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BU9FA.tmp\Plugin Alliance - Kiive Xtressor v1.0.1.tmp

Filesize
3.4MB

MD5
dcca502525ea9107611e7bc8e8847906

SHA1
c4e5bd0334c3425ef6952cca1d199722914669b6

SHA256
67fee0e2e154bb4198175b8a833611548760762082547a979dcc7e70eb2d433e

SHA512
fcd060bdb3d234850a7dda720e81c616ff42e93fb35615748dd99a66e3b0bfa8a623373bfc0aeb43b020d5fa3e9ab97ff15a2c6f29a55b41f275383ce0101a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BU9FA.tmp\Plugin Alliance - Kiive Xtressor v1.0.1.tmp

Filesize
3.4MB

MD5
dcca502525ea9107611e7bc8e8847906

SHA1
c4e5bd0334c3425ef6952cca1d199722914669b6

SHA256
67fee0e2e154bb4198175b8a833611548760762082547a979dcc7e70eb2d433e

SHA512
fcd060bdb3d234850a7dda720e81c616ff42e93fb35615748dd99a66e3b0bfa8a623373bfc0aeb43b020d5fa3e9ab97ff15a2c6f29a55b41f275383ce0101a71

Download Submit
memory/4012-122-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4012-127-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4012-137-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4296-116-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4296-126-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4296-138-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download