785109a02929721c9c6b550f87377bffced9d6d3db38b4989324f36fc213bf95

Analysis

max time kernel
115s
max time network
159s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/06/2023, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fl_patch_installer_20_6_2.exe
Size

81.1MB
MD5

0f7678a0bdf9e87662102f6ae7afc58e
SHA1

a206cd1542a3df31eda742ed776f178ed7eff450
SHA256

785109a02929721c9c6b550f87377bffced9d6d3db38b4989324f36fc213bf95
SHA512

a24bcea62ad1ca799875d65c6492200ab110eb1675c672f96afc01f4a30b51790b9efdddf8307b354ba86fed316ae7003acddf1d5cf1720562391e629076ab04
SSDEEP

1572864:p72B/p+5jpkwObyhNP+7VuY9ml1UFBSq709w+GQ0IL:NE0jpkwOb8NPbPCFBSW6LbL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2496	fl_patch_installer_20_6_2.tmp

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\G:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\Q:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\S:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\W:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\X:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\Y:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\B:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\K:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\M:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\N:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\T:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\U:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\I:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\R:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\P:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\V:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\A:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\F:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\H:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\J:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\L:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\O:	fl_patch_installer_20_6_2.tmp
File opened (read-only)	\??\Z:	fl_patch_installer_20_6_2.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Gross Beat\Gross Beat.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Newtime\Newtime_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DrumSynth Live\Fruity DrumSynth Live_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp\Wasp.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmless\is-HVRH9.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DrumSynth Live\Fruity DrumSynth Live.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmless\Harmless_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Slicex\Slicex.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp XT\is-TG0V4.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\FLEngine.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Transient Processor\Transient Processor.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Synthesizer\Sytrus.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmless\Harmless.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-VO7GA.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-94A4U.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity Soundfont Player\is-DCSLP.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Sytrus\is-NJSTP.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Transistor Bass\is-HU662.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Vocodex.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Vocodex_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Slicex\Slicex_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Transistor Bass\is-0LMSO.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity Soundfont Player\Fruity Soundfont Player.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Newtone\Newtone.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Newtone\Newtone_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmor\Harmor.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\SimSynth\SimSynth_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Edison\is-PCJ2I.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Newtime\is-Q4P35.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Transient Processor\is-HAD2S.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmor\is-L72PL.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\SimSynth\is-VMLS0.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp XT\is-5JIPU.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity Video Player\Fruity Video Player_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp XT\Wasp XT.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\is-FO62Q.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Newtone\is-CTDUS.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Synthesizer\is-K613C.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity DX10\is-6VB4R.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity Video Player\is-5HPO7.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Ogun\Ogun.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Ogun\Ogun_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp\Wasp_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Sytrus\Sytrus.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\is-6PFU1.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\_FLEngine.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Maximus\Maximus_x64.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\SimSynth\SimSynth.dll	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Generators\Harmor\Harmor_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Maximus\is-UEBI3.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Synthesizer\Sytrus_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Gross Beat\is-K5IAE.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\is-1VSAH.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Effects\Vocodex\Synthesizer\is-7632Q.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Fruity Soundfont Player\is-LB3TF.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\_FLEngine_x64.dll	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\is-08E30.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\SimSynth\is-83QPU.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Sytrus\is-NUKEI.tmp	fl_patch_installer_20_6_2.tmp
File created	C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp\is-5KUGD.tmp	fl_patch_installer_20_6_2.tmp
File opened for modification	C:\Program Files (x86)\Plugins\Fruity\Effects\Maximus\Maximus.dll	fl_patch_installer_20_6_2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2496	fl_patch_installer_20_6_2.tmp
2496	fl_patch_installer_20_6_2.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	fl_patch_installer_20_6_2.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	fl_patch_installer_20_6_2.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2496	2288	fl_patch_installer_20_6_2.exe	66
PID 2288 wrote to memory of 2496	2288	fl_patch_installer_20_6_2.exe	66
PID 2288 wrote to memory of 2496	2288	fl_patch_installer_20_6_2.exe	66

C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_6_2.exe
"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_6_2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\is-AQO6E.tmp\fl_patch_installer_20_6_2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AQO6E.tmp\fl_patch_installer_20_6_2.tmp" /SL5="$8004E,84654853,125440,C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_6_2.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Plugins\Fruity\Generators\Wasp XT\is-TG0V4.tmp

Filesize
3.4MB

MD5
8e641790c883e6ea791875d627653499

SHA1
c4e76c3c8b3db60e1c17e1eb2b35fc03c39c868e

SHA256
2e25e6ca2229cf09f3e22fb883f725b5e870410ea922f43cd7d0a75040a0bf0d

SHA512
212d81a9787b45542871d9a0eaaa54e5c8484c634f840ba726940f240bbbffbba04bb36d45689a37c051d15304f6b3426a7de14a49f1c16b111b07f8ad810e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AQO6E.tmp\fl_patch_installer_20_6_2.tmp

Filesize
1.1MB

MD5
006c402fd22016b5a5a1c2180ca5ccc9

SHA1
dc8dae24ef11181d145c8d9f6f245f3b67a3e1d0

SHA256
5b246db2dfc1a5d000b0662e2a58e1cb9f89fdc87945597ec1e1f2f245fd7898

SHA512
caea20f48421f7918c9ead0316decba60460c74ff878666e0a48ae1e5b2eb41a37b03c1a59bc3aa416990e49cae155e19894461c28c225f4f9b42e184db289b1

Download Submit
memory/2288-121-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-236-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2288-128-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2496-134-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-130-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2496-136-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-144-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-214-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-129-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-234-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-127-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download