17f33fc2948678135831c58f5179572c04537f61f96ae0a6f4858c2264f288ae

Analysis

max time kernel
167s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAGIX.Vegas.Pro.v16.0.307.exe
Size

176.2MB
MD5

960c561779bf473de4ca03e7d7b1bf7e
SHA1

93bbb1078ec75f1c49fb5020948cc955a4ae65d1
SHA256

17f33fc2948678135831c58f5179572c04537f61f96ae0a6f4858c2264f288ae
SHA512

3f4d2ddfc869c26d8e5ba8ec8ba5524ee6e38ed95c7a2b61779758e446fa95df011b16efd1526b6e9f6d61fe144fad3d9d3a812fd1020f6d9abe529eaed4f8a7
SSDEEP

3145728:uI97T0J38xFNuZ3s/9gEbuDjYFoGR9MYcJlXmpT5WWBrlOL0JPJjnyh:nAJRZ8/CYM3lXm/RBZA4Jj0

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e29-37.dat	acprotect
behavioral2/memory/2524-39-0x0000000074110000-0x0000000074119000-memory.dmp	acprotect
behavioral2/memory/2524-48-0x0000000074110000-0x0000000074119000-memory.dmp	acprotect

Loads dropped DLL 6 IoCs

pid	Process
2524	MAGIX.Vegas.Pro.v16.0.307.exe
2524	MAGIX.Vegas.Pro.v16.0.307.exe
2524	MAGIX.Vegas.Pro.v16.0.307.exe
2524	MAGIX.Vegas.Pro.v16.0.307.exe
2524	MAGIX.Vegas.Pro.v16.0.307.exe
2524	MAGIX.Vegas.Pro.v16.0.307.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e29-37.dat	upx
behavioral2/memory/2524-39-0x0000000074110000-0x0000000074119000-memory.dmp	upx
behavioral2/memory/2524-48-0x0000000074110000-0x0000000074119000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3452	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	taskmgr.exe
Token: SeSystemProfilePrivilege	3452	taskmgr.exe
Token: SeCreateGlobalPrivilege	3452	taskmgr.exe
Token: SeSecurityPrivilege	2524	MAGIX.Vegas.Pro.v16.0.307.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe
3452	taskmgr.exe

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3452

C:\Users\Admin\AppData\Local\Temp\MAGIX.Vegas.Pro.v16.0.307.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIX.Vegas.Pro.v16.0.307.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MVP16\Program Files\VEGAS\Shared Plug-Ins\Help Files\mchammer_x64_esp.chm

Filesize
11KB

MD5
174a41bafb43045e170b4419c3f518cb

SHA1
69150c318384d2109b286f5c195abee5212a7830

SHA256
b3fa12b21aa606ad6b8fe57141a081c675acf9ff078349859eb7eaf20cea7792

SHA512
e3f1db1bcd21c2aadf0fc805ab63223a296e77d076b72d32764f154c15cd67744b5194be096d8701199ea0b12ccf8edd1e72b358cc93538297227a8c4a560acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\Aero.dll

Filesize
6KB

MD5
869c5949a10b32d3a31966cc5291301b

SHA1
329080c974d593ecdefd02afa38dd663a10331c4

SHA256
b19961de6ca07e08704d6372718542f70dbbb203e59bf9bbe3a58f6e069a625c

SHA512
3b9dde16e9ca803b1048243dbf29c717ac0472dffa764542c234318a960828834aa650b1dfb8bba66c4e7a9ce3aaf453829afc57dfb33dc8c311d203150d4fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\LangDLL.dll

Filesize
5KB

MD5
a1cd3f159ef78d9ace162f067b544fd9

SHA1
72671fdf4bfeeb99b392685bf01081b4a0b3ae66

SHA256
47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6

SHA512
ccc70166c7d7746cd42cd0cec322b2adf4a478ff67c35d465f0f0f5b2b369c996a95557b678c09cb21b8311d8a91eed4196ddc218ea7d510f81464669b911362

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\newadvsplash.dll

Filesize
8KB

MD5
55a723e125afbc9b3a41d46f41749068

SHA1
01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

SHA256
0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

SHA512
559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\nsis7z.dll

Filesize
391KB

MD5
c6a070b3e68b292bb0efc9b26e85e9cc

SHA1
5a922b96eda6595a68fd0a9051236162ff2e2ada

SHA256
66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

SHA512
8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB65C.tmp\repackme.gif

Filesize
6KB

MD5
23d3840adb8f4f1efc083a1f7e640191

SHA1
adf0c7daa49637767b2abe2f390d1da4780eea9c

SHA256
82a1454402156d74f4f23c992d5d772b665546208eff44790871b8dcb36d2304

SHA512
7743a17141581ffa8023097678bf2eaf6db7d337af45052d00caba74f21f13e7ffa95097b629c3a28a3366eda873afdce240344adfdf7c0ef662a0ba0fe6db25

Download Submit
memory/2524-39-0x0000000074110000-0x0000000074119000-memory.dmp

Filesize
36KB

Download
memory/2524-48-0x0000000074110000-0x0000000074119000-memory.dmp

Filesize
36KB

Download
memory/3452-12-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-11-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-10-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-8-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-9-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-6-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-0-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-7-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-2-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download
memory/3452-1-0x00000169C12B0000-0x00000169C12B1000-memory.dmp

Filesize
4KB

Download