73f5eee95f0d5250f5d2f7a29702700537ebe6c08861d4ddfefc09d485f0f65e

Reason

Machine shutdown

General

Target

MAGIX VEGAS Pro v21.0 patch.exe
Size

4.6MB
MD5

4a027f5b895f161a0d0e26f8ec6f31a7
SHA1

2d8aa07828c92d4d9d85fc62ba82f0fe0bb5a789
SHA256

73f5eee95f0d5250f5d2f7a29702700537ebe6c08861d4ddfefc09d485f0f65e
SHA512

9b12840d6f2f9a277e7edded5830daf70713ea3f90ddf324bece98616d716400dc0247a47dc9d016fb02f9803fb0a2e2853f4a56e752b13a704132d4acfa23cb
SSDEEP

98304:0kLEAGg00ojGjm4EC/qQb4zldELsSqr7jkie3t:DEzg7AGUqqXHPjze3t

Score

9^/10

persistence

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001ac21-22.dat	Nirsoft

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	MAGIX VEGAS Pro v21.0 patch.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable = "1"	MAGIX VEGAS Pro v21.0 patch.tmp

Executes dropped EXE 11 IoCs

pid	Process
4448	MAGIX VEGAS Pro v21.0 patch.tmp
3480	nircmd.exe
3068	nircmd.exe
3332	nircmd.exe
5092	nircmd.exe
1872	nircmd.exe
4828	nircmd.exe
4812	nircmd.exe
4512	nircmd.exe
4916	nircmd.exe
720	nircmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4448	MAGIX VEGAS Pro v21.0 patch.tmp

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\VEGAS\VEGAS Pro 21.0\vegas210.exe.local\is-4KUB1.tmp	MAGIX VEGAS Pro v21.0 patch.tmp
File opened for modification	C:\Program Files\VEGAS\VEGAS Pro 21.0\Protein\Protein_x64.4.2.dll	MAGIX VEGAS Pro v21.0 patch.tmp
File opened for modification	C:\Program Files\VEGAS\VEGAS Pro 21.0\vegas210.exe.local\wintrust.dll	MAGIX VEGAS Pro v21.0 patch.tmp
File opened for modification	C:\Program Files\VEGAS\VEGAS Pro 21.0\vegas210.exe.local	MAGIX VEGAS Pro v21.0 patch.tmp
File created	C:\Program Files\VEGAS\VEGAS Pro 21.0\Protein\is-4MBOT.tmp	MAGIX VEGAS Pro v21.0 patch.tmp

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4448	MAGIX VEGAS Pro v21.0 patch.tmp
4448	MAGIX VEGAS Pro v21.0 patch.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3876	MAGIX VEGAS Pro v21.0 patch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4448	MAGIX VEGAS Pro v21.0 patch.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1080	LogonUI.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4448	3876	MAGIX VEGAS Pro v21.0 patch.exe	73
PID 3876 wrote to memory of 4448	3876	MAGIX VEGAS Pro v21.0 patch.exe	73
PID 3876 wrote to memory of 4448	3876	MAGIX VEGAS Pro v21.0 patch.exe	73
PID 4448 wrote to memory of 2708	4448	MAGIX VEGAS Pro v21.0 patch.tmp	74
PID 4448 wrote to memory of 2708	4448	MAGIX VEGAS Pro v21.0 patch.tmp	74
PID 2708 wrote to memory of 3480	2708	cmd.exe	76
PID 2708 wrote to memory of 3480	2708	cmd.exe	76
PID 2708 wrote to memory of 3068	2708	cmd.exe	77
PID 2708 wrote to memory of 3068	2708	cmd.exe	77
PID 2708 wrote to memory of 3332	2708	cmd.exe	78
PID 2708 wrote to memory of 3332	2708	cmd.exe	78
PID 2708 wrote to memory of 5092	2708	cmd.exe	79
PID 2708 wrote to memory of 5092	2708	cmd.exe	79
PID 2708 wrote to memory of 1872	2708	cmd.exe	80
PID 2708 wrote to memory of 1872	2708	cmd.exe	80
PID 2708 wrote to memory of 4828	2708	cmd.exe	81
PID 2708 wrote to memory of 4828	2708	cmd.exe	81
PID 2708 wrote to memory of 4812	2708	cmd.exe	82
PID 2708 wrote to memory of 4812	2708	cmd.exe	82
PID 2708 wrote to memory of 4512	2708	cmd.exe	83
PID 2708 wrote to memory of 4512	2708	cmd.exe	83
PID 2708 wrote to memory of 4916	2708	cmd.exe	84
PID 2708 wrote to memory of 4916	2708	cmd.exe	84
PID 2708 wrote to memory of 720	2708	cmd.exe	85
PID 2708 wrote to memory of 720	2708	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v21.0 patch.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v21.0 patch.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\is-JTNHA.tmp\MAGIX VEGAS Pro v21.0 patch.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JTNHA.tmp\MAGIX VEGAS Pro v21.0 patch.tmp" /SL5="$5022A,4018567,1141760,C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v21.0 patch.exe"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_21\installation.ini" "Serial" "string" "P3-64979-27462-07906-32757-21318-38872"
      4⤵
      Executes dropped EXE
      PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_21\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
      4⤵
      Executes dropped EXE
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_21\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
      4⤵
      Executes dropped EXE
      PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_21\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
      4⤵
      Executes dropped EXE
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_21\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
      4⤵
      Executes dropped EXE
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-77020-98979-63411-51090-66867-08191"
      4⤵
      Executes dropped EXE
      PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
      4⤵
      Executes dropped EXE
      PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
      4⤵
      Executes dropped EXE
      PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
      4⤵
      Executes dropped EXE
      PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe
      nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
      4⤵
      Executes dropped EXE
      PID:720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af3855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.cmd

Filesize
1KB

MD5
e153c13ea7e1ef949a96e82f8e8b8cd8

SHA1
c0ae954eaa465daad882dc1c85ce1b55bb40ad3c

SHA256
2589c520e0e088fb5813d187b46be8a4e28ffbdf138faa4fcaffaa09d3c86268

SHA512
2ae5d7fcb89ad1d25d6444635b43fc36be529779962a52bf6ad40f0dd6b445e58e20ecc5bf472c01002a5a938ca076f431c221ee23557d2903f7bed8f107c803

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\nircmd.exe

Filesize
114KB

MD5
b417238213efb0d2a23562674406cdf9

SHA1
04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

SHA256
5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

SHA512
881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTNHA.tmp\MAGIX VEGAS Pro v21.0 patch.tmp

Filesize
3.3MB

MD5
90f19922d1ac82552f5e95036ea90ccb

SHA1
94ef714ab9c01d20371142d34cef56b7886138cd

SHA256
fca2fada59c1a0d1cd30c2023933036af4d3247b1bc0449d439be2d53771fd94

SHA512
39ee8a7e9f534807c1ee06fa0f145ef23990cb278f45a0fc22f71f474c7394540ce4040fa59ced9a0336e2f4fe0bb7603067208d15bc9f9bef1ec45f1adc316e

Download Submit
\Users\Admin\AppData\Local\Temp\is-30PNU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/3876-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3876-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3876-46-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4448-6-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/4448-44-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads