c94d5307c3da0a385386d30f34c7d55c6c889e9d5ad1f31f805ae2826f4fd9e2

General

Target

MAGIX Vegas Pro 13 Build 545 (64Bit).zip
Size

391.8MB
MD5

8a1d863868b6ea962d6286e8a743f90c
SHA1

309d5275b54bf636de9c4b1e62dee1d31617c021
SHA256

c94d5307c3da0a385386d30f34c7d55c6c889e9d5ad1f31f805ae2826f4fd9e2
SHA512

7ca6a0f0959e484e9880ca712eb2731a506ee15729cdea3dfd44183821803d307f4916f259e8c6df966bf2ff09bd8373bba7119df4d1c517cca66106dc9251b2
SSDEEP

6291456:j9WnCmY4BheqP5r2irquWgPHiH0Y6J7ZXfmyEyzCXBg:ACxSeqPR2oqEHQbQ7VpCS

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	Setup.exe
4268	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3272	7zFM.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3272	7zFM.exe
Token: 35	3272	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4268	Setup.exe
4268	Setup.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\MAGIX Vegas Pro 13 Build 545 (64Bit).zip"
1⤵
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4560

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\AppData\Local\Temp\Temp1_MAGIX Vegas Pro 13 Build 545 (64Bit).zip\MAGIX Vegas Pro 13 Build 545 (64Bit)\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MAGIX Vegas Pro 13 Build 545 (64Bit).zip\MAGIX Vegas Pro 13 Build 545 (64Bit)\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:424

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1396

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2964

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNetworkAdapter {dac2bfaa-e48a-42ac-8dcd-4a846478edab} disable
1⤵
PID:3288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\autorun.dat

Filesize
20B

MD5
5d388501abf64a0c9a9b8168ff9586b8

SHA1
53a00c9da0d8cb10c8cd815c56cec6e8ab97b706

SHA256
016d7ee408c08c1b7c787ca29b84298b902187ca544c3c2ebca461bf4c3cda85

SHA512
faa3a0164529974223bb6af58625dcb168cf5b7f63ef365cd89081eb2a00a6c83232849ad435bc7707878009520919bdfaa686fb3d81b1b237dc1506354b1df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\inst_banner.bmp

Filesize
210KB

MD5
397cdb87c21d20c0569724b6ed74667f

SHA1
c7a039d061c7df3b51ab64c7949d05cbb943a950

SHA256
12bc60f27fea4cf9ad03d62da3767d0e7ec7ba8819e568c10bab7037e84bc7ab

SHA512
a16f1623f1dda9318492aa829746c5cbee030066542b7babbf8d797fd450eeb51cf1038ecb895045d88ecdb3a9d76482bd5ffd8f49b92f97c5f855d9bad860e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\request.ini

Filesize
151B

MD5
fa9ff3978ffde13fec5f6cb8298e750f

SHA1
b7f9a156ad1c5ba3802e7b6e9d12575bb89530ad

SHA256
83b31db9d0fb7204373e94e64de5a0442bc951e8071ede45bbe3b548977adeb6

SHA512
de2a2a6d30d3cb3cdfcb57883c564a015ce5b784d1895f5fe0034e3b241b4a9f71a2d3492611dd31fd118c052f4190ed3e3f8cc59e606ab012e56a6aa6d1b6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\sonyinstall_x64.dll

Filesize
3.0MB

MD5
280a5f90dab0b55865b3f8a7ccbc2946

SHA1
9cf0000ed84a547410096953f00bc325f9f1e0f8

SHA256
4468e985dbc13b4518c8f5fb472ca6f461bf9bb42a552c007e3600af0290c6f3

SHA512
e48826372bf224d158de8e460d71dd976e2e1ffd9a477a96efce4b15f2d245b81319e9dd282b3438d8af1d54a94ffd5671dd8f480c9f952396cdcbed0b778a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\vegas.ico

Filesize
53KB

MD5
8dfa60eedc94efaa39570d80276183b7

SHA1
5632837d633b75a15538752b710cf1fec0ccfeb7

SHA256
62810bd9490b8898b97614da038c23dfe3dc0b4f4034af1a45853850c1a6ffdc

SHA512
fce3862c56dd89ca9acb55e6ae918e2391f7222461fcf87df393f7208f7e539c1140d713160503c3d53d9335b5dc6b8bd876388bc2eab0b726d1721f4a7d43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\vegas130.msi

Filesize
924KB

MD5
b67d1178bfb16f771defdaa2256c2d09

SHA1
c91554e825aaa20dc1a204a5e02135e8edf6bc31

SHA256
40ed205dbcee43f037c3ec8d9a2e6d9111ac7e1b560ff564a67d1fc9c65f6564

SHA512
cfeb49c5defe2c27db2e653319be9773aec74b0a7d19c43d2367c6f39c7f6f84196c7398c78adae0b9beafdd7affd59e31b03bc6d5cd84fa6673e1732f4c27b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SonyInstall_1\vegas130.udat

Filesize
604KB

MD5
e34227582523dd5d6450d2a48e742d79

SHA1
0e7ad3795405d5eb2122fde5f0fc66ce74e1c855

SHA256
883986d00df7669a1d573a76317f036521232b0ad80a1b5f9cefbbda788f8932

SHA512
cf1ae9fa909655e7a639e382006cefd35ed29805cfdc92d48beec484794f79933313f6c7b13070bb9300e5c7829a63266048b5fdeaf84cf27ea27640f673531c

Download Submit

Analysis

Sharing