96121624b8e5bd7560c1f4e55ae28faf7f252bca250707ccda38391cb62e4040

Analysis

max time kernel
313s
max time network
317s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

texstudio-4.7.3-win-qt6.exe
Size

137.5MB
MD5

868a99d73b47ab722921ea371b53399b
SHA1

76a288e302aa5c5a6798c6a9f8b1fdc206da91d1
SHA256

96121624b8e5bd7560c1f4e55ae28faf7f252bca250707ccda38391cb62e4040
SHA512

328a9cdd4ea8fc5ec606227ea2fc09d026790b64c749c6d26509349eb834e2182697822224530ad577d465f9af1385e8946429e8b885353d06b926a0d131f12d
SSDEEP

3145728:AGsNbXJBNC/+kwWT9cki21DqLSCM06qTqS85xZqSH:RsN9BNbpWTOmySCASUeSH

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1724	texstudio-4.7.3-win-qt6.exe
1724	texstudio-4.7.3-win-qt6.exe
1724	texstudio-4.7.3-win-qt6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\Adobe-Japan1-2	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\libsharpyuv-0.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qt_help_ja.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-CNS1\HKscs-B5-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\UniJISPro-UTF8-V	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-CNS1\B5-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\Adobe-Japan1-90pv-RKSJ	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cidToUnicode\Adobe-Japan1	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\en_EN-EnglishUnitedKingdom.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\alignCols.svg	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\es_AR-SpanishArgentina.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\Qt6Network.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\word.svg	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\unicodeMap\KOI8-R	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\es_ES.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Korea1\Adobe-Korea1-H-Mac	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qtmultimedia_ru.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\completer_env.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\ltg_LTG-Latgalian.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qtmultimedia_uk.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\template_Moderncv.json	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_static\file.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\es_CO-SpanishColombia.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qtbase_en.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\template_Article.json	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\completer_filename.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\Hojo-EUC-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Korea1\UCS2-KSCpc-EUC	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\lt_LT-Lithuanian.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\texstudio_ca.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\down.svg	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\findUsage.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\getting_started.html	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Korea1\UniKS-UTF8-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cidToUnicode\Adobe-GB1	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\la_LA-Latin.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\doc18.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\en_GB.stopWords	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\libcrypto-3-x64.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qt_ru.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\template_Prosper.tex	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\spelling_error.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\thesaurus.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\unicodeMap\GBK	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\lb_LB-Luxembourgish.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\pt_PT-Portuguese.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-CNS1\UniCNS-UTF8-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\nb_NB-NorwegianBokmal.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\es_PR-SpanishPuertoRico.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\libopenjp2-7.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\tabletemplate_fullyframed_firstBold.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\tlh_LATN-KlingonLatin.dic	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\libidn2-0.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qtmultimedia_bg.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\tabletemplate_plain_tabularx.js	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\78ms-RKSJ-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qt_help_bg.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\tls\qopensslbackend.dll	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\sv_SV-Swedish.aff	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\translations\qt_help_ru.qm	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\templates\template_Article.tex	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\help\_images\wizard_tabbing.png	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\share\poppler\cMap\Adobe-Japan1\UniHojo-UTF16-H	texstudio-4.7.3-win-qt6.exe
File created	C:\Program Files\texstudio\dictionaries\lt_LT-Lithuanian.aff	texstudio-4.7.3-win-qt6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\DefaultIcon	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\ = "open"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\open\command\ = "\"C:\\Program Files\\texstudio\\texstudio.exe\" \"%1\""	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\ = "tex File"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\edit\command	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\ = "txs Session File"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tex	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tex\ = "tex File"	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\edit\ = "Edit tex File"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txss	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\edit\ = "Edit txs Session File"	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\edit\command\ = "\"C:\\Program Files\\texstudio\\texstudio.exe\" \"%1\""	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\DefaultIcon	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\open\command	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\DefaultIcon\ = "C:\\Program Files\\texstudio\\texstudio.exe,0"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\edit\command	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\open	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\open\command\ = "\"C:\\Program Files\\texstudio\\texstudio.exe\" \"%1\""	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\edit	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\edit	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell\edit\command\ = "\"C:\\Program Files\\texstudio\\texstudio.exe\" \"%1\""	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\shell	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tex File\DefaultIcon\ = "C:\\Program Files\\texstudio\\texstudio.exe,0"	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txss\ = "txs Session File"	texstudio-4.7.3-win-qt6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\ = "open"	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\open\command	texstudio-4.7.3-win-qt6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txs Session File\shell\open	texstudio-4.7.3-win-qt6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	texstudio-4.7.3-win-qt6.exe

C:\Users\Admin\AppData\Local\Temp\texstudio-4.7.3-win-qt6.exe
"C:\Users\Admin\AppData\Local\Temp\texstudio-4.7.3-win-qt6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\texstudio\dictionaries\es_CU-SpanishCuba.aff

Filesize
162KB

MD5
2c3165ee3fa3df590e81da76a28613ca

SHA1
e49999e6499ed9be1efed21f726bcc9d65e48c57

SHA256
bd3b3e63648d7522700fb729edae14b56f1b1f0b88cbc76350b89f12ab50ba7b

SHA512
42a0523baf405a1fe6bd0b84c7fe5466767149ae4b3e12a71786d6567f4e0ffb6bee742433670a13176442413b0d2b78549c72374f71b4529ce48a436ea8a848

Download Submit
\Users\Admin\AppData\Local\Temp\nsy228F.tmp\System.dll

Filesize
26KB

MD5
d6f185c5bb8b9d6ee47908be05135e4b

SHA1
135bb033c5c63d69d193d36447b036157f12cd09

SHA256
19d826cfdbdeb27fccecfbcfecc4f1bdce9f01df509f46b9ba1674f095d62659

SHA512
16addd64cd38a9e222e1d4b344d0d25e2a1c363116f3f1f77cf76db9b93ca0487f65bc82c601ccf3edc623f2ebbb929d5cda3e61ffa1f3f5a04d34a219ee36dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy228F.tmp\nsDialogs.dll

Filesize
14KB

MD5
2a95e9a70be1d165a1d8b8d79da1e2c7

SHA1
bf2209d255448a73a7ca5414043e631e99f5989b

SHA256
3f19ce87dc3fd1540104352afb61a9f3f816a164a184eed43742efeadec445cf

SHA512
779862fd67f6e6d161b47551a6129b5b390caab20407043d8f94890a4895f6544ae19bf40359451b3ec5ffc176b4816655d8474610c3d70f57c78bc35168c066

Download Submit
memory/1724-7-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-8-0x000007FEFB300000-0x000007FEFB30D000-memory.dmp

Filesize
52KB

Download
memory/1724-62-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-64-0x000007FEFB1B0000-0x000007FEFB1BF000-memory.dmp

Filesize
60KB

Download
memory/1724-63-0x000007FEFB300000-0x000007FEFB30D000-memory.dmp

Filesize
52KB

Download
memory/1724-991-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-1007-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download