640a39669277a32fca4ebc639493a81aa5bdfdbd09587b48d59a6fcce65f1700

Analysis

max time kernel
142s
max time network
61s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FL_Studio_21.2.3_Build_4004.exe
Size

987.8MB
MD5

69a586f5beb04b717624879e01104ec2
SHA1

7d779dc7713fda36250817ef776ffb2c468fb142
SHA256

640a39669277a32fca4ebc639493a81aa5bdfdbd09587b48d59a6fcce65f1700
SHA512

b93d63681a1b35f0e1494b7c9217b4ee3c690db8383d524d289554e0a2a1d0a8b7fd21a68c6a65de6f01c823d3bb233b72836dd2f7d0f1a6f94e4953896bac06
SSDEEP

25165824:ZuQ6hGbitDF718x3unBPnEDXxrQSLP41V4sVvqXMu4HvwS:H3bitDFxKXx8SLodgMx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2572	FL.Studio.exe
1432	flstudio_win64_21.2.3.4004.exe

Loads dropped DLL 26 IoCs

pid	Process
2512	FL_Studio_21.2.3_Build_4004.exe
2512	FL_Studio_21.2.3_Build_4004.exe
2512	FL_Studio_21.2.3_Build_4004.exe
2512	FL_Studio_21.2.3_Build_4004.exe
2572	FL.Studio.exe
2572	FL.Studio.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe
1432	flstudio_win64_21.2.3.4004.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Image-Line\FL Studio 21\AudioRestore.dll	flstudio_win64_21.2.3.4004.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 21\AudioRestore.dll	flstudio_win64_21.2.3.4004.exe
File created	C:\Program Files\Image-Line\FL Studio 21\FL64 (scaled).exe	flstudio_win64_21.2.3.4004.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 21\FL64 (scaled).exe	flstudio_win64_21.2.3.4004.exe
File created	C:\Program Files\Image-Line\FL Studio 21\FLEngine_x64.dll	flstudio_win64_21.2.3.4004.exe
File created	C:\Program Files\Image-Line\FL Studio 21\ChromaAppInfo.xml	flstudio_win64_21.2.3.4004.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 21\ChromaAppInfo.xml	flstudio_win64_21.2.3.4004.exe
File created	C:\Program Files\Image-Line\FL Studio 21\FL64.exe	flstudio_win64_21.2.3.4004.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 21\FL64.exe	flstudio_win64_21.2.3.4004.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2512	FL_Studio_21.2.3_Build_4004.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2572	2512	FL_Studio_21.2.3_Build_4004.exe	30
PID 2512 wrote to memory of 2572	2512	FL_Studio_21.2.3_Build_4004.exe	30
PID 2512 wrote to memory of 2572	2512	FL_Studio_21.2.3_Build_4004.exe	30
PID 2512 wrote to memory of 2572	2512	FL_Studio_21.2.3_Build_4004.exe	30
PID 2572 wrote to memory of 1432	2572	FL.Studio.exe	31
PID 2572 wrote to memory of 1432	2572	FL.Studio.exe	31
PID 2572 wrote to memory of 1432	2572	FL.Studio.exe	31
PID 2572 wrote to memory of 1432	2572	FL.Studio.exe	31

C:\Users\Admin\AppData\Local\Temp\FL_Studio_21.2.3_Build_4004.exe
"C:\Users\Admin\AppData\Local\Temp\FL_Studio_21.2.3_Build_4004.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\flstudio_win64_21.2.3.4004.exe
    C:\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\flstudio_win64_21.2.3.4004.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
81.1MB

MD5
1a938792687f5ad846a0074c8a82bcc1

SHA1
67235ba2b6e548738d8e52416c0bd553dc9e26ef

SHA256
3503a6d18406f6a2e8992f3d823213f5a987943f32cd5304ddefd2c4787bc637

SHA512
6285c10dd4a755b0b8883c6392a7ab661d7d38f8c55c3f7121df06930708f912934c98bcd4fbf056eaf3b085d4a3298075a81bfa756b82b6053104d35a180275

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
82.8MB

MD5
c92b79eb3238b09d06f0a18ec217e267

SHA1
1b84ae51aac8670e0d90fa5143868968bae0b451

SHA256
e43226c243eafb74294d634ff484a6727c7d0a27a249f454bcde01308499fc05

SHA512
e6e881bf4791dbda75a86775e489e6b33c2e1688f1a50cdc0cf489478abbc0a7138a1943873009fa25460466efa13c39946fc9db89b755159f6ff399a006f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
83.1MB

MD5
c679994f1e437bbaa4381a758c75dfbe

SHA1
9368c9e6410dc38c7100b841268f0147c6bd4efe

SHA256
cef231ab83911640e924624055ca02196fd9aec114ec0bd415d882185d3cb160

SHA512
7f176eae7e84cbc619a613f38154a94cdec34f9a4e06c057ce85a2f5513ac84577c54923be484c04977e530530a5dcdbb2e77f6209a7ade6763f76c625bad2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\flstudio_win64_21.2.3.4004.exe

Filesize
74.1MB

MD5
4f9ff109f470cc19b16e6e61b6ed3876

SHA1
8499e547e9975c1b09e62769859401fdc32bd01e

SHA256
815782d4ddb2335d6fd2485699ee0d6677f27a521d32805445f6a4d94bfc3cb4

SHA512
0bdf964062b06c1f10d5374126d24eaa05f7b919c60261a8652c4b98e2ccf013223abc1cfe84c700a050f76b85ad658522b35b226f12b138699f1048355dcd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\flstudio_win64_21.2.3.4004.exe

Filesize
72.1MB

MD5
e1ebe75cf1e186d99f1a586d8b6927d5

SHA1
da9a0d6d05511a757d00ce0564e08e8608175be9

SHA256
cc0933bd9e0e4f9a3dcaff66a85068f322681d7934c9db029d37f3c2f908e7d8

SHA512
f37b0c3ba98695938df736ba529212d276103b228e0b1b7efe990b72bafcba2be8ab09a04132febde67d3c585cebe807896f329544767ad06b4c88ee8a3db7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC553.tmp\ioA.ini

Filesize
1KB

MD5
c533bd0d2cc18a1663f3c5b06cc03205

SHA1
8995a61ca7d716c4c01c189e14382332026a0f15

SHA256
ea4f73cbb01287725966b6aedea648b1b97e04368587a6b166d04a87471f87d3

SHA512
5e9f6b6323a5dc1c8c4f23a4006c0025c7f7da0154f22c5f615d746b13d492e67fdc9b6d85a8b8dc805021bc1fbd7dbb82c3fa09e4aee8ef9ea3c451c9937377

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC553.tmp\ioA.ini

Filesize
1KB

MD5
9e79e9437e4256adb25dac49785b0971

SHA1
e2113fa0d8e237b180535d5911d4f2b7acf331a6

SHA256
f4cc9194a5e4aa940eee742e5e20fc50b9fe2423c269c9458e387aa9e6bf1e66

SHA512
6be650594347ef006a67116b8bf14667ce90de1ec9f6651b363eeeae717f7fd7d2f8a93a044a370414cae4f34a891868a80f35b8afa1e4c2d9c67adcd59a4da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC553.tmp\ioAllUsersPage.ini

Filesize
1010B

MD5
634fd2633a884035690fd3635c7ae34f

SHA1
91af7c2af8a41563d33f944868d22673c6116e2d

SHA256
c0313e195465e521ef5cbd94e19a1abe70cf0d564ec38b017f1e09a276e30c15

SHA512
810389998f4eb641228e5b4e2ec43849102d2d9e1890c17aff5067cbcd0e46bac7850f732815746cbdf62d4f698cc47002cad2aa2f3b442cec3a5652558b058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC553.tmp\ioAllUsersPage.ini

Filesize
1KB

MD5
67cac89c0e3a29e566e1f6de086b0f22

SHA1
bd349d467e86ffc6657baca6bc42e93546f017b6

SHA256
9660c64a7d99b423e693df36810625fd98223cdfaf7a1b17fe70cd5692a87dcc

SHA512
a1777754b809477f81d43ab8739689db7864b4086a5bd84767a44de4afce4fb1d26dca1816f959185223130b98da6877791d3a4b8c8c7d418d9a1712bcbd86d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC553.tmp\ioSpecial.ini

Filesize
1KB

MD5
81cf7f1d974f40ed3b3d707b4d347f2a

SHA1
98ad57cbd3daa578e790d0b5774bb4cc97f16519

SHA256
ade77e09a2265c7bb1c0dd7d095849510b8a8c7c02ca1d6f6141f1dde8bceb24

SHA512
48a515c01708ba52d6f45adf3a2c7255d030b970aeb6c19a671b170e3ea8786ff343acaf42f6c8394a737aa209a3fdead4677dbe63a4f3a1701404f00c470deb

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
79.7MB

MD5
daf9f7c0a94d2e32bb8856762808e186

SHA1
840fb4ea25f987d8f2f992c85dbbe2d37e03e66f

SHA256
27c0b36145b10eb03d28340d9fd02e9843419eb9ed5e1931efb91ce9b67b9ee8

SHA512
5186e7dce8f74543b1ec2e6f61c5d90edbd38f2388f431e0c35993066957fd46758c6ef27c722890ec1d6ad2c495b1d5cc91ea8682ff90e333911913e29ca808

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
83.5MB

MD5
3fb06c33080e7ca96f4a066098c22766

SHA1
5391b27ed43a3048da443a8b966e0b1a9f5be732

SHA256
fcb08846ebd2830996f7f53cad991c5013c0f89f8b51758ff1b25701f6b99473

SHA512
be571852a3f33e80894500ccc984ad1322a61f14a9f6a7e2fee7c64c46a5c4d4e2521d445167617168c65fa91698d3b736148689e2d51d8d3f80a197d0d569e5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
82.1MB

MD5
b1bb829785c84f0b0d28ac26111437c9

SHA1
5cf10bbcc3efc63d3f6fb29fdb376569b60f073e

SHA256
81de8856a45f730d3286a8450d13ef6ab1a485f6bf62a13a24d52d1183ca5277

SHA512
327fff5e4eaa96ec23254ae53be37ddab9ccde35e125bf0ec51e5ff40afb364206062c303533cf74a385d0fa4c98e91eeb799605218ec6309cd793d037e78dda

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FL.Studio.exe

Filesize
77.6MB

MD5
bd3301fdc11e447ec1cb7251cca17452

SHA1
9cbaa1aeb1b21fa4e15ec8e5b610c5ef6b211910

SHA256
273e81d36f3138308588ff62aeaf4016fff42b6f567e6981ee2700b778ebf44d

SHA512
980087f9ae1dd29e17ffb30aa425615b0e46f4e00c311fdfd4c241e91cfb951ea471e8c2c1084f9e708928e9a4b972a1ab879eae455be0a3e7e89ec956274e3d

Download Submit
\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nse9BE3.tmp\flstudio_win64_21.2.3.4004.exe

Filesize
73.6MB

MD5
fd20b734148449eb12044a54f191b546

SHA1
1c534d8ca97bca55714413efe740ea03883d4ef2

SHA256
f4af4f85ce9d1df619981bbc3a092e6cce2d8795b4b6f8f6f9bf982f6e0247b2

SHA512
ebe284bde6a486933811e67b6622b9a3cec34721d3d7982e5aed106b8f96eba9d7cdc60bfbb3500c03f5f14422b43359e8fbfcb485a5be74e970c458a2cb90f8

Download Submit
\Users\Admin\AppData\Local\Temp\nseC553.tmp\ILSetup.dll

Filesize
1.0MB

MD5
cd50c47c010aa1e6abd8bd8ce98fb8c5

SHA1
547e445c42b39041204c012f95e146ba7bb3442b

SHA256
1ea1404b5e14ee8572575d941ef27437a534b46aa1d23e112cf40f4144cbb7ca

SHA512
f4c54f3403633167572e36867a0e99164de2cafe873505922b055b65b63809729a89ab3df092a634d18fe2fb8d3d1060a908349ef61b88ff0750815347a4fa53

Download Submit
\Users\Admin\AppData\Local\Temp\nseC553.tmp\InstallOptions.dll

Filesize
15KB

MD5
998189882c9f1be220c9faf0fd2bde15

SHA1
787d50c46c9a2a48565f684fabc7503aca8b0493

SHA256
f34385901206a3952fe2724edb3b0b123fd897119c774ab68c8745de6662d990

SHA512
e0c52ad851b476e7bcbadea8f993e5c6f9f70a9b46e2aebe8ee353a372b0bd5af95241240f880f49b9d91d240a4a2b7e7d2b7c8a18ca1654e607fa8d2772dfd6

Download Submit
\Users\Admin\AppData\Local\Temp\nseC553.tmp\System.dll

Filesize
11KB

MD5
24523fe14bb9ba400a3950016b187915

SHA1
6ec152b4e4ac04038d4608a8a206070185116036

SHA256
c4aaf80e3990185eeb5ea56bf841dbf5f3d02269d715f3bfdfe8b54aa797a7b9

SHA512
ae73351d27109187f7c4e312bc30a165202f29d74c65dd0feaee75dab72b97d27c6482b1e95771063afec7e9f2ca03a27a11cd25e39228072b69c33fffef7257

Download Submit
\Users\Admin\AppData\Local\Temp\nseC553.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nseC553.tmp\UserMgr.dll

Filesize
23KB

MD5
9210597fba3dfab3c69b1eb490205419

SHA1
6e3ca39043756ed1cceaf2d4853e7cb6be1c64cb

SHA256
7696c255014a543f720e189ab3fe48f62fcf43435465062649c96138eedb222f

SHA512
4877daefdd34725791fba7c8cc2d85c4e91080ca7787a71ee9ffde71704ac40799b891f03d1f1805a31af6ddc35e335f74c9d620e87d517670a378c001cffb06

Download Submit
memory/1432-95-0x0000000003B90000-0x0000000003C9B000-memory.dmp

Filesize
1.0MB

Download
memory/1432-43-0x0000000003AE0000-0x0000000003BEB000-memory.dmp

Filesize
1.0MB

Download