b263dcd9df61abc5824b637e7cf12f3df626a7d6232e562a62995e0745272109

General

Target

Guitar Rig Setup 6.4.0.exe
Size

491.3MB
MD5

3e06410be3ade33bcec13877578d2df2
SHA1

6ca8cc81df6439df10c62a6bb94d1159a91e3376
SHA256

b263dcd9df61abc5824b637e7cf12f3df626a7d6232e562a62995e0745272109
SHA512

e9edea9ae0dd20a07da5b42cecd03d290209ca4524b0b0d41698f9d6fe9ea5760f684bf6e0ab1c4547ef257259c16bab3f812ad5c2fbf70379134b128329b6f1
SSDEEP

12582912:/3tP7Yqw/IUXRRRYqfl0jWJpfPRR4fCC+oe+cf+KwDw3Kn:/3tzbtUDGqSIp328B930

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	Guitar Rig 6 Setup PC.exe

Loads dropped DLL 5 IoCs

pid	Process
2740	Guitar Rig 6 Setup PC.exe
2740	Guitar Rig 6 Setup PC.exe
2740	Guitar Rig 6 Setup PC.exe
2740	Guitar Rig 6 Setup PC.exe
2740	Guitar Rig 6 Setup PC.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\OFFLINE\7C89B8DA\DF299D4\desktop.ini	Guitar Rig Setup 6.4.0.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\OFFLINE\7C89B8DA\DF299D4\desktop.ini	Guitar Rig Setup 6.4.0.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Guitar Rig 6 Setup PC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	Guitar Rig 6 Setup PC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	Guitar Rig 6 Setup PC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28
PID 2844 wrote to memory of 2740	2844	Guitar Rig Setup 6.4.0.exe	28

C:\Users\Admin\AppData\Local\Temp\Guitar Rig Setup 6.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\Guitar Rig Setup 6.4.0.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guitar Rig 6 Setup PC.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guitar Rig 6 Setup PC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guitar Rig 6 Setup PC.exe

Filesize
4.5MB

MD5
fc6b5eb4096e9badad076d372ef48c81

SHA1
b88c6e10b79429fbf42e4beee6c2cba7f65ddc1f

SHA256
d21f49548470140db1540ebedc05ce6d733c984dd53461e106be8b70b04b831a

SHA512
fec18a9574e3f3df4045b9409fe6fb5d0ecff47542a237ca90ff1703e55f402de56ff1195dd96b6f3b7a272188f5bf5cc8f85c359d55b4676e19829ed6793ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guitar Rig 6 Setup PC.res

Filesize
10.9MB

MD5
52cedd0c4564a565f38d6c938be19855

SHA1
caad14dc9281722d07341a35a1b1ef0354a760c0

SHA256
a06d2b98c496d0cf6c9d4328b1ad5848b60d22fb18a724382c4c02957268c106

SHA512
ef2f996d5bdd3e60d93b77cf0b2673fd556ebe206c77eccc0abe9ad9411815f703da2db1202071e2d2b18740d475af40b21778e4d9b0c12c6b4115e768714fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\OFFLINE\FEE43EB9\B62B0C94\Rammfire4x12A_room.grir

Filesize
77KB

MD5
2dfc932bc54dc8f31d26bbb51d992cae

SHA1
c72bf46b13f1ac62d0fb4f265edbd9c5ee3aa20e

SHA256
fb08e41073b889049090d0e0d86048a74f4008bf9603118bed2f002f86e970ad

SHA512
95d1ef52de4e26146f848c1e1c20d03d54b6aa8ab1145484816d4416c31de2ad7453958a5ba6f76971d996926b000ad1e5950426ebf360c97a2fda6e5eea18d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\OFFLINE\mIDEFunc.dll\mEXEFunc.dll

Filesize
99KB

MD5
b491a4eba59ab39c7705089523d0f0e0

SHA1
b0c266593160edc50bb49b6bd7a45a96d104c0d8

SHA256
a3d8bc6a70307e29ed11b05d5b52c1b3d5c2640f85dfc7f67e4e38f6cdacabed

SHA512
9ae066492a17d402dc21349d228866332e3a37bbfe29f38eb5aa0bdb6dbed925f21b51d4d4ddfe30b26c936f27f73aa9a58544c9781b4b11d2eae25d201c6158

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\EULA_Native Instruments_deutsch.rtf

Filesize
80KB

MD5
83ac56627f98af42c6308a2855dc084a

SHA1
575c11204e10114d6ea183cab84d1fb205c3c837

SHA256
7366afba622abc7cb9b0487549897b6e898f197272b6aee4f94c306d6d79ce89

SHA512
de3661c59e614a44b37bd6fa4c5280a712ea98624d351df11a1ee2c631eb6a2abee3dd273eb84cf22df41b6e865ca24604e30900aa7cebc1eb95b834ef5d5662

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\Guitar Rig 6 Setup PC.msi

Filesize
1.4MB

MD5
604d07e4568428c73034535b775df6c3

SHA1
6fe4118f3fb2f8f43084e50f796c617d652e45ec

SHA256
ac004cefda060893dac2da3794e041857c1e20d5857ad916b37bb79b0b967b65

SHA512
9ffdb4103e7008bc9b545821180109a3fd0b66a66da97a8049001216140642155434564d76856fa9335b9822d604fcde390f7fd6f1d5cab609351420cbb62145

Download Submit
C:\Users\Admin\AppData\Local\Temp\mia1\progressprereq.dfm.miaf

Filesize
282B

MD5
ba2f4a15151b83d1f96d22e147eb4163

SHA1
80fe11da4e4152abf8a8d0bc686b3dbabc19b6b2

SHA256
d34db8a59c8b1e66d66fffb62d4a2d81359f2a9fee299d999ef84a1582bd8b78

SHA512
b298197d5ae09353fa02e34d6cc9fbbe6f369e53c9d55d0ccf310962b41fc33717e4f60bf08de44accfcd2c45704709536ed9d01503d5a696e4396d8e55a302b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mia.lib

Filesize
565KB

MD5
e6c930ab2d929ce6ac088799b57ae430

SHA1
8d1628b4f816dc93b8f843e7a28d760ad0edccc6

SHA256
d3125717c7f99cee05045995d10f2986f9a2608ffdedfb29b34b472f3f36f952

SHA512
a3d082674d9a4314bdae8e9ac429bd22030bc7ff69c695afd53ba9a785c7a5ff44fd7599278bb0422378b0aae3102d652f2cc03574285729196078f2717bae4f

Download Submit
memory/2740-4839-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2740-4981-0x0000000000400000-0x00000000006E8000-memory.dmp

Filesize
2.9MB

Download
memory/2740-4983-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing