c655d27470498750efd7cd32a14b8bbdb421ce9f7012935d1e1014a7f8241ba5

Analysis

max time kernel
323s
max time network
277s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
20/05/2024, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xfer.Records.Serum.v1.36b8-R2R.zip
Size

176.2MB
MD5

fee15e40d50da2140ae84629b288ab72
SHA1

ea5cb5e2042fb51a805bc9b1fb58f8b4a89ad7b0
SHA256

c655d27470498750efd7cd32a14b8bbdb421ce9f7012935d1e1014a7f8241ba5
SHA512

440c8cc447644db276a67da2883447c41f51fd19e987e19ad574b4dc472bd110e2fb529326af0ae9d3d6326b5dd5502dc39761a8134d03024e050104a3b61188
SSDEEP

3145728:PpyR6xHq8EOUon92WYiojoIiW5cfq4nJ7GHP/BQbFCYT20coSMMjHEkGco:PkRcHq8GG2CPIilfJnJ7GvgDIHE6o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4704	keygen.exe

Loads dropped DLL 6 IoCs

pid	Process
3268	Install_Xfer_Serum_136b8.exe
3268	Install_Xfer_Serum_136b8.exe
3268	Install_Xfer_Serum_136b8.exe
4704	keygen.exe
4704	keygen.exe
4704	keygen.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\VST3\Serum.vst3\desktop.ini	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\desktop.ini	Install_Xfer_Serum_136b8.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\VST3\Serum.vst3\desktop.ini	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources\Snapshots\56535458667358736572756D00000000_snapshot.png	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources\Snapshots\56535458667358736572756D00000000_snapshot.png	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\x86_64-win	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\x86_64-win\Serum.vst3	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST2\Serum.dll	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\PlugIn.ico	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\desktop.ini	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\moduleinfo.json	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources\Snapshots	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\moduleinfo.json	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources\Snapshots\56535458667358736572756D00000000_snapshot_2.0x.png	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST3\Serum.vst3\PlugIn.ico	Install_Xfer_Serum_136b8.exe
File opened for modification	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\Resources\Snapshots\56535458667358736572756D00000000_snapshot_2.0x.png	Install_Xfer_Serum_136b8.exe
File created	C:\Program Files\Common Files\VST3\Serum.vst3\Contents\x86_64-win\Serum.vst3	Install_Xfer_Serum_136b8.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Install_Xfer_Serum_136b8.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Install_Xfer_Serum_136b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3268	Install_Xfer_Serum_136b8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4472	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1520	Xfer_KeyGen.exe
4704	keygen.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4704	1520	Xfer_KeyGen.exe	90
PID 1520 wrote to memory of 4704	1520	Xfer_KeyGen.exe	90
PID 1520 wrote to memory of 4704	1520	Xfer_KeyGen.exe	90

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Xfer.Records.Serum.v1.36b8-R2R.zip
1⤵
PID:2836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2748

C:\Users\Admin\Documents\Xfer.Records.Serum.v1.36b8-R2R\Xfer.Records.Serum.v1.36b8-R2R\Install_Xfer_Serum_136b8.exe
"C:\Users\Admin\Documents\Xfer.Records.Serum.v1.36b8-R2R\Xfer.Records.Serum.v1.36b8-R2R\Install_Xfer_Serum_136b8.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3268

C:\Users\Admin\Documents\Xfer.Records.Serum.v1.36b8-R2R\Xfer.Records.Serum.v1.36b8-R2R\R2R\Xfer_KeyGen.exe
"C:\Users\Admin\Documents\Xfer.Records.Serum.v1.36b8-R2R\Xfer.Records.Serum.v1.36b8-R2R\R2R\Xfer_KeyGen.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004B4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RXFEKG.dll

Filesize
3KB

MD5
fb235a312dbde4daf45aa6d62923d2c4

SHA1
67580595f059640b974cd585b3deac25aba5928e

SHA256
fb2ef28d03f1bbc60cb564cc8d90b3469f3ad393d81020b4afe2501c1b60da9c

SHA512
14c7ba743221520753266119b4f91023321fdead7e3f941e4c6ede1b439886fcdfe7565eefd00d03f7c93686234ccd7369e150f2ad344d365ed0447c6aa6f898

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.mod

Filesize
459KB

MD5
27bb415f94ed6f7bbbe60147e256d806

SHA1
311558f88abe5095c46641368982f1effc8dabc5

SHA256
09eb0d54924d998add82d73ba86350ac09c1f5714d895e08c77f34441da1c2c3

SHA512
161dbae65d5ef4f2bbb4c57fa18c72b3c2b2a5993bc763d673832899eaa3d120697d4192362d2270e0d9630b0dc9429b3e221bb44cf0ff59de46e949d2a4cc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
249KB

MD5
39940bef79a1d23adf86979d4d4cceed

SHA1
593f9ea0cd0c1c4ec35c92a4473ed05437fb22ce

SHA256
941267a1bd1328f21bbaf3a1ba5abe12196c3d57e4c49134c6764e7b143767d8

SHA512
12b8f61bb8c1c661d7d4c7aff5e2e3f2915cd1b3c923bf9b17dd3bcc8b3ffb4145aa86b284bedd2695c6e62117cc1257a896dfe3227961deac35e8e9836d12c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv13D2.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv13D2.tmp\advsplash.dll

Filesize
6KB

MD5
1871af84805057b5ebc05ee46b56625d

SHA1
50e1c315ad30f5f3f300c7cd9dd0d5d626fe0167

SHA256
62b3db0446750ca9fd693733eec927acc1f50012a47785343286e63b650b7621

SHA512
c1979ee98dfdb807776c439218528d80b4b244a87e692f1538e40f9c2c82db8b77485eb1429325b6f44419bf1f4cd454e43ff381eff077a8b4f4d9eb0d7e54d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv13D2.tmp\modern-wizard.bmp

Filesize
150KB

MD5
fd944873f187518849e6e3336c45f968

SHA1
3ba4d7d455372a329eb44200ecdd2e3075869047

SHA256
54eec84988f8d5d5f1cdfefd74333dbcd85b1ff525b2b1f9cac6de9905cefe1d

SHA512
d2bbbc19e4114fc68c695664bf8c5ba4f04e96f24b002f4e37c8147f946c32c043a97723f6536c4a8895384a2c119fd2fb8042e3e27a16fdf55d4f779e0e1f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv13D2.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\Documents\Xfer\Serum Presets\Skins\Default\1x\bmp00180.png

Filesize
1KB

MD5
5bb22ab624d9c111ccff980846e21c99

SHA1
a200fec196a8f0a4b798d3fa73f2e715ed547835

SHA256
a0a1c6ea69b0a6a1aa6d6bd6bd295e8df710ab4f819c1aeecf2c5786f26d1059

SHA512
0b9c2a9a0b18bebe29790355affeab7cdfcf4955e7464c9660c08d737850ad3ec7c8457be8980e567a8d922fe28beec8f29ed4ae30ca4a1e05896669ea26736d

Download Submit
C:\Users\Admin\Documents\Xfer\Serum Presets\Skins\Promethium\1x\bmp00177.png

Filesize
1KB

MD5
c2636cab1581b01001bd665189fda63c

SHA1
76b394eea28541efc8574bd7773a35e1fca67ce5

SHA256
7f489f7a78e8153edd85b24f6f724a21895d10d5c8f40197c7af7e68960bda66

SHA512
5387376cc01d2d638c628d20c0471d582896641b9a5236bd78f76331a92b173d59a3d09cdda38fa2c648a07c3716972e657f5ab4868557d5bc928bcb36d721d7

Download Submit
C:\Users\Admin\Documents\Xfer\Serum Presets\Skins\Promethium\1x\bmp00180.png

Filesize
1KB

MD5
3d370826d1b4c223b7975cbc2a064eb1

SHA1
8eabeabf9798ee63cf7cbe3df3f2c22c5aa4798c

SHA256
d34652d56f2a61d28d1c350fc180a1ce1642c29bcb5fe05a77b9b256711468f4

SHA512
b502d2dd5e572705a7d7a75060ecd5c20e8f0f7307dfad659ebd3c62079d48bba0b3ba80117b62412ad2bc0eb114e8037c9e8ae9201b30acd72e9217861e4d6a

Download Submit
C:\Users\Admin\Documents\Xfer\Serum Presets\Skins\Promethium\2x\bmp20177.png

Filesize
2KB

MD5
5d857b9000d78b502e2ffb8d0e6647de

SHA1
0e27ede07ddb9dcc6ddf1f9831c4c70988ca066c

SHA256
f8e352e45b99c51541c641e79336b0ac71bed60de31f866caed96e42b42adae4

SHA512
d3ebb20a9cff226947e477aa990982e0a8a4b27202e7b915d66622531e9e7832a3a1e9ecb86c5d27688498a88d3fbcec3b4272a340be8a4a03e52db99d5161f7

Download Submit
C:\Users\Admin\Documents\Xfer\Serum Presets\Skins\Promethium\2x\bmp20180.png

Filesize
2KB

MD5
2b4d9090fdb2bdedb973155412b06ab8

SHA1
11d7b407d00d081414fbed0f35b8cfb491e0e90f

SHA256
981ca03de861ee80f0049bd33abbbcc2322aaa23499f31c6bf274750cc14dfd8

SHA512
6d0428b866103203b38fb06b22364c8e3591adf23fcc0b32d7f5de048348a4af1e2d7913f39de84e7e47eca3c41995365959c2a1c77243a3d5f42809c5d14072

Download Submit
memory/4704-2807-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2813-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2806-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2798-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-2808-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2809-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2810-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2811-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2812-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2804-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2814-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2815-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2816-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2817-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2818-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2819-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2820-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2821-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2822-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4704-2823-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download