Malware Analysis Report

2024-09-11 16:51

Sample ID 240615-e5qb7ssgmr
Target fl_patch_installer_20_7_2_1863.exe
SHA256 5f89eb141d955c2e678cbb3b36b110f93f807ff7ef2b125fb99092fd6f0f668c
Tags
vidar 948 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f89eb141d955c2e678cbb3b36b110f93f807ff7ef2b125fb99092fd6f0f668c

Threat Level: Known bad

The file fl_patch_installer_20_7_2_1863.exe was found to be: Known bad.

Malicious Activity Summary

vidar 948 stealer

Vidar

Vidar Stealer

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:31

Reported

2024-06-15 04:32

Platform

win7-20240221-en

Max time kernel

25s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe"

Signatures

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Vocodex.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\is-C205J.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-F9DCL.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\Wasp XT_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\Fruity Video Player.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\Wasp_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\Edison.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\Newtime.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\Newtone_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\is-21JMR.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-6JSUV.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\Edison_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\SimSynth.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\Ogun_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\is-5HT43.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\Fruity DrumSynth Live_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\Slicex_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\is-895ET.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\is-RTICG.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Maximus\is-RJ1D5.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\is-KA2RJ.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\is-H3CEU.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmless\is-T7VS5.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Sytrus\Sytrus.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\Newtone.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmor\Harmor_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\is-UEASN.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\is-1H9E3.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-6DJIB.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmor\is-583TO.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\is-OMCI3.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\is-GI7GC.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\Slicex.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\Wasp.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\Transient Processor.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Soundfont Player\Fruity Soundfont Player.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Gross Beat\Gross Beat.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\is-Q0B05.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\is-7BMET.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\Ogun.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Maximus\Maximus.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\is-A9FQ1.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\is-9M311.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\Transient Processor_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Soundfont Player\Fruity SoundFont Player_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\SimSynth_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\is-KP9NT.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\is-LM0HP.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\is-9A8IG.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Synthesizer\is-4ISSU.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\Newtime_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\Fruity Video Player_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Vocodex_x64.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-O6A5O.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DX10\is-5R0SG.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\is-3M42G.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\is-M9ERR.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\is-UCDU3.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File opened for modification C:\Program Files\Image-Line\FL Studio 20\FLEngine.dll C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
File created C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\is-RVC61.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\uninstaller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 360 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe C:\Windows\SysWOW64\cmd.exe
PID 360 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe C:\Windows\SysWOW64\cmd.exe
PID 360 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe C:\Windows\SysWOW64\cmd.exe
PID 360 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2728 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\fl_patch.exe C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe
PID 2664 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\uninstaller.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe

"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "

C:\Users\Admin\AppData\Local\Temp\fl_patch.exe

fl_patch.exe

C:\Users\Admin\AppData\Local\Temp\uninstaller.exe

uninstaller.exe

C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp" /SL5="$401AA,116119095,125440,C:\Users\Admin\AppData\Local\Temp\fl_patch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 952

Network

Country Destination Domain Proto
US 8.8.8.8:53 romkaxarit.tumblr.com udp
US 74.114.154.18:443 romkaxarit.tumblr.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\start.bat

MD5 31d9a703e474b8308b47fcc645b6639f
SHA1 e4b0b1df8b05dd2ab9c319c7cd901ffc5ce5ccea
SHA256 95bbf6860fb9ccca9d9b41df75294f86f9bd6fbfee3ebe42306875145d62b357
SHA512 cee2921e71e364d5f9eee10c643f250e6c872996b7781f58058d6b19e0c9c67425a7f73df82efbfd56c57ee3760e1dd1264eea03038ce7213c5a4bb92caa756b

C:\Users\Admin\AppData\Local\Temp\uninstaller.exe

MD5 96732cbc61bf97fbebebead194f07184
SHA1 12c1a5e772df670a110bd1ec0eed21b319f19286
SHA256 54b401a0fc715c1548cf451d93f3da3413af7609af37eee20c6f007f8b52a1f3
SHA512 55026ef2afdd8875f9fbc86bbfec95fc9e48bd4fc68d9c7966b72a1cbf48c447c88814344e607ab4f25d65458a5a96c77108b11be6465e2c822e9f8712989f63

memory/2628-26-0x0000000000400000-0x0000000000429000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp

MD5 006c402fd22016b5a5a1c2180ca5ccc9
SHA1 dc8dae24ef11181d145c8d9f6f245f3b67a3e1d0
SHA256 5b246db2dfc1a5d000b0662e2a58e1cb9f89fdc87945597ec1e1f2f245fd7898
SHA512 caea20f48421f7918c9ead0316decba60460c74ff878666e0a48ae1e5b2eb41a37b03c1a59bc3aa416990e49cae155e19894461c28c225f4f9b42e184db289b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4F7E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2796-105-0x0000000000400000-0x000000000052E000-memory.dmp

memory/2628-104-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-O6A5O.tmp

MD5 7b5f389263a80605a4770c80d8ae5af3
SHA1 7a226991aec4e0ff2761c92340d934ae7e91856d
SHA256 d7aa3d5081c199e35a9eb320e2b132bba9e4a7e48b535660833b85ffc662fef3
SHA512 6370800120f52f1106a672c868b4a97175a5435a54c737b7b81a410cceb3c698277aec9eb8e051dd25c71762e0fce513c6499d5d683a06a71fb621c5161b0c33

memory/2628-195-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2796-193-0x0000000000400000-0x000000000052E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 04:31

Reported

2024-06-15 04:37

Platform

win10v2004-20240508-en

Max time kernel

298s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe

"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A