Malware Analysis Report

2024-11-30 13:14

Sample ID 240620-stp4ysvaqd
Target reFX Nexus v4.5.17 CE.exe
SHA256 068ed5b08f522874db963f10c2e0e137fb8a94b7b2b2bad4f9f1aa67286ed6d2
Tags
discovery pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

068ed5b08f522874db963f10c2e0e137fb8a94b7b2b2bad4f9f1aa67286ed6d2

Threat Level: Shows suspicious behavior

Verdict: reFX Nexus v4.5.17 CE.exe shows suspicious behavior (score 7/10). The signatures below are consistent with an Inno Setup installer that unpacks a second-stage .tmp into %TEMP%\is-NR47Q.tmp, writes audio plug-in files under Program Files, and runs a dropped PyInstaller-packed executable from C:\Users\Public\Documents; the report records no network activity and no confirmed malicious payload.

Malicious Activity Summary

discovery pyinstaller

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Detects Pyinstaller

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 15:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 15:25

Reported

2024-06-20 15:29

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\is-J851D.tmp | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\is-AS92E.tmp | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File created | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\Contents\x64\is-FQGTU.tmp | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File created | C:\Program Files\Steinberg\VSTPlugins\is-0G2MI.tmp | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File created | C:\Program Files\Common Files\VST3\is-PANTU.tmp | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File opened for modification | C:\Program Files\Steinberg\VSTPlugins\Nexus.dll | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
File opened for modification | C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
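Added example, not part of the sandbox report and not code from reFX or the sandbox vendor: the "Detects Pyinstaller" signature, together with the _MEI46442 directory holding python310.dll and base_library.zip in the Files section, points to a PyInstaller onefile executable. The script below confirms that offline by locating the CArchive cookie that PyInstaller's bootloader appends to the executable and reading the Python version and shared-library name out of it. It assumes the 88-byte cookie layout used by PyInstaller 2.1 and later; the bytes produced by make_sample() are constructed for the demonstration, not taken from the dropped file.

```python
import struct
import sys

# PyInstaller's onefile bootloader carries its payload as a CArchive appended to
# the executable. The archive ends with a fixed 88-byte cookie (PyInstaller 2.1
# and later), packed big-endian as:
#   magic (8s), package length (I), TOC offset (I), TOC length (I),
#   Python version (i), Python shared-library name (64s, NUL padded)
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88


def parse_pyinstaller_cookie(data: bytes):
    """Locate and decode the PyInstaller cookie in an executable; None if absent.

    The cookie is normally the last 88 bytes of the file, but an Authenticode
    signature or other appended data can follow it, so search backwards for the
    magic instead of trusting the file tail.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    # Current PyInstaller encodes 3.10 as 310; old releases encoded 2.7 as 27.
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    # The package length counts from the start of the archive to the end of
    # the cookie, so the archive start is recovered from the cookie position.
    archive_start = pos + COOKIE_SIZE - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None  # magic matched stray bytes; fields are not self-consistent
    return {
        "python": f"{major}.{minor}",
        "pylib": pylib.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "archive_start": archive_start,
        "archive_length": pkg_len,
        "toc_offset": toc_off,  # relative to archive_start
        "toc_length": toc_len,
    }


def make_sample() -> bytes:
    """Constructed stand-in for a PyInstaller onefile EXE (not a real binary):
    a fake bootloader, a fake archive body ending in a placeholder TOC, the
    cookie, and trailing bytes standing in for an appended signature."""
    bootloader = b"MZ" + b"\x00" * 510
    toc = b"\x00" * 32
    body = b"\x01" * 200 + toc
    pkg_len = len(body) + COOKIE_SIZE
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len,
        len(body) - len(toc), len(toc), 310,
        b"python310.dll".ljust(64, b"\x00"),
    )
    return bootloader + body + cookie + b"\xaa" * 16


if __name__ == "__main__":
    # Usage: python pyi_cookie.py <file.exe>; with no argument the constructed
    # sample is examined instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    print(parse_pyinstaller_cookie(blob))
```

A hit here is only evidence of packing, not of malice: any Python 3.10 program frozen with PyInstaller carries the same cookie and drops the same python310.dll and base_library.zip into a _MEI directory. What makes it worth a second look in this report is the context, a Python executable dropped by a cracked installer into C:\Users\Public\Documents and executed twice.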

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe

"C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe"

C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp" /SL5="$401CC,16815311,833536,C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe"

C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe

"C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"

C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe

"C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"
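Added example, not from the report: the second process above follows the Inno Setup pattern. The installer is a loader stub that unpacks the real setup program to %TEMP%\is-XXXXX.tmp\<installer name>.tmp and launches it with the internal /SL5= switch, whose value is a window handle in hex, two integers used by the loader, and the path of the original installer. The script below parses that switch from a list of command lines so the .tmp can be tied back to its parent and checked for the is-XXXXX.tmp scratch directory. The command lines it is fed are the four from the Processes section; the regular expressions are this example's own, not the sandbox's, and the two integer fields are carried through without interpretation.

```python
import re

# Inno Setup second stage: "<...>\is-XXXXX.tmp\<name>.tmp" /SL5="$<hwnd>,<int>,<int>,<parent path>"
SL5_RE = re.compile(
    r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<a>\d+),(?P<b>\d+),(?P<parent>[^"]+)"'
)
# First token of the command line: an optionally quoted path ending in .tmp or .exe.
IMAGE_RE = re.compile(r'^\s*"?(?P<image>.+?\.(?:tmp|exe))"?(?:\s|$)', re.I)
# Inno Setup's per-run scratch directory name: "is-" plus five letters or digits.
INNO_TMPDIR_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.I)

# The four command lines recorded in this report's Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp" /SL5="$401CC,16815311,833536,C:\Users\Admin\AppData\Local\Temp\reFX Nexus v4.5.17 CE.exe"',
    r'"C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"',
    r'"C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"',
]


def parse_inno_stage2(cmdline: str):
    """Return the Inno Setup stage-2 details for one command line, or None."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    img = IMAGE_RE.match(cmdline)
    image = img.group("image") if img else None
    return {
        "image": image,
        "in_inno_tempdir": bool(image and INNO_TMPDIR_RE.search(image)),
        "hwnd": int(m.group("hwnd"), 16),
        "loader_fields": (int(m.group("a")), int(m.group("b"))),
        "parent_installer": m.group("parent"),
    }


def link_inno_chain(cmdlines):
    """For every stage-2 process in `cmdlines`, tie it to the installer named in
    its /SL5= switch and record whether that installer was itself executed."""
    images = set()
    for line in cmdlines:
        img = IMAGE_RE.match(line)
        if img:
            images.add(img.group("image").lower())
    chain = []
    for line in cmdlines:
        info = parse_inno_stage2(line)
        if info:
            info["parent_seen"] = info["parent_installer"].lower() in images
            chain.append(info)
    return chain


if __name__ == "__main__":
    for entry in link_inno_chain(SAMPLE_CMDLINES):
        print(entry)
```

Recovering the parent path from /SL5= is useful when telemetry has lost the process tree: the .tmp is the process that writes into Program Files and enumerates processes in this report, but the file a user actually downloaded is the path inside the switch, which is the one to hash and hunt for.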

Network

Files

memory/2156-2-0x0000000000401000-0x00000000004C1000-memory.dmp

memory/2156-0-0x0000000000400000-0x00000000004DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NR47Q.tmp\reFX Nexus v4.5.17 CE.tmp

MD5 8783b6e042387cd97a88f6c6cf049506
SHA1 b1d5fadec05175204bfb8f1d1a68c676e4edb1b4
SHA256 3d821c065bd06d7a537ad7bda123e49db5ee6aea8e98ea4cd786ec4be2704e49
SHA512 3d4b44fd891c34ce154004f3bd8d3fc6b12ca94e1484c08c38a1e9e7469a8206bbbdcec16d0952976e5a5f5433a70cdceaaf0f39bddf1a9622d330712ef93c33

memory/6052-6-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-1FU8H.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2156-11-0x0000000000400000-0x00000000004DC000-memory.dmp

memory/6052-12-0x0000000000400000-0x0000000000724000-memory.dmp

memory/6052-16-0x0000000000400000-0x0000000000724000-memory.dmp

memory/6052-34-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe

MD5 9b636915e620b369dfb9f5995a010eb3
SHA1 5e80f0e8f3076d541b85ca8530c30d71dc94a7d5
SHA256 78e7192751e4edf5eb48df9b1c7c6724c17213e7a209e28375b24df339179f67
SHA512 c79e1767408fa650a6e0ba9ac0ea097aa13e6af8a27e418f11ecf6e3d88ba3a6538887adb0dcbccb8f057c079258c152c1b90203da526ef7a39193007e0bdfd7

C:\Users\Admin\AppData\Local\Temp\_MEI46442\ucrtbase.dll

MD5 2c8fe06966d5085a595ffa3c98fe3098
SHA1 e82945e3e63ffef0974d6dd74f2aef2bf6d0a908
SHA256 de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65
SHA512 fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

C:\Users\Admin\AppData\Local\Temp\_MEI46442\python310.dll

MD5 e9c0fbc99d19eeedad137557f4a0ab21
SHA1 8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf
SHA256 5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5
SHA512 74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

C:\Users\Admin\AppData\Local\Temp\_MEI46442\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI46442\base_library.zip

MD5 2d0755498d6e89f50ac623ae455bd3ac
SHA1 17d4ecd4c287cb560c078bdce0f3a918ca58f4e9
SHA256 024a2f6a0d2ff800db3777ec568f21a543d1a3de8ad6f78793035a85b40d536d
SHA512 7fed7cd062d2de0e23eb7fcd204295918e546e414cf1234340f73eb0e6a9c06eac55bafc28f7c6adea487d6b234d9e95bc49fd5e88cef23cf7eaf2ba1e00af76

C:\Users\Public\Documents\reFX\nexus\settings.json

MD5 34f97fb0198667f755e9a7a25af7588f
SHA1 88144505129f267f007130062767b317abe267af
SHA256 1197dd3512d7a26a7ebf1576c2e795a399fbaca2662fc8562f9ccdc0de9a4668
SHA512 73f3d159239dd7dad841c340745c3c9decb8485a38f719cca16aac678fca419435b97e9408cabb79775c69f93752ad8674457126e070e1dc41f8aa6c56a76e9e

memory/6052-616-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2156-617-0x0000000000400000-0x00000000004DC000-memory.dmp
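Added example, not part of the report: a small hunt helper that hashes a directory tree against the SHA256 values listed under Files and flags files sitting in the scratch directories the two packers leave behind (_MEI<digits> for PyInstaller onefile, is-XXXXX.tmp for Inno Setup). The weights attached to each hash are this example's own judgement, not the sandbox's: the stage-2 .tmp, the dropped update_nexus_library_location.exe and the submitted installer are specific to this sample, while _iscrypt.dll, the MSVC and Python runtime DLLs, base_library.zip and a settings file are shipped unchanged by many benign installers. The directory built by make_sample_tree() is constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values from this report (submitted sample and files written during
# detonation), each with a weight for how specific a match is to this sample.
REPORT_IOCS = {
    "068ed5b08f522874db963f10c2e0e137fb8a94b7b2b2bad4f9f1aa67286ed6d2": ("reFX Nexus v4.5.17 CE.exe", "strong"),
    "3d821c065bd06d7a537ad7bda123e49db5ee6aea8e98ea4cd786ec4be2704e49": ("reFX Nexus v4.5.17 CE.tmp", "strong"),
    "78e7192751e4edf5eb48df9b1c7c6724c17213e7a209e28375b24df339179f67": ("update_nexus_library_location.exe", "strong"),
    "2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc": ("_iscrypt.dll", "weak"),
    "de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65": ("ucrtbase.dll", "weak"),
    "5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5": ("python310.dll", "weak"),
    "9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1": ("VCRUNTIME140.dll", "weak"),
    "024a2f6a0d2ff800db3777ec568f21a543d1a3de8ad6f78793035a85b40d536d": ("base_library.zip", "weak"),
    "1197dd3512d7a26a7ebf1576c2e795a399fbaca2662fc8562f9ccdc0de9a4668": ("settings.json", "weak"),
}

# Scratch directories: PyInstaller onefile extracts to _MEI<digits>, the Inno
# Setup loader to is-<5 letters or digits>.tmp.
PYINSTALLER_TMPDIR = re.compile(r"[\\/]_MEI\d+[\\/]")
INNO_TMPDIR = re.compile(r"[\\/]is-[A-Z0-9]{5}\.tmp[\\/]", re.I)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=REPORT_IOCS):
    """Walk `root` and return one finding per file that matches a report hash
    or lives in a packer scratch directory. Hash matches carry their weight so
    a caller can alert on strong ones and merely log weak ones."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        digest = sha256_file(path)
        if digest in iocs:
            name, weight = iocs[digest]
            reasons.append(f"hash:{name}:{weight}")
        text = str(path)
        if PYINSTALLER_TMPDIR.search(text):
            reasons.append("pyinstaller_tmpdir")
        if INNO_TMPDIR.search(text):
            reasons.append("inno_tmpdir")
        if reasons:
            findings.append({"path": text, "sha256": digest, "reasons": reasons})
    return findings


def make_sample_tree():
    """Create a constructed directory layout (not from the sandbox run): one
    file inside a fake _MEI directory and one unrelated file. Returns the root
    and the SHA256 of the constructed payload so a caller can feed it back in."""
    root = Path(tempfile.mkdtemp(prefix="ioc-scan-"))
    (root / "_MEI12345").mkdir()
    payload = b"constructed sample payload, not the real dropped file\n"
    (root / "_MEI12345" / "payload.bin").write_bytes(payload)
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("nothing to see here\n")
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    root, digest = make_sample_tree()
    for hit in scan_tree(root, {**REPORT_IOCS, digest: ("constructed payload", "strong")}):
        print(hit)
```

Two caveats when using the Files list this way: the memory/... entries are sandbox memory dumps, not files a host will ever contain, so they do not belong in a hash list; and the runtime DLLs and base_library.zip are stock PyInstaller components for Python 3.10, so a match on them without the _MEI path or one of the strong hashes is not by itself a reason to alert.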