44ccbfa290da0ee7b940747f925789f66152b0bee5eec3380766d09d9b518f0d

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keyscape_Patch_Library_Update_1_6_0c.7z
Size

115.5MB
MD5

a081c39479edc4ff4de4095e99cbbc30
SHA1

547feb409db1aec87e169136508d216ef7714946
SHA256

44ccbfa290da0ee7b940747f925789f66152b0bee5eec3380766d09d9b518f0d
SHA512

8425d240bdb07a441424037c2f6e2995fb282a8a375950e33487a5904525910b3f2cd6f69856246d84efbe4d5989791b1326121b5668567bcaec5e4f89415a70
SSDEEP

3145728:73it/h2wvRCxIsv8Nro6y7txE6FDdlZ1ax:7ive0PUE0ax

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1204	Spectrasonics - Keyscape v1.5.0c -MORiA.exe
1248	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
3828	Keyscape Data Updater.exe
2188	Keyscape Data Updater.tmp
1184	Keyscape Data Updater.exe
2364	Keyscape Data Updater.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Keyscape Data Updater.tmp
File opened (read-only)	\??\K:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Y:	Keyscape Data Updater.tmp
File opened (read-only)	\??\H:	Keyscape Data Updater.tmp
File opened (read-only)	\??\O:	Keyscape Data Updater.tmp
File opened (read-only)	\??\H:	Keyscape Data Updater.tmp
File opened (read-only)	\??\N:	Keyscape Data Updater.tmp
File opened (read-only)	\??\U:	Keyscape Data Updater.tmp
File opened (read-only)	\??\W:	Keyscape Data Updater.tmp
File opened (read-only)	\??\G:	Keyscape Data Updater.tmp
File opened (read-only)	\??\A:	Keyscape Data Updater.tmp
File opened (read-only)	\??\P:	Keyscape Data Updater.tmp
File opened (read-only)	\??\P:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Q:	Keyscape Data Updater.tmp
File opened (read-only)	\??\S:	Keyscape Data Updater.tmp
File opened (read-only)	\??\T:	Keyscape Data Updater.tmp
File opened (read-only)	\??\M:	Keyscape Data Updater.tmp
File opened (read-only)	\??\B:	Keyscape Data Updater.tmp
File opened (read-only)	\??\L:	Keyscape Data Updater.tmp
File opened (read-only)	\??\M:	Keyscape Data Updater.tmp
File opened (read-only)	\??\O:	Keyscape Data Updater.tmp
File opened (read-only)	\??\R:	Keyscape Data Updater.tmp
File opened (read-only)	\??\U:	Keyscape Data Updater.tmp
File opened (read-only)	\??\W:	Keyscape Data Updater.tmp
File opened (read-only)	\??\X:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Z:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Q:	Keyscape Data Updater.tmp
File opened (read-only)	\??\X:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Z:	Keyscape Data Updater.tmp
File opened (read-only)	\??\R:	Keyscape Data Updater.tmp
File opened (read-only)	\??\G:	Keyscape Data Updater.tmp
File opened (read-only)	\??\B:	Keyscape Data Updater.tmp
File opened (read-only)	\??\J:	Keyscape Data Updater.tmp
File opened (read-only)	\??\K:	Keyscape Data Updater.tmp
File opened (read-only)	\??\L:	Keyscape Data Updater.tmp
File opened (read-only)	\??\E:	Keyscape Data Updater.tmp
File opened (read-only)	\??\V:	Keyscape Data Updater.tmp
File opened (read-only)	\??\S:	Keyscape Data Updater.tmp
File opened (read-only)	\??\T:	Keyscape Data Updater.tmp
File opened (read-only)	\??\V:	Keyscape Data Updater.tmp
File opened (read-only)	\??\Y:	Keyscape Data Updater.tmp
File opened (read-only)	\??\I:	Keyscape Data Updater.tmp
File opened (read-only)	\??\A:	Keyscape Data Updater.tmp
File opened (read-only)	\??\E:	Keyscape Data Updater.tmp
File opened (read-only)	\??\I:	Keyscape Data Updater.tmp
File opened (read-only)	\??\N:	Keyscape Data Updater.tmp

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Keyscape.dll	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\is-4OF7U.tmp	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
File created	C:\Program Files\Common Files\VST3\is-GJU8B.tmp	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Keyscape.aaxplugin\is-ESDLK.tmp	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Keyscape.aaxplugin\is-OLOGC.tmp	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Keyscape.aaxplugin\Contents\x64\is-VVBFA.tmp	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Keyscape Data Updater.tmp
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Keyscape Data Updater.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1248	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
1248	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2160	7zFM.exe
2188	Keyscape Data Updater.tmp
2364	Keyscape Data Updater.tmp

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2160	7zFM.exe
Token: 35	2160	7zFM.exe
Token: SeSecurityPrivilege	2160	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2160	7zFM.exe
2160	7zFM.exe
1248	Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
2364	Keyscape Data Updater.tmp
2364	Keyscape Data Updater.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2688	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1248	1204	Spectrasonics - Keyscape v1.5.0c -MORiA.exe	99
PID 1204 wrote to memory of 1248	1204	Spectrasonics - Keyscape v1.5.0c -MORiA.exe	99
PID 1204 wrote to memory of 1248	1204	Spectrasonics - Keyscape v1.5.0c -MORiA.exe	99
PID 3828 wrote to memory of 2188	3828	Keyscape Data Updater.exe	104
PID 3828 wrote to memory of 2188	3828	Keyscape Data Updater.exe	104
PID 3828 wrote to memory of 2188	3828	Keyscape Data Updater.exe	104
PID 1184 wrote to memory of 2364	1184	Keyscape Data Updater.exe	107
PID 1184 wrote to memory of 2364	1184	Keyscape Data Updater.exe	107
PID 1184 wrote to memory of 2364	1184	Keyscape Data Updater.exe	107

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Keyscape_Patch_Library_Update_1_6_0c.7z
1⤵
- Modifies registry class
PID:1456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2696

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Keyscape_Patch_Library_Update_1_6_0c.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2160

C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Spectrasonics - Keyscape v1.5.0c -MORiA.exe
"C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Spectrasonics - Keyscape v1.5.0c -MORiA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\is-FPJOS.tmp\Spectrasonics - Keyscape v1.5.0c -MORiA.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FPJOS.tmp\Spectrasonics - Keyscape v1.5.0c -MORiA.tmp" /SL5="$2024A,16753967,1187328,C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Spectrasonics - Keyscape v1.5.0c -MORiA.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1248

C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe
"C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\is-748RT.tmp\Keyscape Data Updater.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-748RT.tmp\Keyscape Data Updater.tmp" /SL5="$A01F4,57856,57856,C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2188

C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe
"C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\is-1TSQQ.tmp\Keyscape Data Updater.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1TSQQ.tmp\Keyscape Data Updater.tmp" /SL5="$7021C,57856,57856,C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Spectrasonics\Keyscape.exe

Filesize
4.6MB

MD5
aa806a4551f668e6b07f6698faea0c73

SHA1
feab23804a39666e3f15910b8828bbe032044404

SHA256
19feb9bd6d8430a7a6a3e710879ae5ae58d81875151b883c0cce6f12aa671f2e

SHA512
a3fadb75538cae874851f451ffd38d3c936d02b35beb98af28161b4b00a19a25691d277b25737735b5557c32a0e0522753cf25aa42e971506e773c6b24d7c0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE078E88C7\Keyscape_Patch_Library_Update_1_6_0c\Data\Lite\STEAM\Keyscape\Defaults\Factory\default multi.mlt_key

Filesize
152KB

MD5
3924b50a894d15e508b6389caee45c06

SHA1
7d4a0e852ef5300f46637c83af21fb193d95212d

SHA256
7dfd62c24ed6612343a62c094cf9173dced77a831b43901e1002bfaacee0f8a0

SHA512
0e862fefc99014cf9ddcbd4c1bc04ad0faeaad53f4aee8b555064b9401254fde32285aca67d49af75e28ae8188bef58d8139bdca05915ee5de2d1e300130ead0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-748RT.tmp\Keyscape Data Updater.tmp

Filesize
707KB

MD5
2ab84137ba148b292a6a512a9d8f88f5

SHA1
327785b814c047feff518c2f337f8cc6218283a4

SHA256
f58d6e78753cbd29a5d087aac2ff2f91217567d122e60477c778244227c50911

SHA512
b0dca8f5f9755c761cd4d5508e21866fb1c9bf1b909a4a6cb8754d0700042012ed29234154a8e757ec505bff33bb265c1a5123bd285cba731772ab95db633de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPJOS.tmp\Spectrasonics - Keyscape v1.5.0c -MORiA.tmp

Filesize
3.4MB

MD5
68c9f08c2029666317669ec67d3a6ea6

SHA1
f00d16dc4886c83bf9e244b32780ba488fd21714

SHA256
7abed03a5bfd9ebb03a1efa1ef23ed9956a98b8453e699a349abc68c893f7e99

SHA512
35fd278f9863c7650818547acd02b49ebfa13bcfb931f274b746fb638922d14b79a4f390d93627d7a321102daa37431682b69c5f5177f3640b9a6ed956fcea09

Download Submit
C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\.InstallationAttributes.dat

Filesize
433B

MD5
cce52e6ad54ade4baca104c02562e8a5

SHA1
302ec23849ce90c08db2448ccfeb249bf02640b8

SHA256
dbbbffb1022e2bd33585ed10d4175eafc92d1e6f36b95b63a4539bf5aaa0022a

SHA512
baa9224853d77c06751ceb51acebb3cb74a1fc1188270523aad9f878f28e57cec407c34897461f4c1fd90ae1b695fd9f678969354b18b5094157afc5d401227f

Download Submit
C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Spectrasonics - Keyscape v1.5.0c -MORiA.exe

Filesize
17.2MB

MD5
00d47637e1b24cf64a6f2659637aa2ae

SHA1
76da58e7fe1c4eb7ed8e94c4fe5b9188b28889f1

SHA256
a8962e90f77681782aa1fc5049d294d3700997aec2590af93b2e98d0bfeca0a0

SHA512
2177a85f7c418290b367b60f0cb9efbae1af9611a6e6fdb4018ec4b34e9312e23515415888d29d279f43db693255b28a4fd2a0d0f7d016fbce48e2758c165cf1

Download Submit
C:\Users\Admin\Desktop\Keyscape_Patch_Library_Update_1_6_0c\Windows\Keyscape Data Updater.exe

Filesize
369KB

MD5
577d37ac619f06898e7e617f64969e64

SHA1
d88405f90cb92becde70725dfc7bdc875750b9d0

SHA256
6f139c4520456940f954cf09675fcd32a23e54547e2824c24192974a6714ac2a

SHA512
5b825e6ec7c0f6daaa3a2cc411f249274eb7f3239f5215e82be33e09ed1d73a2330c299bdaac93ec3c93ef97f8cb872c5f71202cf0f5134d4903b375e4e73332

Download Submit
memory/1184-112-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1184-118-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1204-52-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1204-92-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1248-91-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/2188-104-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2188-106-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2188-109-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2364-119-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2364-121-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2364-123-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2364-125-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3828-110-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3828-103-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3828-95-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download