238bb5eac0449a8a05b28ce605cd638f1e70ff843b99c2453e36b451d6ffb218

Analysis

max time kernel
107s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Diva-146-Winstaller.exe
Size

33.0MB
MD5

908bd2a2b3f9db23de9e89c80bf90cea
SHA1

401287aa321e8b8ac0510aecf0edf09287ae0f5d
SHA256

238bb5eac0449a8a05b28ce605cd638f1e70ff843b99c2453e36b451d6ffb218
SHA512

c15f917ef97e04af7007b4c0fe1a6fbfaa7d5fe6003496b7ab00cd90349fcf68567a8f131936972e144e7617a9ccadeb5dfab8bb2241b2403c0ea70e87e02227
SSDEEP

786432:Sv1ejxhKdRKMWytYl9KA0JdZJf6mjZWgdb:1XElNte9KA0TZZ6MZWgdb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3528	Diva-146-Winstaller.tmp

Loads dropped DLL 3 IoCs

pid	Process
3528	Diva-146-Winstaller.tmp
3528	Diva-146-Winstaller.tmp
3528	Diva-146-Winstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\VST3\Diva.data.lnk	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\CLAP\u-he\is-0GCDP.tmp	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\is-BAM2N.tmp	Diva-146-Winstaller.tmp
File opened for modification	C:\Program Files\Common Files\Diva(x64).dll	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Diva.aaxplugin\Contents\x64\Diva.data.lnk	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\Diva.data.lnk	Diva-146-Winstaller.tmp
File created	C:\Program Files (x86)\Common Files\VST3\is-MQ3K2.tmp	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\VST3\is-DGGD0.tmp	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Diva.aaxplugin\Contents\x64\is-0P5KV.tmp	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\Native Instruments\Service Center\is-AVPR2.tmp	Diva-146-Winstaller.tmp
File created	C:\Program Files (x86)\Common Files\VST3\Diva.data.lnk	Diva-146-Winstaller.tmp
File created	C:\Program Files\Common Files\CLAP\u-he\Diva.data.lnk	Diva-146-Winstaller.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diva-146-Winstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diva-146-Winstaller.tmp

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-soundset	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhm	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-soundset\DefaultIcon	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h2p	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhm\DefaultIcon	Diva-146-Winstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhm\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\u-he\\Common\\Icons\\uhm.ico"	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-fav\DefaultIcon	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-fav	Diva-146-Winstaller.tmp
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Diva-146-Winstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-soundset\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\u-he\\Common\\Icons\\soundset.ico"	Diva-146-Winstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h2p\DefaultIcon	Diva-146-Winstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uhe-fav\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\u-he\\Common\\Icons\\fav.ico"	Diva-146-Winstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h2p\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\u-he\\Common\\Icons\\h2p.ico"	Diva-146-Winstaller.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3528	Diva-146-Winstaller.tmp
3528	Diva-146-Winstaller.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3528	Diva-146-Winstaller.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3528	Diva-146-Winstaller.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3528	3088	Diva-146-Winstaller.exe	87
PID 3088 wrote to memory of 3528	3088	Diva-146-Winstaller.exe	87
PID 3088 wrote to memory of 3528	3088	Diva-146-Winstaller.exe	87

C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\is-MBFAN.tmp\Diva-146-Winstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MBFAN.tmp\Diva-146-Winstaller.tmp" /SL5="$7027A,33516112,899072,C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\VST3\Diva.data.lnk

Filesize
784B

MD5
a1659743da5f117c1492940713b2701a

SHA1
8a5785e38265ea91386cc81c78042f4a047c4193

SHA256
6ea2c65223e219339674bc805bf3938ee38fc8c9c3ad60b2859bb28e4d3e83a3

SHA512
1183fd2f3dee3252970fb1575128579c07543286ad587ec5a7af9aaa1df3c8d8c59c265a5014c2b40d2330a06658a6cc779996ce87006e7cffe2fa74041c6d62

Download Submit
C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Diva.aaxplugin\Contents\x64\Diva.data.lnk

Filesize
814B

MD5
96adcd2ccec92667aa6590220879e0bf

SHA1
3ba7a8693f59f566fb2f200f44cf251a6400f2a6

SHA256
03c22cea7428ca6ab080155ca5102fb22e1d5329559005ba676bd7cdbc4d84d9

SHA512
1161afb7a14104e20240f5eccf7507a5e24535fad38b0ccc5c00e019b74473cee57988f681f8cbdcdb6c0ea8e4431151876ec4709cdeb085df5b12c01ae11f17

Download Submit
C:\Program Files\Common Files\CLAP\u-he\Diva.data.lnk

Filesize
790B

MD5
466f756564cd7b5afaea4e2f6ec15001

SHA1
4407afc51845c36c81121f2d1e920c5066d8ff74

SHA256
f43479cd5c31ef8dc597a1c0a2490929ffe1e39d8bac075cc1ec66a4ca6da2dd

SHA512
6a06a3b6052c303bd53b4dbc067ac2dae0e4da9c96df95aadb7aa0d91e37f92c0603f0ce4b4f17f8942ea7173bbe1f1e1d4adf9f02dff3d7ece300f378ccb3d3

Download Submit
C:\Program Files\Common Files\Diva(x64).dll

Filesize
14.3MB

MD5
5224c9441a93bd8bde0ebdd76ab85850

SHA1
0723cc7d6c4b020d79f67c7b699edd921a737821

SHA256
6747034d9daaef3845506e78f209c5386e4c635a614b709aa014f0110e5affe9

SHA512
0a8c62c5a760d2ae6593bb2710422302211233e0cf861d0841a62e54029e95b55ea16758a420ca48faacdd2c36c3d34a7f0b16e5e3e244898ebaa005ba1f7e6c

Download Submit
C:\Program Files\Common Files\Diva.data.lnk

Filesize
778B

MD5
e958964db653a1d0b1b40450d8e8d932

SHA1
d166b26525874b6d8aa7c932b7bea04efbb20bb5

SHA256
c259b699aab2f8abfaed02053638b497a87a6dc9fb40ef1f58e30528bae33391

SHA512
61fd875e1156f93a3b9d1df1aea6aa3d416c1010d7e660524c3c55480e0a33ad9d89fcfd1476e5e046da404c68daff72bd7b63c5524048b0c72378565ca88907

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EEIU1.tmp\Diva.dll

Filesize
12.4MB

MD5
238014c960d0f7f361f6d7bdc7172089

SHA1
db7bf0d2f183c05788dfa997c86ec313fd53cca6

SHA256
c35917aae56899f570aa9495b596df85a39b477839bcee4e8794a5e4052457bf

SHA512
a55c407b3ca644a458177df074729add6022457521acc4320e0b078244864f483d82d1b76721db8534b94eebfcab27252ac23119535d086f23a83bc6bfcf04ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EEIU1.tmp\SetupUtils.dll

Filesize
81KB

MD5
48557473e909c3bd449175c7e23f54e9

SHA1
49e395bc501943a742aed2698dd1883729e6065c

SHA256
87497c9871aa474fcd9faee86f806d7294764d084c110da00e087b5bf38ce438

SHA512
ec3c99f0fa0cd81aaa3cf8450742c26e31c40f3a22c7d5ba64f097ad469255bef6b31ae6e7207c8876c726fe3757902ca8d7094c9b19c432eb269ebc5397904a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MBFAN.tmp\Diva-146-Winstaller.tmp

Filesize
3.1MB

MD5
94886ca6658b3a1acf424f622f40aaca

SHA1
3b04ffb6f21391cd09c171a46df1449ed5aa2fdc

SHA256
6d2c509c0364b5f92829e4610a5f8f5f8a1ee1e4fffaa93ae41a370839adaddd

SHA512
a2b9fcbd63ec2047ccb34248c3bc7e9a71efd711d1dc5f3bfc745c82194e86fc74def015904525245dd435567811b8294fbda25be5dd493d99a008b03cce3e42

Download Submit
C:\Users\Admin\Documents\vst\Diva.data.lnk

Filesize
728B

MD5
c6ff6d4358e1f4cc721b5b710337011b

SHA1
a0935c433410c002e9865710024312767d9c3d6c

SHA256
92fd90a0dd0b5da08aee68db9b9083fb20e517e78364a571c104020341e73726

SHA512
a80b61fc4064f98fcf597fa0c29a39a5868e47f972971f6fb508754f9f9c51b945c9c8678e50b7addd25a772b7eae8da8130d0ccdccf03e18cb0f2f17fb66ee6

Download Submit
memory/3088-8274-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3088-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3088-18-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3088-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3528-25-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-35-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-41-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-67-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-28-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-6564-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-22-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-23-0x0000000003740000-0x000000000375E000-memory.dmp

Filesize
120KB

Download
memory/3528-19-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-20-0x0000000003740000-0x000000000375E000-memory.dmp

Filesize
120KB

Download
memory/3528-16-0x0000000003740000-0x000000000375E000-memory.dmp

Filesize
120KB

Download
memory/3528-8273-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3528-6-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download