fb83741f29e99b8af74f9e182c3f1eaebeb2f401a5c6886f1c045d406e282c23

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Antares Auto-Tune bundle V9 CE.exe
Size

110.0MB
MD5

cda53632778d1ced63a7c0809b71cb86
SHA1

f7d30963a0d45f35cc015f5c5e5ed58276b0e628
SHA256

fb83741f29e99b8af74f9e182c3f1eaebeb2f401a5c6886f1c045d406e282c23
SHA512

8b6cd507fc76d75aa2d96d5546ef1d12f0c25c015bd195cee914d5501ec277b41801f1adb171ba67b164a3e7e68fd3d232ea9f7903cf11443f9a83db0be18b2e
SSDEEP

3145728:8aDfXHRtVR2oE76WDIJZZPlPZrbsAjHMZN1cy:86vHRtVRu7JsnN5ZfsAjsn1H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	Antares Auto-Tune bundle V9 CE.tmp

Loads dropped DLL 2 IoCs

pid	Process
2392	Antares Auto-Tune bundle V9 CE.exe
2076	Antares Auto-Tune bundle V9 CE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune EFX.aaxplugin\is-1J2HM.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Artist.aaxplugin\is-9FGAB.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\Antares\is-3RQQ7.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune Access\is-V9HGG.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune Pro\is-5L2PQ.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-OFMEL.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune EFX.aaxplugin\Contents\x64\is-75LEP.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-DQ82F.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\Antares\is-ARTTO.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Key.aaxplugin	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\Antares\is-E6IES.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Antares\PlugIn.ico	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Access.aaxplugin\Contents\x64\is-Q97VT.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-6A8C0.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\is-I77GO.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\PlugIn.ico	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-40R5P.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Key.aaxplugin\is-URV2R.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune EFX.aaxplugin\is-89E9T.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\Antares\is-79NDO.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Access.aaxplugin\is-KECGS.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\is-93P34.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Key.aaxplugin\is-3949J.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Artist.aaxplugin	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Artist.aaxplugin\is-TPAMU.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Artist.aaxplugin\Contents\Resources\is-6MFAA.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Key.aaxplugin\Contents\x64\is-DHLA5.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune_AAX.aaxplugin\Contents\x64\is-KFS1S.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-PSJL1.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Antares Audio Technologies\Antares Central.exe	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune EFX.aaxplugin	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune Artist\is-R1VVK.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune Pro\is-HJJ7O.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares\Auto-Tune Access.dll	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Antares\desktop.ini	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune EFX\is-AQM8K.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Antares	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune_AAX.aaxplugin	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Access.aaxplugin\is-TMPPE.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares\PlugIn.ico	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Artist.aaxplugin\Contents\x64\is-JO7A1.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Antares Audio Technologies\Auto-Tune Pro\is-ETFUN.tmp	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\Antares\Auto-Tune EFX.dll	Antares Auto-Tune bundle V9 CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune Access.aaxplugin	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\is-3NII0.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-AEMT4.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune_AAX.aaxplugin\is-44HRM.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Antares\Auto-Tune_AAX.aaxplugin\is-TP38U.tmp	Antares Auto-Tune bundle V9 CE.tmp
File created	C:\Program Files\Common Files\VST3\Antares\is-K33GI.tmp	Antares Auto-Tune bundle V9 CE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antares Auto-Tune bundle V9 CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antares Auto-Tune bundle V9 CE.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2076	Antares Auto-Tune bundle V9 CE.tmp
2076	Antares Auto-Tune bundle V9 CE.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2076	Antares Auto-Tune bundle V9 CE.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2076	Antares Auto-Tune bundle V9 CE.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30
PID 2392 wrote to memory of 2076	2392	Antares Auto-Tune bundle V9 CE.exe	30

C:\Users\Admin\AppData\Local\Temp\Antares Auto-Tune bundle V9 CE.exe
"C:\Users\Admin\AppData\Local\Temp\Antares Auto-Tune bundle V9 CE.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\is-4MG8E.tmp\Antares Auto-Tune bundle V9 CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4MG8E.tmp\Antares Auto-Tune bundle V9 CE.tmp" /SL5="$400F4,114584709,763392,C:\Users\Admin\AppData\Local\Temp\Antares Auto-Tune bundle V9 CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Steinberg\VSTPlugins\Antares\is-79NDO.tmp

Filesize
126B

MD5
798095cd31340606c8e81d0a5107d57e

SHA1
39d058c4d45ef84b188f7ece620106124eb3d74e

SHA256
5526ef6345adee7c693e58354dd72b095df152be62ff7298b4c6f6d0f91e2f83

SHA512
9ca995c89d3f23cd2a977fb2826da1f75dc4caa4fe965f9aac3a6d486f6558429a44eaeea35217f85d94ba6d7c2c54ab520c9a1786133b2edd103e36159e53a1

Download Submit
C:\Program Files\Steinberg\VSTPlugins\Antares\is-E6IES.tmp

Filesize
45KB

MD5
6e03b680fbee54e69e52a15245989862

SHA1
0136100d693fa2cf4eba38ac0314951b7be22c9b

SHA256
00999004190475604537034d99d9a2cc84355579e4b199045dc6c8c3479e3600

SHA512
1a2e8770e676bfe9c84f81185584fdf347271897637f18ccbcb1f1dfb7f4afac4cf65ab0d19d7f34044b5f5b304d7b54c9c85c8049fee0a4a3e4cabe3ae7c578

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MG8E.tmp\Antares Auto-Tune bundle V9 CE.tmp

Filesize
2.5MB

MD5
ebbb655a85d61e4adad34d9ade0ea184

SHA1
41d3a5ab6de2cd4c45bd9545906c53ba9eaf345d

SHA256
4cfcbcffe82bc6943890fa818ded2708f46c4f85ec368de00836ac708acdb080

SHA512
a84a4104356c23fa5a618368fa4ba2793435832f3eefb6b243d1513d7ac586002449f127abc6bbb3cf199a930bdd718c6d1ec273738e1d9796d423ddb312eb50

Download Submit
\ProgramData\Antares\unins000.exe

Filesize
2.5MB

MD5
f9f5ebf1286b47f1a57486bea7506ede

SHA1
776b3b46334e0ea2db686a24524526e131f74869

SHA256
0ec27dff2bd94ac109857f4995e51b1ca6054debf988ae60536f950abaab2884

SHA512
7ca8d4d9b60f4523e4ff24eab49c4e87c9e0e3462cb822c25c473af8a83076fba95d33615546bd7d6344b873b8197bec25ddb4d273f1cda451844ab9f176bc1f

Download Submit
memory/2076-9-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/2076-11-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/2076-72-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/2076-325-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/2392-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2392-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2392-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download