73f5eee95f0d5250f5d2f7a29702700537ebe6c08861d4ddfefc09d485f0f65e

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MAGIXVEGASProv21.0patch.exe
Size

4.6MB
MD5

4a027f5b895f161a0d0e26f8ec6f31a7
SHA1

2d8aa07828c92d4d9d85fc62ba82f0fe0bb5a789
SHA256

73f5eee95f0d5250f5d2f7a29702700537ebe6c08861d4ddfefc09d485f0f65e
SHA512

9b12840d6f2f9a277e7edded5830daf70713ea3f90ddf324bece98616d716400dc0247a47dc9d016fb02f9803fb0a2e2853f4a56e752b13a704132d4acfa23cb
SSDEEP

98304:0kLEAGg00ojGjm4EC/qQb4zldELsSqr7jkie3t:DEzg7AGUqqXHPjze3t

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2884	MAGIXVEGASProv21.0patch.tmp

Loads dropped DLL 2 IoCs

pid	Process
2708	MAGIXVEGASProv21.0patch.exe
2884	MAGIXVEGASProv21.0patch.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAGIXVEGASProv21.0patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAGIXVEGASProv21.0patch.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	MAGIXVEGASProv21.0patch.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30
PID 2708 wrote to memory of 2884	2708	MAGIXVEGASProv21.0patch.exe	30

C:\Users\Admin\AppData\Local\Temp\MAGIXVEGASProv21.0patch.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIXVEGASProv21.0patch.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\is-MII52.tmp\MAGIXVEGASProv21.0patch.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MII52.tmp\MAGIXVEGASProv21.0patch.tmp" /SL5="$30144,4018567,1141760,C:\Users\Admin\AppData\Local\Temp\MAGIXVEGASProv21.0patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-LCCJO.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-MII52.tmp\MAGIXVEGASProv21.0patch.tmp

Filesize
3.3MB

MD5
90f19922d1ac82552f5e95036ea90ccb

SHA1
94ef714ab9c01d20371142d34cef56b7886138cd

SHA256
fca2fada59c1a0d1cd30c2023933036af4d3247b1bc0449d439be2d53771fd94

SHA512
39ee8a7e9f534807c1ee06fa0f145ef23990cb278f45a0fc22f71f474c7394540ce4040fa59ced9a0336e2f4fe0bb7603067208d15bc9f9bef1ec45f1adc316e

Download Submit
memory/2708-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2708-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2708-13-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2884-8-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2884-15-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download