d6b7d9152fb33488f4618cd609d61d53b30d9608d9fafbeabd98bc7f31dcc0e9

General

Target

Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe
Size

4.6MB
MD5

f57303ea0592088dc7efc67469008966
SHA1

8d922cc263730b21f44f85d12579e9241ff651e1
SHA256

d6b7d9152fb33488f4618cd609d61d53b30d9608d9fafbeabd98bc7f31dcc0e9
SHA512

a3c0caf864f8ddeb3206a5ea9e815bddb63996372a409c2ab8ecf5293b03bf3c99bb9e3be439c6f189f82b127ab46f20c38bd6ba226d5ae9a016145874f88e96
SSDEEP

98304:xkLQThyHj51/hngst7GFlO/tZmCfJPJDJk5NSsxWxc0Ry8C1c7P1ESGoHMpBVbhy:i6hyHf/xpGstZmCBPbMZxEfRPl9TzyXy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3472	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\Kickstart 2.aaxplugin	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\Kickstart2\unins000.dat	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Cableguys\Kickstart2\unins000.dat	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Vstplugins\Cableguys\is-36712.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Cableguys	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Cableguys\Kickstart2	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\Kickstart2\is-FS6QH.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\VST3\Cableguys\is-SO35H.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\Kickstart 2.aaxplugin\is-5GP8P.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\is-DITCL.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\is-OBVN8.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\Kickstart2\is-LVK8I.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\Kickstart2\is-LC737.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Vstplugins\Cableguys\Kickstart 2.dll	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Vstplugins\Cableguys	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Cableguys	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Vstplugins\Cableguys\is-15TLO.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Vstplugins\Cableguys\is-UQP6Q.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\is-O1GJN.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\Kickstart2\is-FDAF4.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\Kickstart 2.aaxplugin\Contents\x64\is-30F85.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\Kickstart 2.aaxplugin\is-K2PMD.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\VST3\Cableguys\is-5N2KF.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Common Files\VST3\Cableguys\is-13DFQ.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
File created	C:\Program Files\Cableguys\is-JC0IO.tmp	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
3472	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3472	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3472	3268	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe	85
PID 3268 wrote to memory of 3472	3268	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe	85
PID 3268 wrote to memory of 3472	3268	Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe	85

C:\Users\Admin\AppData\Local\Temp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe
"C:\Users\Admin\AppData\Local\Temp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\is-8V0E0.tmp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8V0E0.tmp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp" /SL5="$9004E,3740709,808448,C:\Users\Admin\AppData\Local\Temp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cableguys\Kickstart2\Plugin.ico

Filesize
31KB

MD5
d2db8c23f67f42e0784bcd393fed5aff

SHA1
464bc68cde14868b9e3ea779c5a30d6774fba368

SHA256
2336a52a3c35a472045a20d38fb9978c90b665dad77184f4fe59a3287a6be3cd

SHA512
c4aa9ae07e20f5d9c8edbd4850deacf81817e295ff2eddc2a4590f1e844c82278cbc3684dfe0c2d5746b218450f2f42b029b780fd4b47f34b4dc52ba075edda9

Download Submit
C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Cableguys\desktop.ini

Filesize
46B

MD5
92872f8ac2aed2db0b07e0bd2a2cc207

SHA1
6f7560add23274d6e0482754c186b59518269112

SHA256
524c4940611c5338397e0bbdd9f23c030da1e5387f772a38b1599b467be78732

SHA512
17b4a82fe65178e7701c61239d951155929a1b950c1ad35cd214286fa05032b10f1300bb01ef25910d4685e67dcd511da5f13de531e2210fc413ad77528969df

Download Submit
C:\Program Files\Common Files\VST3\Cableguys\Plugin.ico

Filesize
20KB

MD5
02684ed2859a72684fe37a4b9a2ed8c1

SHA1
9bc396ec9b8855a4179cb0ffa94a1560cd28ab15

SHA256
32e6e5fa0b708996560b229f8a20b56b4fcdd3a74982c660b834f61db327ce60

SHA512
041d45c5f4b65000a5d3581df6ec681fd3374f5602c1a7e3a686d603e87bcf4b054830ba3a28c15bd893efe9b9ed597b711d9a8384c7dd09cbf282bd4320fe62

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8V0E0.tmp\Cableguys.Nicky.Romero.Kickstart.2.v2.0.6-TeamCubeadooby.tmp

Filesize
3.0MB

MD5
2ac9f67bcf969baca37ad2485709d999

SHA1
9ad72faa583059023db7e50d5aa237b3c180ae9c

SHA256
d2e1308870a8f00775c43504a0d2d2e77deac507d9893489ebc0d15cef7f864e

SHA512
e3c3a824d41631f0b07212d325ac8875355db98434f0902bf9ca234d4988ef012f58e6508147c0b475317adbbe5a4a1b873beac3710878a4825477191e5906a0

Download Submit
memory/3268-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3268-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3268-8-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3268-75-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3472-6-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3472-16-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3472-14-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3472-12-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3472-74-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3472-10-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing