Analysis
max time kernel: 13s
max time network: 14s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/11/2024, 08:30
Static task: static1
Behavioral task: behavioral1
  Sample: MAGIX VEGAS Pro v22.0 patch.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: MAGIX VEGAS Pro v22.0 patch.exe
  Resource: win10v2004-20241007-en
Errors
General
Target: MAGIX VEGAS Pro v22.0 patch.exe
Size: 4.8MB
MD5: ff4bc7a206b856502dd647e94dec5c8f
SHA1: 4a3d0e4fb6fb2a7ac633a288a0d2ce8f14286cda
SHA256: b3688db852d9a57834ef758cd54a9507fad2de1854a2faed23bda53411000383
SHA512: f93170b9fe1b06e9c48a255bede5a1150e8125d09d6c5d1fe8438525b40b648f8bcb86a79d3453d6f45f4392cc946214088ac3aa24ee298ff36579f22da1c1cc
SSDEEP: 98304:8L1CNqRBQsRE+Mv2RJlmQJu6A3ty6gVLPysH:81H42RJs+ODzY
Malware Config
Signatures
Detected Nirsoft tools (1 IoC)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral1/files/0x0009000000018678-23.dat | Nirsoft
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | MAGIX VEGAS Pro v22.0 patch.tmp
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable = "1" | MAGIX VEGAS Pro v22.0 patch.tmp
Executes dropped EXE (11 IoCs)
  pid | process
  2508 | MAGIX VEGAS Pro v22.0 patch.tmp
  3060 | nircmd.exe
  2788 | nircmd.exe
  2852 | nircmd.exe
  2732 | nircmd.exe
  2896 | nircmd.exe
  2872 | nircmd.exe
  2892 | nircmd.exe
  2844 | nircmd.exe
  2604 | nircmd.exe
  2712 | nircmd.exe
Loads dropped DLL (22 IoCs)
  pid | process
  2496 | MAGIX VEGAS Pro v22.0 patch.exe
  2508 | MAGIX VEGAS Pro v22.0 patch.tmp
  2668 | cmd.exe (20 entries)
Drops file in Program Files directory (5 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local | MAGIX VEGAS Pro v22.0 patch.tmp
  File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\is-VT7VH.tmp | MAGIX VEGAS Pro v22.0 patch.tmp
  File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\is-UECDC.tmp | MAGIX VEGAS Pro v22.0 patch.tmp
  File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\Protein_x64.4.2.dll | MAGIX VEGAS Pro v22.0 patch.tmp
  File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\wintrust.dll | MAGIX VEGAS Pro v22.0 patch.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MAGIX VEGAS Pro v22.0 patch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MAGIX VEGAS Pro v22.0 patch.tmp
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2508 | MAGIX VEGAS Pro v22.0 patch.tmp (2 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeShutdownPrivilege | 2496 | MAGIX VEGAS Pro v22.0 patch.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  2508 | MAGIX VEGAS Pro v22.0 patch.tmp
Suspicious use of WriteProcessMemory (41 IoCs)
  description | process | procid_target | entries
  PID 2496 wrote to memory of 2508 | MAGIX VEGAS Pro v22.0 patch.exe | 30 | 7
  PID 2508 wrote to memory of 2668 | MAGIX VEGAS Pro v22.0 patch.tmp | 31 | 4
  PID 2668 wrote to memory of 3060 | cmd.exe | 33 | 3
  PID 2668 wrote to memory of 2788 | cmd.exe | 34 | 3
  PID 2668 wrote to memory of 2852 | cmd.exe | 35 | 3
  PID 2668 wrote to memory of 2732 | cmd.exe | 36 | 3
  PID 2668 wrote to memory of 2896 | cmd.exe | 37 | 3
  PID 2668 wrote to memory of 2872 | cmd.exe | 38 | 3
  PID 2668 wrote to memory of 2892 | cmd.exe | 39 | 3
  PID 2668 wrote to memory of 2844 | cmd.exe | 40 | 3
  PID 2668 wrote to memory of 2604 | cmd.exe | 41 | 3
  PID 2668 wrote to memory of 2712 | cmd.exe | 42 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2496
  C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp" /SL5="$400F8,4046882,1178624,C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2508
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.cmd""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2668
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "Serial" "string" "P3-64979-27462-07906-32757-21318-38872"
        - Executes dropped EXE
        PID: 3060
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
        - Executes dropped EXE
        PID: 2788
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
        - Executes dropped EXE
        PID: 2852
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
        - Executes dropped EXE
        PID: 2732
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
        - Executes dropped EXE
        PID: 2896
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-77020-98979-63411-51090-66867-08191"
        - Executes dropped EXE
        PID: 2872
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
        - Executes dropped EXE
        PID: 2892
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
        - Executes dropped EXE
        PID: 2844
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
        - Executes dropped EXE
        PID: 2604
      C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
        Command line: nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
        - Executes dropped EXE
        PID: 2712
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2620
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 1880
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 14d3f2a3efbfe535fa0958da17d565fa
SHA1: 958c79de8f3dc821d4c9c89e1f3b92bc7c48637a
SHA256: 915357dfb71b907b64b18a198160e8962ffaaed4d5278d5ac4ee0208b6f089c0
SHA512: 79ae0e1c73558546d7f61ae5ff0576ddb303e15f3a2be549a0bf32b54f0336bb20357203796341646a53b6c8a6449ccbd9c63174db16b5310ebdbe976aadae75

Filesize: 3.5MB
MD5: cd0e5319f235a458802e284c1d7fb7c7
SHA1: 716d6347b01df04b96c32db414361ae828dec3d9
SHA256: 7a8924b753dbbd168b822d7c483f0150697c6bb31d19cfd1fd872f1090254fcf
SHA512: 5d3873d79783e7f123f618e41087c59b59ac4e5e932057bc649415d34b4465b29ba84d6390ca2cbea9de2a33f5b7f60300fd722e5ca78d0a9b8d83a804a68406

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 114KB
MD5: b417238213efb0d2a23562674406cdf9
SHA1: 04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8
SHA256: 5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333
SHA512: 881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3