Resubmissions

13/11/2024, 08:47

241113-kp7t7syfmk 9

13/11/2024, 08:30

241113-kearqaydrq 9

Analysis

  • max time kernel
    13s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/11/2024, 08:30

Errors

Reason
Machine shutdown

General

  • Target

    MAGIX VEGAS Pro v22.0 patch.exe

  • Size

    4.8MB

  • MD5

    ff4bc7a206b856502dd647e94dec5c8f

  • SHA1

    4a3d0e4fb6fb2a7ac633a288a0d2ce8f14286cda

  • SHA256

    b3688db852d9a57834ef758cd54a9507fad2de1854a2faed23bda53411000383

  • SHA512

    f93170b9fe1b06e9c48a255bede5a1150e8125d09d6c5d1fe8438525b40b648f8bcb86a79d3453d6f45f4392cc946214088ac3aa24ee298ff36579f22da1c1cc

  • SSDEEP

    98304:8L1CNqRBQsRE+Mv2RJlmQJu6A3ty6gVLPysH:81H42RJs+ODzY

Malware Config

Signatures

  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 22 IoCs
  • Drops file in Program Files directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe
    "C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp" /SL5="$400F8,4046882,1178624,C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.cmd""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "Serial" "string" "P3-64979-27462-07906-32757-21318-38872"
          4⤵
          • Executes dropped EXE
          PID:3060
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
          4⤵
          • Executes dropped EXE
          PID:2788
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
          4⤵
          • Executes dropped EXE
          PID:2852
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
          4⤵
          • Executes dropped EXE
          PID:2732
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
          4⤵
          • Executes dropped EXE
          PID:2896
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-77020-98979-63411-51090-66867-08191"
          4⤵
          • Executes dropped EXE
          PID:2872
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
          4⤵
          • Executes dropped EXE
          PID:2892
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
          4⤵
          • Executes dropped EXE
          PID:2844
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
          4⤵
          • Executes dropped EXE
          PID:2604
        • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
          nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
          4⤵
          • Executes dropped EXE
          PID:2712
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2620
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1880

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.cmd

              Filesize

              1KB

              MD5

              14d3f2a3efbfe535fa0958da17d565fa

              SHA1

              958c79de8f3dc821d4c9c89e1f3b92bc7c48637a

              SHA256

              915357dfb71b907b64b18a198160e8962ffaaed4d5278d5ac4ee0208b6f089c0

              SHA512

              79ae0e1c73558546d7f61ae5ff0576ddb303e15f3a2be549a0bf32b54f0336bb20357203796341646a53b6c8a6449ccbd9c63174db16b5310ebdbe976aadae75

            • \Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp

              Filesize

              3.5MB

              MD5

              cd0e5319f235a458802e284c1d7fb7c7

              SHA1

              716d6347b01df04b96c32db414361ae828dec3d9

              SHA256

              7a8924b753dbbd168b822d7c483f0150697c6bb31d19cfd1fd872f1090254fcf

              SHA512

              5d3873d79783e7f123f618e41087c59b59ac4e5e932057bc649415d34b4465b29ba84d6390ca2cbea9de2a33f5b7f60300fd722e5ca78d0a9b8d83a804a68406

            • \Users\Admin\AppData\Local\Temp\is-844P7.tmp\_isetup\_iscrypt.dll

              Filesize

              2KB

              MD5

              a69559718ab506675e907fe49deb71e9

              SHA1

              bc8f404ffdb1960b50c12ff9413c893b56f2e36f

              SHA256

              2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

              SHA512

              e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

            • \Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe

              Filesize

              114KB

              MD5

              b417238213efb0d2a23562674406cdf9

              SHA1

              04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8

              SHA256

              5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333

              SHA512

              881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3

            • memory/2496-0-0x0000000000400000-0x0000000000531000-memory.dmp

              Filesize

              1.2MB

            • memory/2496-2-0x0000000000401000-0x00000000004C1000-memory.dmp

              Filesize

              768KB

            • memory/2496-54-0x0000000000400000-0x0000000000531000-memory.dmp

              Filesize

              1.2MB

            • memory/2496-60-0x0000000000400000-0x0000000000531000-memory.dmp

              Filesize

              1.2MB

            • memory/2508-12-0x0000000000400000-0x000000000078B000-memory.dmp

              Filesize

              3.5MB

            • memory/2508-55-0x0000000000400000-0x000000000078B000-memory.dmp

              Filesize

              3.5MB

            • memory/2508-58-0x0000000000400000-0x000000000078B000-memory.dmp

              Filesize

              3.5MB