b0526edf3193587ad8572d7cfccbb337bbe39bba8146d0a09b7fe9543a229498

General

Target

reFX - Nexus v4.5.4/reFX Nexus v4.5.4 CE.exe
Size

14.8MB
MD5

916bb1e135a5303ec950d1d863cda8a1
SHA1

6a018e6ca8e64037959dbab39aad8cdf2fb0f964
SHA256

4f405b6012422e227aba366494a8bf12bc6460b4246b2176ea0e850f188220c8
SHA512

385e37b7b53decaf16c09ab0bbf11b05c58c72bf8f583e2c16a82dfd3af3020eb92892287e7204aae318d6e7a3d986f72681063791c313b30d943d68f87b550b
SSDEEP

393216:jbZLzYDaKbkXxW6nxX6NSr0n4DXKfu+YKr5sa:j1nWZ4xXiSo4D0uSdsa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3980	reFX Nexus v4.5.4 CE.tmp
1404	update_nexus_library_location.exe
2660	update_nexus_library_location.exe

Loads dropped DLL 3 IoCs

pid	Process
2660	update_nexus_library_location.exe
2660	update_nexus_library_location.exe
2660	update_nexus_library_location.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin	reFX Nexus v4.5.4 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\is-0TN4E.tmp	reFX Nexus v4.5.4 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\is-ERB03.tmp	reFX Nexus v4.5.4 CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Nexus.aaxplugin\Contents\x64\is-VKFQL.tmp	reFX Nexus v4.5.4 CE.tmp
File created	C:\Program Files\Common Files\VST3\is-13NGP.tmp	reFX Nexus v4.5.4 CE.tmp

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x001900000002ab46-424.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reFX Nexus v4.5.4 CE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reFX Nexus v4.5.4 CE.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	reFX Nexus v4.5.4 CE.tmp
3980	reFX Nexus v4.5.4 CE.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3980	reFX Nexus v4.5.4 CE.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3980	1320	reFX Nexus v4.5.4 CE.exe	79
PID 1320 wrote to memory of 3980	1320	reFX Nexus v4.5.4 CE.exe	79
PID 1320 wrote to memory of 3980	1320	reFX Nexus v4.5.4 CE.exe	79
PID 3980 wrote to memory of 1404	3980	reFX Nexus v4.5.4 CE.tmp	82
PID 3980 wrote to memory of 1404	3980	reFX Nexus v4.5.4 CE.tmp	82
PID 1404 wrote to memory of 2660	1404	update_nexus_library_location.exe	84
PID 1404 wrote to memory of 2660	1404	update_nexus_library_location.exe	84

C:\Users\Admin\AppData\Local\Temp\reFX - Nexus v4.5.4\reFX Nexus v4.5.4 CE.exe
"C:\Users\Admin\AppData\Local\Temp\reFX - Nexus v4.5.4\reFX Nexus v4.5.4 CE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\is-33DB4.tmp\reFX Nexus v4.5.4 CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-33DB4.tmp\reFX Nexus v4.5.4 CE.tmp" /SL5="$60274,14571176,791040,C:\Users\Admin\AppData\Local\Temp\reFX - Nexus v4.5.4\reFX Nexus v4.5.4 CE.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe
    "C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe
      "C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI14042\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14042\base_library.zip

Filesize
1.0MB

MD5
2d0755498d6e89f50ac623ae455bd3ac

SHA1
17d4ecd4c287cb560c078bdce0f3a918ca58f4e9

SHA256
024a2f6a0d2ff800db3777ec568f21a543d1a3de8ad6f78793035a85b40d536d

SHA512
7fed7cd062d2de0e23eb7fcd204295918e546e414cf1234340f73eb0e6a9c06eac55bafc28f7c6adea487d6b234d9e95bc49fd5e88cef23cf7eaf2ba1e00af76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14042\python310.dll

Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14042\ucrtbase.dll

Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-33DB4.tmp\reFX Nexus v4.5.4 CE.tmp

Filesize
3.0MB

MD5
dfad9a5455ab06d766d297cb9b0aec5a

SHA1
d28a41145cab1f3c48e76d1e5a0e856cfbc42ded

SHA256
e054198d6d446c069df80af7628fb0cfe5ed8cc3fca233c5921ea4b4199c5805

SHA512
aff5da772cede3014e59e370bc8a32f349bc37722a57a5235f9e1e59277a3d2dede83e145ddb11d18281095b61c396e8bd0989c2ee99485696451010b2b0ea22

Download Submit
C:\Users\Public\Documents\reFX\NEXUS library\update_nexus_library_location.exe

Filesize
6.5MB

MD5
9b636915e620b369dfb9f5995a010eb3

SHA1
5e80f0e8f3076d541b85ca8530c30d71dc94a7d5

SHA256
78e7192751e4edf5eb48df9b1c7c6724c17213e7a209e28375b24df339179f67

SHA512
c79e1767408fa650a6e0ba9ac0ea097aa13e6af8a27e418f11ecf6e3d88ba3a6538887adb0dcbccb8f057c079258c152c1b90203da526ef7a39193007e0bdfd7

Download Submit
C:\Users\Public\Documents\reFX\nexus\settings.json

Filesize
610B

MD5
8cec97f590dc65aef59aba5b38f608ec

SHA1
c223d0c434262810f7e7697a2b3a17108e86ebe9

SHA256
ef49b7b477f47cc6ce8cd5cf049de3fd2332598b21f4b2b35aaa7ec4696ae003

SHA512
a27dd2359bc862b9cfaffaed2d4ca9c9f46191731f46a642f8200d906fdbd0044068a138216d2869b6b08295ed9049853a4e6507fa5b70cb0c34b3773ad8d059

Download Submit
memory/1320-8-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1320-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1320-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1320-539-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3980-16-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/3980-14-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/3980-12-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/3980-10-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/3980-6-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download
memory/3980-538-0x0000000000400000-0x0000000000707000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing