b621031c6029ac7ec082dc7cffcae364515f10cbae2dc6da6661b3695708dc12

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ValhallaDSPbundle2024.3CE.exe
Size

11.9MB
MD5

7188ec6ca7be6f4c803f1ba22392902e
SHA1

83bd03410ae89f313e51a70d9b6e877a4e519820
SHA256

b621031c6029ac7ec082dc7cffcae364515f10cbae2dc6da6661b3695708dc12
SHA512

0c012876c9fe1312a06f23644834094d7a41e85d95e3a60f729119044c5b08bafa8aac92df7184ecca08e59ff5f0ea34bd40870c11b3d969aa844f0753fca37d
SSDEEP

196608:mk2OY0+pmLp3NM29YhD2JDJHswPG/Dy88QO3GiOTbC7uEqPgtbHhkebR7pmMHbqV:rY0+p43NJ9YA9JHTAVgOT+7uvgtbqeZ8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1268	ValhallaDSPbundle2024.3CE.tmp

Loads dropped DLL 2 IoCs

pid	Process
2044	ValhallaDSPbundle2024.3CE.exe
1268	ValhallaDSPbundle2024.3CE.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\VST3\ValhallaDSP\desktop.ini	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\desktop.ini	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\desktop.ini	ValhallaDSPbundle2024.3CE.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-9PU88.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-IHR4F.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaFreqEcho.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaRoom.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\PlugIn.ico	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-VIQ6C.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaVintageVerb.aaxplugin\is-HQ7N3.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaShimmer.aaxplugin\is-HSV12.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSupermassive.aaxplugin\is-MI054.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaShimmer_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaSpaceModulator_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSupermassive.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\PlugIn.ico	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-1CP81.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaRoom.aaxplugin\is-57M6M.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSpaceModulator.aaxplugin\Contents\x64\is-KBUE7.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaVintageVerb.aaxplugin\Contents\x64\is-4JBVK.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaRoom.aaxplugin\is-GJJ87.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaPlate.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaVintageVerb.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaDelay.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-JF48N.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaFreqEcho_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaVintageVerb_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\is-EUM2B.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-7GEV8.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-690VI.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-CDLRI.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaPlate.aaxplugin\is-KMLRL.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSpaceModulator.aaxplugin\is-47EIU.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSupermassive.aaxplugin\is-E6C8Q.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaSupermassive_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSpaceModulator.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-I68KG.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-OLJPC.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-T4HUH.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaDelay.aaxplugin\Contents\x64\is-6G67J.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaDelay.aaxplugin\is-CSPKB.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaPlate.aaxplugin\is-OGF8N.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaVintageVerb.aaxplugin\is-7BTLS.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\desktop.ini	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-1BDDF.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaFreqEcho.aaxplugin\Contents\x64\is-UHRBL.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaFreqEcho.aaxplugin\is-BB9K3.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaDelay_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\desktop.ini	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaDelay.aaxplugin\is-BDV9R.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\ValhallaDSP	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\is-NKGVF.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-ODA8F.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaRoom.aaxplugin\Contents\x64\is-DQBT0.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaUberMod.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaShimmer.aaxplugin\Contents\x64\is-O01VG.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaSpaceModulator.aaxplugin\is-BFP5H.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\ValhallaPlate_x64.dll	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-1PVLG.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaShimmer.aaxplugin\is-T2FO6.tmp	ValhallaDSPbundle2024.3CE.tmp
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaShimmer.aaxplugin	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-63UEQ.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\VST3\ValhallaDSP\is-JTP9I.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaPlate.aaxplugin\Contents\x64\is-DRHV5.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaFreqEcho.aaxplugin\is-8H3IR.tmp	ValhallaDSPbundle2024.3CE.tmp
File created	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\ValhallaDSP\ValhallaUberMod.aaxplugin\is-730HC.tmp	ValhallaDSPbundle2024.3CE.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ValhallaDSPbundle2024.3CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ValhallaDSPbundle2024.3CE.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1268	ValhallaDSPbundle2024.3CE.tmp
1268	ValhallaDSPbundle2024.3CE.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	ValhallaDSPbundle2024.3CE.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30
PID 2044 wrote to memory of 1268	2044	ValhallaDSPbundle2024.3CE.exe	30

C:\Users\Admin\AppData\Local\Temp\ValhallaDSPbundle2024.3CE.exe
"C:\Users\Admin\AppData\Local\Temp\ValhallaDSPbundle2024.3CE.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\is-1M50S.tmp\ValhallaDSPbundle2024.3CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1M50S.tmp\ValhallaDSPbundle2024.3CE.tmp" /SL5="$30156,11297297,1001472,C:\Users\Admin\AppData\Local\Temp\ValhallaDSPbundle2024.3CE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-9PU88.tmp

Filesize
46B

MD5
ced966b256027c7576f4d08463bca394

SHA1
39c7ddf93498f447a6f0fdd1be3d91faac907e7d

SHA256
300441ba697e1d2e0f3249f4222be4b09d35be0ce5269e97a7ba9848b2b183a6

SHA512
3f22a6b4e3cf2bb1d5001fea84eb1f533e5e7311c27682b08a44a75d2cd0f019f2a73d6ba65f90fc5cca9ca4ae2ddabd9230c6cd920c799fbb478ff432234555

Download Submit
C:\Program Files\Steinberg\VSTPlugins\ValhallaDSP\is-ODA8F.tmp

Filesize
178KB

MD5
695b004536aabd6d8ffb38747a15097f

SHA1
72c4e3c21f22ba6fa7315695cc953dc3cdad936b

SHA256
f82a564cd705adcb96c6f90ab850ebcb85a4b78546725696348c64f995dd6195

SHA512
a908c76e731316bb57eb8e6837575bfbf82e2d812a7e6e7ffbc80ca68cd965083132d681769fc5291286439f72a943432c5ea51a6a75770983ccfddb2c0e560c

Download Submit
\Users\Admin\AppData\Local\Temp\is-1M50S.tmp\ValhallaDSPbundle2024.3CE.tmp

Filesize
3.2MB

MD5
8de54b402d10a45071050e2cff84f4f6

SHA1
5cbbbc9b32d81c93531bb26fe90b19ed6b004c2a

SHA256
462ab941a7491a778b9bdfac5f79283c142e7b1524376bf04d7236e4ca7a527e

SHA512
0834caf48b33328b18749fb8b84563b09edbe0bdedd0e7cab58e378194def698d37c57469ce2429ec69c44ad24d2f064dcc48c4a71dac9e808d855c2d96687e9

Download Submit
\Users\Admin\AppData\Local\Temp\is-USUQS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1268-15-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-8-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-72-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-1952-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-4348-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1268-4494-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2044-13-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2044-2-0x0000000000401000-0x00000000004C1000-memory.dmp

Filesize
768KB

Download
memory/2044-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2044-4495-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download