47e38f1ebc4915debeabaa9d71b1fba07d507a16653e96b9cb2a2949a925d969

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArturiaFXCollection2024.6CE.exe
Size

5.8MB
MD5

29bdb025acc065096ffee3f91acb6bb5
SHA1

5c84379d350a5306b8dda94f18a3838d6f7c5ece
SHA256

47e38f1ebc4915debeabaa9d71b1fba07d507a16653e96b9cb2a2949a925d969
SHA512

133e487dfd0eea9491145dd7255a98d92b38e0ab9b0572711126f847134ee8f7cb9d767d446545dc6156a7d13c300244454ad855ecdbbb9dd391ca982ee0aa16
SSDEEP

98304:bDNtpjA9dPkbc/2qwZEAhZxl2wCmIDbcqOELBQEJE:8dkmA+mIXcvEe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	ArturiaFXCollection2024.6CE.tmp

Loads dropped DLL 1 IoCs

pid	Process
2344	ArturiaFXCollection2024.6CE.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Avid\Audio\Plug-Ins\Arturia	ArturiaFXCollection2024.6CE.tmp
File opened for modification	C:\Program Files\Common Files\VST3\Arturia	ArturiaFXCollection2024.6CE.tmp
File opened for modification	C:\Program Files\Steinberg\VSTPlugins	ArturiaFXCollection2024.6CE.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArturiaFXCollection2024.6CE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArturiaFXCollection2024.6CE.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	ArturiaFXCollection2024.6CE.tmp
2644	ArturiaFXCollection2024.6CE.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	ArturiaFXCollection2024.6CE.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	ArturiaFXCollection2024.6CE.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29
PID 2344 wrote to memory of 2644	2344	ArturiaFXCollection2024.6CE.exe	29

C:\Users\Admin\AppData\Local\Temp\ArturiaFXCollection2024.6CE.exe
"C:\Users\Admin\AppData\Local\Temp\ArturiaFXCollection2024.6CE.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\is-JRMJ9.tmp\ArturiaFXCollection2024.6CE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JRMJ9.tmp\ArturiaFXCollection2024.6CE.tmp" /SL5="$401B2,980480,0,C:\Users\Admin\AppData\Local\Temp\ArturiaFXCollection2024.6CE.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-JRMJ9.tmp\ArturiaFXCollection2024.6CE.tmp

Filesize
3.3MB

MD5
bbcb1251e0629a07425fa4d3823efea9

SHA1
a0d38beeea30c0858c577364a671786fe583f1dd

SHA256
2967bd0f69011957d62b020b5bccd98561e4707e3cfb740482f0a0004b8a88b3

SHA512
a663e15f986879ddd96b68a6e056df58b040f48e8589ada8b16584daffa4f155d20216e63bb7fa667caa3bfb04323aae18feb6194e11f23fd09156420d781c08

Download Submit
memory/2344-2-0x0000000000401000-0x00000000004C1000-memory.dmp

Filesize
768KB

Download
memory/2344-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2344-10-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2644-8-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/2644-11-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/2644-13-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/2644-18-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download