4b54d71c16a277f89613eed4f073fc4e0ca02451df90588d7bd250af6a169c68

General

Target

PortableApps.comLauncher_2.2.3.paf.exe
Size

2.6MB
MD5

5d2f6a8aa1bc967741776afd1c7452d1
SHA1

fa6df99a1913f64a949d8b3032c9e0abf278fa0a
SHA256

4b54d71c16a277f89613eed4f073fc4e0ca02451df90588d7bd250af6a169c68
SHA512

df1c38f07621168e05f40a4d188ed5946cee2a5135f1e3b417631f8416a9d561f3b2618a3ec2cc80ced0b9c2e1bbd2d57d13c98e36f501bb05ae7f5175467bf8
SSDEEP

49152:bLJ9qkmQ2V5miFo1KWviZ0dBslCbhYDRzUZfNqoY5JDnnE2SQhfWkB9:v2kyH+KqAGUQhuRzafNqpJT7rB9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2032	PortableApps.comLauncher_2.2.3.paf.exe
2032	PortableApps.comLauncher_2.2.3.paf.exe
2032	PortableApps.comLauncher_2.2.3.paf.exe
2032	PortableApps.comLauncher_2.2.3.paf.exe
2032	PortableApps.comLauncher_2.2.3.paf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	Eula.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Eula.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Eula.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	PortableApps.comLauncher_2.2.3.paf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	PortableApps.comLauncher_2.2.3.paf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	PortableApps.comLauncher_2.2.3.paf.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
584	AcroRd32.exe
584	AcroRd32.exe
584	AcroRd32.exe
292	Eula.exe
292	Eula.exe

C:\Users\Admin\AppData\Local\Temp\PortableApps.comLauncher_2.2.3.paf.exe
"C:\Users\Admin\AppData\Local\Temp\PortableApps.comLauncher_2.2.3.paf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x190
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso4E4.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nso4E4.tmp\LangDLL.dll

Filesize
5KB

MD5
08de81a4584f5201086f57a7a93ed83b

SHA1
266a6ecc8fb7dca115e6915cd75e2595816841a8

SHA256
4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

SHA512
b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

Download Submit
\Users\Admin\AppData\Local\Temp\nso4E4.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nso4E4.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
\Users\Admin\AppData\Local\Temp\nso4E4.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca5bb0ee2b698869c41c087c9854487c

SHA1
4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

SHA256
c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

SHA512
363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

Download Submit
\Users\Admin\AppData\Local\Temp\nso4E4.tmp\w7tbp.dll

Filesize
2KB

MD5
9a3031cc4cef0dba236a28eecdf0afb5

SHA1
708a76aa56f77f1b0ebc62b023163c2e0426f3ac

SHA256
53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00

SHA512
8fddde526e7d10d77e247ea80b273beae9dde1d4112806f1f5c3e6a409247d54d8a4445ab5bdd77025a434c3d1dcfdf480dac21abbdb13a308d5eb74517fab53

Download Submit
memory/292-82-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing