36969ffc412303cc7f57bdaf324b9d44a331e71c37328d19b9c943b4d8298b4b

Analysis

max time kernel
96s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eset_nod32_antivirus_live_installer.exe
Size

4.1MB
MD5

70991b75ccf510518a8b84efe357db35
SHA1

784b1d3bd3b361e2d6931da580efd1ffead9a909
SHA256

36969ffc412303cc7f57bdaf324b9d44a331e71c37328d19b9c943b4d8298b4b
SHA512

5c67fdd86a1427148b1ef0b80a9538891d64ff5e492ba5800cb754dff7303bda83b65eaca6f8865c18877eaeca527de4146063e08f9b077c754389d3de83b1e5
SSDEEP

98304:Bs5Ru/VIJvoFlucukUxAWA8W3rPLLFgxecQmD:aiEJcukI+3HpbhmD

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	eset_nod32_antivirus_live_installer.exe

Executes dropped EXE 2 IoCs

pid	Process
1536	eset_nod32_antivirus_live_installer.exe
1728	BootHelper.exe

Loads dropped DLL 4 IoCs

pid	Process
1536	eset_nod32_antivirus_live_installer.exe
1536	eset_nod32_antivirus_live_installer.exe
1536	eset_nod32_antivirus_live_installer.exe
1536	eset_nod32_antivirus_live_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1536	eset_nod32_antivirus_live_installer.exe
1536	eset_nod32_antivirus_live_installer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1536	5016	eset_nod32_antivirus_live_installer.exe	84
PID 5016 wrote to memory of 1536	5016	eset_nod32_antivirus_live_installer.exe	84
PID 5016 wrote to memory of 1536	5016	eset_nod32_antivirus_live_installer.exe	84
PID 1536 wrote to memory of 1728	1536	eset_nod32_antivirus_live_installer.exe	85
PID 1536 wrote to memory of 1728	1536	eset_nod32_antivirus_live_installer.exe	85
PID 1536 wrote to memory of 1728	1536	eset_nod32_antivirus_live_installer.exe	85

C:\Users\Admin\AppData\Local\Temp\eset_nod32_antivirus_live_installer.exe
"C:\Users\Admin\AppData\Local\Temp\eset_nod32_antivirus_live_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eset_nod32_antivirus_live_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eset_nod32_antivirus_live_installer.exe" --bts-container 5016 "C:\Users\Admin\AppData\Local\Temp\eset_nod32_antivirus_live_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\BootHelper.exe
    BootHelper.exe --watchdog 1536 --product "ESET Live Installer" 11.0.15.0 1033
    3⤵
    - Executes dropped EXE
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\BootHelper.exe

Filesize
324KB

MD5
99dcd96eb8eaa50b9ae21225cb03df76

SHA1
c8ad8ba423b138d454ae19fc5da4216aa1e83f9f

SHA256
394a830c5e0d03bc489b091b33f286cea39cf7a8d96e34ddfcf10ca05c1883c7

SHA512
86b7cc1844669dcfb37251eafdd3bafe347ffb1f493dcf1a59dc53f2113f04b44a45311e621bc28351ceede9d2773ab166057fd2413906b72703b461aaf1d038

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eguiActivation.dll

Filesize
779KB

MD5
541fb10c7f2f71204178179d20dbcda9

SHA1
0d60b81e2e03965079f91e35c1730096424bf1d1

SHA256
849a63da6ca3420a09e2084d44fd18991e6ed247346638319b9ab4b5586aed40

SHA512
a184c21af8b19168fef8abb27c27da12a6987047ff263e969135b46e0d3451119b5b7d1ac33cf4aab2bc736f2d7acb9c4317424b11bcb8fcd6a900b46acbb72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eguiActivation.dll

Filesize
779KB

MD5
541fb10c7f2f71204178179d20dbcda9

SHA1
0d60b81e2e03965079f91e35c1730096424bf1d1

SHA256
849a63da6ca3420a09e2084d44fd18991e6ed247346638319b9ab4b5586aed40

SHA512
a184c21af8b19168fef8abb27c27da12a6987047ff263e969135b46e0d3451119b5b7d1ac33cf4aab2bc736f2d7acb9c4317424b11bcb8fcd6a900b46acbb72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eset_nod32_antivirus_live_installer.exe

Filesize
880KB

MD5
8fbb273c1ba2699fabe73ce5fcfb0ba3

SHA1
3746629a29bcfe1058361f97bd3825ea85bf28df

SHA256
46e02f83582e2986551ad20c260d2988f02eca87574c0e628d3768ec94d6ed95

SHA512
06777f71a3ee183db33d8b373b397fc78407316fb4a33685cb057bc15abab8b3a6b40b3435cd29542e45e212b39d066f2d509f581b98a99ea92b7ee1267f5252

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\eset_nod32_antivirus_live_installer.exe

Filesize
880KB

MD5
8fbb273c1ba2699fabe73ce5fcfb0ba3

SHA1
3746629a29bcfe1058361f97bd3825ea85bf28df

SHA256
46e02f83582e2986551ad20c260d2988f02eca87574c0e628d3768ec94d6ed95

SHA512
06777f71a3ee183db33d8b373b397fc78407316fb4a33685cb057bc15abab8b3a6b40b3435cd29542e45e212b39d066f2d509f581b98a99ea92b7ee1267f5252

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\plgLiveInstaller.dll

Filesize
2.1MB

MD5
8ef021bc9e74299b312fb7e525c01cc9

SHA1
2b9a4c0ed930b44ce7e9412f328241587b79cca6

SHA256
bdec86fbe22480b3896ab567ca3a4d71768e8001beca9bfc8f0d4a16de26c12d

SHA512
e9961ced5f914e246033b69846f4434473fc8ec1c70ac44363cb8b1d9d69f641d434975320773a3b299cce353725908b5c6c96ea159b21edb9483a3446eb07d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\plgLiveInstaller.dll

Filesize
2.1MB

MD5
8ef021bc9e74299b312fb7e525c01cc9

SHA1
2b9a4c0ed930b44ce7e9412f328241587b79cca6

SHA256
bdec86fbe22480b3896ab567ca3a4d71768e8001beca9bfc8f0d4a16de26c12d

SHA512
e9961ced5f914e246033b69846f4434473fc8ec1c70ac44363cb8b1d9d69f641d434975320773a3b299cce353725908b5c6c96ea159b21edb9483a3446eb07d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\plgSciterBase.dll

Filesize
1.5MB

MD5
c665305b71d8a00ce349bba78df4753b

SHA1
5a68c0e0fc4ff272b1d89003ec51a5a61a98212f

SHA256
39280f7a2830393a085753045fb3a5c97314fe7fde6a8ed062a71237e5d9e6c5

SHA512
469f6908da3aab30ed4b4fb57d8d9a28f7aa31a849f88d592cf67c3517b891a6e412f42a012e031c58644447e3f9039c0b73a597f185b506f79859126a11cb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\plgSciterBase.dll

Filesize
1.5MB

MD5
c665305b71d8a00ce349bba78df4753b

SHA1
5a68c0e0fc4ff272b1d89003ec51a5a61a98212f

SHA256
39280f7a2830393a085753045fb3a5c97314fe7fde6a8ed062a71237e5d9e6c5

SHA512
469f6908da3aab30ed4b4fb57d8d9a28f7aa31a849f88d592cf67c3517b891a6e412f42a012e031c58644447e3f9039c0b73a597f185b506f79859126a11cb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\sciter-x.dll

Filesize
3.1MB

MD5
f921b08efd33e12ebefa5a7f3d265abb

SHA1
b6ca739145877002460ee262e2117f15e2ea8fb5

SHA256
80b7f849eef6f4cfedb6151a47571999427c79c6eaac79860a3b04b8be1ed623

SHA512
e229dd42eb525a7e19b66c2dc34b6bf0bb97514695fece0daa971709c104be016c4603d9f936debec5c6a50568c63b81ef955df60e5253ed8e2dfec8f68e4638

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\{02D83BBE-B27C-806B-AC6B-44C3F1238EEA}\sciter-x.dll

Filesize
3.1MB

MD5
f921b08efd33e12ebefa5a7f3d265abb

SHA1
b6ca739145877002460ee262e2117f15e2ea8fb5

SHA256
80b7f849eef6f4cfedb6151a47571999427c79c6eaac79860a3b04b8be1ed623

SHA512
e229dd42eb525a7e19b66c2dc34b6bf0bb97514695fece0daa971709c104be016c4603d9f936debec5c6a50568c63b81ef955df60e5253ed8e2dfec8f68e4638

Download Submit