50f7819d7c68fa53847985279243b2cc8fe7489b9fef4354dddee05e57891361

Analysis

max time kernel
152s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyra-setup.exe
Size

51.5MB
MD5

37ce00f8e12de66ae06cd62bf019bd99
SHA1

0b2dcd13bd84908c1f737de9e3f2cb9c7836a95e
SHA256

50f7819d7c68fa53847985279243b2cc8fe7489b9fef4354dddee05e57891361
SHA512

f15a1501af455cf1ce2a0591ac861eef33515b07e0ca92ee18043b37d72a640acab17d77a0813e60bab23fbb04c805288f6a21892280c959cc910280255829d0
SSDEEP

786432:b4wGjlJrrrK0WObuBKm4/3j1l62v7CkAwBMzD1BxtTVDLMiQP:Sl1rrEZlil62WkAoGZxdLMd

Score

7^/10

discovery

Malware Config

Signatures

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000a000000022e26-81.dat	net_reactor
behavioral2/files/0x000a000000022e26-82.dat	net_reactor
behavioral2/memory/3776-84-0x0000000000360000-0x0000000000724000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 3 IoCs

pid	Process
3152	empyra-setup.tmp
1872	Installer.exe
3776	vmware.exe

Loads dropped DLL 3 IoCs

pid	Process
1872	Installer.exe
1872	Installer.exe
1872	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Empyra Defi\is-INPTM.tmp	empyra-setup.tmp
File created	C:\Program Files (x86)\Empyra Defi\is-GU34J.tmp	empyra-setup.tmp
File opened for modification	C:\Program Files (x86)\Empyra Defi\unins000.dat	empyra-setup.tmp
File opened for modification	C:\Program Files (x86)\Empyra Defi\Installer.exe	empyra-setup.tmp
File created	C:\Program Files (x86)\Empyra Defi\unins000.dat	empyra-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\EmpyraDefiFile.exe\DefaultIcon	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\shell	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\shell\open\command	empyra-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\Empyra Defi\\Installer.exe\" \"%1\""	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Installer.exe	empyra-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\OpenWithProgids\EmpyraDefiFile.exe	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmpyraDefiFile.exe	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\shell\open	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Installer.exe\SupportedTypes	empyra-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Installer.exe\SupportedTypes\.myp	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\OpenWithProgids	empyra-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\ = "Empyra Defi File"	empyra-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmpyraDefiFile.exe\DefaultIcon\ = "C:\\Program Files (x86)\\Empyra Defi\\Installer.exe,0"	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmpyraDefiFile.exe\shell\open\command	empyra-setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Installer.exe\SupportedTypes	empyra-setup.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3152	empyra-setup.tmp
3152	empyra-setup.tmp
1512	powershell.exe
1512	powershell.exe
4436	powershell.exe
4436	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	Installer.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3152	empyra-setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	Installer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3152	4820	empyra-setup.exe	89
PID 4820 wrote to memory of 3152	4820	empyra-setup.exe	89
PID 4820 wrote to memory of 3152	4820	empyra-setup.exe	89
PID 1872 wrote to memory of 1512	1872	Installer.exe	114
PID 1872 wrote to memory of 1512	1872	Installer.exe	114
PID 1872 wrote to memory of 3776	1872	Installer.exe	116
PID 1872 wrote to memory of 3776	1872	Installer.exe	116
PID 1872 wrote to memory of 3776	1872	Installer.exe	116
PID 1872 wrote to memory of 4436	1872	Installer.exe	117
PID 1872 wrote to memory of 4436	1872	Installer.exe	117

C:\Users\Admin\AppData\Local\Temp\empyra-setup.exe
"C:\Users\Admin\AppData\Local\Temp\empyra-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\is-E1IAO.tmp\empyra-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E1IAO.tmp\empyra-setup.tmp" /SL5="$C020E,53193244,1047040,C:\Users\Admin\AppData\Local\Temp\empyra-setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3152

C:\Program Files (x86)\Empyra Defi\Installer.exe
"C:\Program Files (x86)\Empyra Defi\Installer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\VMware
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Users\Admin\AppData\Local\VMware\vmware.exe
  "C:\Users\Admin\AppData\Local\VMware\vmware.exe"
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Users\Admin\AppData\Local\VMware\vmwarehost.exe
  "C:\Users\Admin\AppData\Local\VMware\vmwarehost.exe"
  2⤵
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Empyra Defi\Installer.exe

Filesize
172.7MB

MD5
a018ce91c942a3fb149966a0ee51c738

SHA1
120561064106e32c21d15711b93a9c0a09bda96c

SHA256
44b12034203412af0b1e37aa4efc700c6329186a7e3e3ca1bd8a9852c0147fd8

SHA512
7d324a07902319b4df5730341ea960b5fb1d959a7eb28a298839c26a1979a5f34e7ed5d762b6c8dc0a23b4b8205d2470e1f6c0c5657bb4be72486463a07a1d96

Download Submit
C:\Program Files (x86)\Empyra Defi\Installer.exe

Filesize
172.7MB

MD5
a018ce91c942a3fb149966a0ee51c738

SHA1
120561064106e32c21d15711b93a9c0a09bda96c

SHA256
44b12034203412af0b1e37aa4efc700c6329186a7e3e3ca1bd8a9852c0147fd8

SHA512
7d324a07902319b4df5730341ea960b5fb1d959a7eb28a298839c26a1979a5f34e7ed5d762b6c8dc0a23b4b8205d2470e1f6c0c5657bb4be72486463a07a1d96

Download Submit
C:\Program Files (x86)\Empyra Defi\Installer.exe

Filesize
172.7MB

MD5
a018ce91c942a3fb149966a0ee51c738

SHA1
120561064106e32c21d15711b93a9c0a09bda96c

SHA256
44b12034203412af0b1e37aa4efc700c6329186a7e3e3ca1bd8a9852c0147fd8

SHA512
7d324a07902319b4df5730341ea960b5fb1d959a7eb28a298839c26a1979a5f34e7ed5d762b6c8dc0a23b4b8205d2470e1f6c0c5657bb4be72486463a07a1d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\_YoJHiFUKD9lPTKA_KKX67f9RG0SUwI=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
03a60a6652caf4f49ea5912ce4e1b33c

SHA1
a0d949d4af7b1048dc55e39d1d1260a1e0660c4f

SHA256
b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3

SHA512
6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\_YoJHiFUKD9lPTKA_KKX67f9RG0SUwI=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
d55999f0c7253cb904ae1673929a22ea

SHA1
cd8cfe2e50fec74bc89b10fd107f0d1c636b135f

SHA256
52b9415d61f9d19eb33561512b100969fc7d261586b4b24e3a36baa416afce00

SHA512
91efade068f125971b002d8e15592d6c56d8946dcceca879a7155769862ae3d00ea64623bb5a2857d95b7a75e77e5568b4e9815cc1a80be6b11d3db813d29d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\_YoJHiFUKD9lPTKA_KKX67f9RG0SUwI=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
f2a012b7a561162524efdb2dcffc05de

SHA1
732c4c23e6cbc9f331dc466bc7555fbdaa556837

SHA256
e27478b5b977331c8de319d752f7f728501480c6de377fb78ea3ed48bfa92894

SHA512
3b6165bf9361a60aa20f08a404f857727bc97cfa5f7de951c0fce0c8bc28474b8942f91bad2c0e0888a4253e2f9da204bf525c4492a1682a6f2b648d1b8a0ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xh4cguct.4k5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E1IAO.tmp\empyra-setup.tmp

Filesize
3.2MB

MD5
2651781ab0f18e494c67806c48ac1e7b

SHA1
9dfbcf98285a9be20abcf7a139610e7a7239eb6a

SHA256
f7a17e81522dfadf4862ce5db15812e5f5c54f357dccdf44774c459d2e8f1f96

SHA512
b02bc395bb5085285f7b6551a51b581dad1e4c8afd9fdca6ff3bb5277c4ad58ded5ecc6f2eef19451cad3d50f10c5c13e2ca971f631333292f91a4fce06876e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E1IAO.tmp\empyra-setup.tmp

Filesize
3.2MB

MD5
2651781ab0f18e494c67806c48ac1e7b

SHA1
9dfbcf98285a9be20abcf7a139610e7a7239eb6a

SHA256
f7a17e81522dfadf4862ce5db15812e5f5c54f357dccdf44774c459d2e8f1f96

SHA512
b02bc395bb5085285f7b6551a51b581dad1e4c8afd9fdca6ff3bb5277c4ad58ded5ecc6f2eef19451cad3d50f10c5c13e2ca971f631333292f91a4fce06876e4

Download Submit
C:\Users\Admin\AppData\Local\VMware\vmware.exe

Filesize
3.8MB

MD5
311637067e7fcfffa6d906388dd8fb3d

SHA1
09616192e9be85eaf231b3f53a8b26ac63d5f4d5

SHA256
73e1628a5fb070f76bdbef18c6b4602f6bc0edb7744384076ac565fd47fea202

SHA512
4ea8c8708dc39d440c39c8c8a6f7bd756ea51ec9015e59994dec47a8e0ff646d216c601a9303c8c1637499facb9af2d0a83a91e62990e237b00ea275b5adfb2d

Download Submit
C:\Users\Admin\AppData\Local\VMware\vmware.exe

Filesize
3.8MB

MD5
311637067e7fcfffa6d906388dd8fb3d

SHA1
09616192e9be85eaf231b3f53a8b26ac63d5f4d5

SHA256
73e1628a5fb070f76bdbef18c6b4602f6bc0edb7744384076ac565fd47fea202

SHA512
4ea8c8708dc39d440c39c8c8a6f7bd756ea51ec9015e59994dec47a8e0ff646d216c601a9303c8c1637499facb9af2d0a83a91e62990e237b00ea275b5adfb2d

Download Submit
memory/1512-69-0x00007FFFDB000000-0x00007FFFDBAC1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-70-0x00000268FE810000-0x00000268FE820000-memory.dmp

Filesize
64KB

Download
memory/1512-71-0x00000268FE810000-0x00000268FE820000-memory.dmp

Filesize
64KB

Download
memory/1512-72-0x00000268FE810000-0x00000268FE820000-memory.dmp

Filesize
64KB

Download
memory/1512-75-0x00007FFFDB000000-0x00007FFFDBAC1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-68-0x00000268FE8C0000-0x00000268FE8E2000-memory.dmp

Filesize
136KB

Download
memory/3152-32-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3152-9-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3152-39-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3152-6-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3152-29-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3152-15-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/3152-10-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3776-86-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/3776-84-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3776-85-0x00000000051F0000-0x0000000005544000-memory.dmp

Filesize
3.3MB

Download
memory/3776-83-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3776-87-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download
memory/3776-106-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/3776-105-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4436-104-0x00007FFFDCA20000-0x00007FFFDD4E1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-99-0x00007FFFDCA20000-0x00007FFFDD4E1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-100-0x0000022AED6C0000-0x0000022AED6D0000-memory.dmp

Filesize
64KB

Download
memory/4436-101-0x0000022AED6C0000-0x0000022AED6D0000-memory.dmp

Filesize
64KB

Download
memory/4436-102-0x0000022AED6C0000-0x0000022AED6D0000-memory.dmp

Filesize
64KB

Download
memory/4820-40-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4820-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4820-8-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download