16d0d399410366ffe6192ee385f69f23cad13513740117a20cac0190347908b9

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eon_Launcher_1.0.6_x64_en-US.exe
Size

87.8MB
MD5

31d8373a7511deb336ed279202d1a3fa
SHA1

bc6f1610bb7aaef75e9a6efb3b9881326abdccde
SHA256

16d0d399410366ffe6192ee385f69f23cad13513740117a20cac0190347908b9
SHA512

f8d469be0ee70e7570c33b29ff4e017ce76257d1cf1c83157bcbb911b0d94bf1ab2e680e9da01e26945637edd1ac3cb4a4e06570c612666a454dd85e4dd31930
SSDEEP

1572864:WQ9WxSaqMKfOR7vaK+3m1Hgv+u3aFvwcdjmib/PKfwWZCifCKEWDMuLUt9:14aiSH3QHIsrdxPKkBWDMtz

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
2016	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\G:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\K:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\L:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\X:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\N:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\S:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\T:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\V:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\U:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	Eon_Launcher_1.0.6_x64_en-US.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eon_Launcher_1.0.6_x64_en-US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeSecurityPrivilege	2972	msiexec.exe
Token: SeCreateTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncreaseQuotaPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeMachineAccountPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTcbPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSecurityPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTakeOwnershipPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLoadDriverPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemProfilePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemtimePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeProfSingleProcessPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncBasePriorityPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePagefilePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePermanentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeBackupPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRestorePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeShutdownPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeDebugPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAuditPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemEnvironmentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeChangeNotifyPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRemoteShutdownPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeUndockPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSyncAgentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeEnableDelegationPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeManageVolumePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeImpersonatePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateGlobalPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncreaseQuotaPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeMachineAccountPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTcbPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSecurityPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTakeOwnershipPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLoadDriverPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemProfilePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemtimePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeProfSingleProcessPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncBasePriorityPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePagefilePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePermanentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeBackupPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRestorePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeShutdownPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeDebugPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAuditPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemEnvironmentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeChangeNotifyPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRemoteShutdownPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeUndockPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSyncAgentPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeEnableDelegationPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeManageVolumePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeImpersonatePrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateGlobalPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	2396	Eon_Launcher_1.0.6_x64_en-US.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2396	Eon_Launcher_1.0.6_x64_en-US.exe
2868	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2972 wrote to memory of 2016	2972	msiexec.exe	31
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2396 wrote to memory of 2868	2396	Eon_Launcher_1.0.6_x64_en-US.exe	32
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33
PID 2972 wrote to memory of 2816	2972	msiexec.exe	33

C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe
"C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Eon\Eon Launcher 1.0.6\install\Eon Installer.x64.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724617232 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C129DC5E0F57DBB24927E92979710391 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99B25CA44633A8C05BA10E2785FCAA24 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIBA5A.tmp

Filesize
719KB

MD5
c9c085c00bc24802f066e5412defcf50

SHA1
557f02469f3f236097d015327d7ca77260e2aecc

SHA256
a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24

SHA512
a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Eon\Eon Launcher 1.0.6\install\Eon Installer.x64.msi

Filesize
1.9MB

MD5
dfee8c7263a5872b68c1b11ba40733a0

SHA1
f5b8f72f2a8bc798ec9f2cf3b71bc794fc8f3f5c

SHA256
c3b2cdffbfd760f207488cef4c726b9b5abf19da105741bd420412ebe4b35e8f

SHA512
b3bed3e3f1ea737ffdfd37617417ce67dc12038d71d43856290bb878bac1b656509689b7a866b2dedf0a436f8dd2c3ba2959ff3a2e368320bab36e90d8642d03

Download Submit