16d0d399410366ffe6192ee385f69f23cad13513740117a20cac0190347908b9

Analysis

max time kernel
132s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eon_Launcher_1.0.6_x64_en-US.exe
Size

87.8MB
MD5

31d8373a7511deb336ed279202d1a3fa
SHA1

bc6f1610bb7aaef75e9a6efb3b9881326abdccde
SHA256

16d0d399410366ffe6192ee385f69f23cad13513740117a20cac0190347908b9
SHA512

f8d469be0ee70e7570c33b29ff4e017ce76257d1cf1c83157bcbb911b0d94bf1ab2e680e9da01e26945637edd1ac3cb4a4e06570c612666a454dd85e4dd31930
SSDEEP

1572864:WQ9WxSaqMKfOR7vaK+3m1Hgv+u3aFvwcdjmib/PKfwWZCifCKEWDMuLUt9:14aiSH3QHIsrdxPKkBWDMtz

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
5736	MsiExec.exe
5736	MsiExec.exe
5736	MsiExec.exe
5736	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\K:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\T:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\Z:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\U:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\O:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\J:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\W:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\N:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\Y:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\M:	Eon_Launcher_1.0.6_x64_en-US.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE21.tmp	msiexec.exe
File created	C:\Windows\Installer\e589dd3.msi	msiexec.exe
File created	C:\Windows\Installer\e589dd1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e589dd1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DDA5438D-9EDB-4D86-A8A6-1E627C277637}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eon_Launcher_1.0.6_x64_en-US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D8345ADDBDE968D48A6AE126C7726773\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\ProductName = "Eon Launcher"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0CBFB2E5CBD40E4D9EF4ACDE33F503C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Eon\\Eon Launcher 1.0.6\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Eon\\Eon Launcher 1.0.6\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D8345ADDBDE968D48A6AE126C7726773	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0CBFB2E5CBD40E4D9EF4ACDE33F503C\D8345ADDBDE968D48A6AE126C7726773	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\PackageName = "Eon Installer.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\PackageCode = "2584250A3B07D794682B5958A44EA801"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D8345ADDBDE968D48A6AE126C7726773\Version = "16777222"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	msiexec.exe
2724	msiexec.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
684	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeCreateTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncreaseQuotaPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeMachineAccountPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTcbPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSecurityPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTakeOwnershipPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLoadDriverPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemProfilePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemtimePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeProfSingleProcessPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncBasePriorityPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePagefilePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePermanentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeBackupPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRestorePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeShutdownPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeDebugPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAuditPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemEnvironmentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeChangeNotifyPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRemoteShutdownPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeUndockPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSyncAgentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeEnableDelegationPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeManageVolumePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeImpersonatePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateGlobalPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncreaseQuotaPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeMachineAccountPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTcbPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSecurityPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeTakeOwnershipPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLoadDriverPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemProfilePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemtimePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeProfSingleProcessPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncBasePriorityPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePagefilePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreatePermanentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeBackupPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRestorePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeShutdownPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeDebugPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAuditPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSystemEnvironmentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeChangeNotifyPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeRemoteShutdownPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeUndockPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeSyncAgentPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeEnableDelegationPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeManageVolumePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeImpersonatePrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateGlobalPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeCreateTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeAssignPrimaryTokenPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeLockMemoryPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeIncreaseQuotaPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe
Token: SeMachineAccountPrivilege	1840	Eon_Launcher_1.0.6_x64_en-US.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1840	Eon_Launcher_1.0.6_x64_en-US.exe
1548	msiexec.exe
1548	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2684	2724	msiexec.exe	100
PID 2724 wrote to memory of 2684	2724	msiexec.exe	100
PID 2724 wrote to memory of 2684	2724	msiexec.exe	100
PID 1840 wrote to memory of 1548	1840	Eon_Launcher_1.0.6_x64_en-US.exe	101
PID 1840 wrote to memory of 1548	1840	Eon_Launcher_1.0.6_x64_en-US.exe	101
PID 1840 wrote to memory of 1548	1840	Eon_Launcher_1.0.6_x64_en-US.exe	101
PID 2724 wrote to memory of 1680	2724	msiexec.exe	102
PID 2724 wrote to memory of 1680	2724	msiexec.exe	102
PID 2724 wrote to memory of 1680	2724	msiexec.exe	102
PID 2724 wrote to memory of 5656	2724	msiexec.exe	119
PID 2724 wrote to memory of 5656	2724	msiexec.exe	119
PID 2724 wrote to memory of 5736	2724	msiexec.exe	121
PID 2724 wrote to memory of 5736	2724	msiexec.exe	121
PID 2724 wrote to memory of 5736	2724	msiexec.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe
"C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Eon\Eon Launcher 1.0.6\install\Eon Installer.x64.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Eon_Launcher_1.0.6_x64_en-US.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1724636010 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DDB861E91007C793C8A285080DA2B40E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8D7E5B9AF5C4D289CD716056B3CB1F8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1680
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8DF68833B4AB229D476B07E30197130
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589dd2.rbs

Filesize
101KB

MD5
9360f5f49589dfd75e47f086397a32b0

SHA1
dc6630269a73a3b42372bd89f6221fc0dc6b75a0

SHA256
3fed527420009af77fccfff538539107c5340532af2e6742eecd5630a426d60e

SHA512
6d90d39cb32947eee57a257261541db12a83cdac15af1a3382a14fac8f116e03e33d4378d8a68f3c9187b8cfe39e25dfe61d807968d9b6790df0f1b7f42fb15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4B6D.tmp

Filesize
719KB

MD5
c9c085c00bc24802f066e5412defcf50

SHA1
557f02469f3f236097d015327d7ca77260e2aecc

SHA256
a412b642de0e94db761ebd2834dde72eed86e65fc4a580670a300015b874ba24

SHA512
a6fa1f34cd630a7509a6441be7ad060de7e039967d2ec015e27c2a643b04e0eecf53902b7173c4c2e92e3a890bd7acb6a3307d9923838f0bfc71496fb184b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Eon\Eon Launcher 1.0.6\install\Eon Installer.x64.msi

Filesize
1.9MB

MD5
dfee8c7263a5872b68c1b11ba40733a0

SHA1
f5b8f72f2a8bc798ec9f2cf3b71bc794fc8f3f5c

SHA256
c3b2cdffbfd760f207488cef4c726b9b5abf19da105741bd420412ebe4b35e8f

SHA512
b3bed3e3f1ea737ffdfd37617417ce67dc12038d71d43856290bb878bac1b656509689b7a866b2dedf0a436f8dd2c3ba2959ff3a2e368320bab36e90d8642d03

Download Submit
C:\Windows\Installer\MSIA0D2.tmp

Filesize
837KB

MD5
2557173f4299722afce46cc3c0616406

SHA1
b0343c9a9552be977834e415783b486c4714fe97

SHA256
e25369e33c7ef36151769a86d833189b275f85045f35873e9e931547e0a6d591

SHA512
24a46359cb8e22534cbd875fe092d096e3280ca4c24936159894ba95832233ee318494a3eabbdf73ae6010e39a1b5897b4488b2771b416b472bb7f60ceddf40e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
88f314558fa67f80707931d949dfd87f

SHA1
1419d392f3ca775e63a941fa4af258a74513df17

SHA256
475499e3b0e8f381d53dede3f6a56296690b38edf6db07e6531c25ec644a1056

SHA512
6fec9812c2eb09c2d89a8eb74e6b5d8c48e31cdb686a26cfc4f8adefcc6fe904358157dbdc4f4e3659e35272aeb744d1d354580ca97aeaf506c367d12b35dc69

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{948dac19-4e2a-46dd-b381-17ad7bd81974}_OnDiskSnapshotProp

Filesize
6KB

MD5
01f6bdf6ae7fd2d188dc00a3feddb122

SHA1
2a9b700a474e56905cd52efe481b00951ddad477

SHA256
792ab6c5d396d0609e9ed32770e924e592e2c5518901fa6f2d01a5c7ead297b2

SHA512
a64dfa408fe07cb8f5c0462628b7a91722b4a54437a28868ac053bedb8f394660cbcb7d88c39b763d494e4eb85ba3c34a4d80206d018d71fcafc6a163a57ae47

Download Submit