General
-
Target
EpicInstaller-15.17.1-twinmotion.msi
-
Size
176.5MB
-
Sample
241112-g84ecaxbmc
-
MD5
7a2cf04ac0c504a8ea5aed805dde484d
-
SHA1
0536d7a178d1a42cea1476ea6b44bc53ed26bc63
-
SHA256
6f3f486d7a8409fc174198818c039152c6268bd9fdf210ee6be1c91bf832b7e9
-
SHA512
42aeed1d015ab279df3065e04adff8001672a13180f4d73121ace3bc8989783f12c7a5d0b50c684c74fd138fc1b4f451439acd7b6342d4f60c7d3a18034e0988
-
SSDEEP
3145728:oyKHxXZR5bsPL+buxE4ynkX+kKbtt3V8mIeDLhZ8muXNNE7byK88OmTZbOW/rXi:IP4PAwUnkuk8BNbLIxg7bUQ
Static task
static1
Behavioral task
behavioral1
Sample
EpicInstaller-15.17.1-twinmotion.msi
Resource
win10ltsc2021-20241023-en
Malware Config
Targets
-
-
Target
EpicInstaller-15.17.1-twinmotion.msi
-
Size
176.5MB
-
MD5
7a2cf04ac0c504a8ea5aed805dde484d
-
SHA1
0536d7a178d1a42cea1476ea6b44bc53ed26bc63
-
SHA256
6f3f486d7a8409fc174198818c039152c6268bd9fdf210ee6be1c91bf832b7e9
-
SHA512
42aeed1d015ab279df3065e04adff8001672a13180f4d73121ace3bc8989783f12c7a5d0b50c684c74fd138fc1b4f451439acd7b6342d4f60c7d3a18034e0988
-
SSDEEP
3145728:oyKHxXZR5bsPL+buxE4ynkX+kKbtt3V8mIeDLhZ8muXNNE7byK88OmTZbOW/rXi:IP4PAwUnkuk8BNbLIxg7bUQ
-
Renames multiple (126) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1