79c50aee10f2db4bcb8d2a7789147bb4d98903fee459f822d4d1032fb4ccfc14

General

Target

TLauncher-2.75-Installer-0.6.9.exe
Size

16.3MB
MD5

3f43fd87ad3fb5483211285dfa586e2b
SHA1

ff0090f1b679bd19349d362d50ab00d9ec31215d
SHA256

79c50aee10f2db4bcb8d2a7789147bb4d98903fee459f822d4d1032fb4ccfc14
SHA512

08b0d1b643f396fac2ed984bdf35732c841f3bba586839b4f1d3b813b842cd63aabd33c95a6797be77fa8d89aa926803831700328612fd3546edf609c520974d

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

3560 irsetup.exe

pid	process
3560	irsetup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 2 IoCs

Processes:

irsetup.exe

pid process

3560 irsetup.exe
3560 irsetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

irsetup.exe

pid process

3560 irsetup.exe
3560 irsetup.exe
3560 irsetup.exe
3560 irsetup.exe

pid	process
3560	irsetup.exe
3560	irsetup.exe

pid	process
3560	irsetup.exe
3560	irsetup.exe
3560	irsetup.exe
3560	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

TLauncher-2.75-Installer-0.6.9.exe

description	pid	process	target process
PID 412 wrote to memory of 3560	412	TLauncher-2.75-Installer-0.6.9.exe	irsetup.exe
PID 412 wrote to memory of 3560	412	TLauncher-2.75-Installer-0.6.9.exe	irsetup.exe
PID 412 wrote to memory of 3560	412	TLauncher-2.75-Installer-0.6.9.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.75-Installer-0.6.9.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.75-Installer-0.6.9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.75-Installer-0.6.9.exe" "__IRCT:1" "__IRTSS:17102180" "__IRSID:S-1-5-21-1985363256-3005190890-1182679451-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
25e1062255400d258e68c8f8bc758c85

SHA1
29fcf2dcfa9f4acff85338d3e6bea2c11f453388

SHA256
707027d3ddb431258527b0bfe2b089d34b806f1a1cfbd124a74ed78f3ac1dc2c

SHA512
26179938523649444c8fd9853d3dad9661d42205da13be38819d1fc897575757286a5b658993145dfcf5c80b2480cca80bd55b5ded16c15c6887c991150a308d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
25e1062255400d258e68c8f8bc758c85

SHA1
29fcf2dcfa9f4acff85338d3e6bea2c11f453388

SHA256
707027d3ddb431258527b0bfe2b089d34b806f1a1cfbd124a74ed78f3ac1dc2c

SHA512
26179938523649444c8fd9853d3dad9661d42205da13be38819d1fc897575757286a5b658993145dfcf5c80b2480cca80bd55b5ded16c15c6887c991150a308d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/3560-2-0x0000000000000000-mapping.dmp

Download
memory/3560-12-0x0000000002F00000-0x0000000002F03000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing