8a31cee12874ede5d2b4c541308d7d0c690b967bc635848720fb7501b6888bfa

Resubmissions

19-10-2022 20:47

221019-zk1bwsgbh5 7

19-10-2022 20:44

221019-zjfwvsgcbn 8

Analysis

max time kernel
44s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrismLauncher-Windows-Setup-5.0.exe
Size

35.0MB
MD5

2795afccc98c080766219875d0385dea
SHA1

5b6375986292f1f9b0cf2c29c490da0d2a207fe6
SHA256

8a31cee12874ede5d2b4c541308d7d0c690b967bc635848720fb7501b6888bfa
SHA512

f2c005bc5f6553fe83fd8fc0f0fbc7eb101268017414dfc5567397ca7e58baef1d227b983097e1db629b9696ae602601ca1f4454dd9108ba161ca733920e507f
SSDEEP

786432:EH97iwpp+o9a5utFULkxfXd6VPzJCWC7F6gp80RcmoRgu8Lr8PH3J:EH97ipqa8tFU4xcBYiidLrEHZ

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
812	prismlauncher.exe

Loads dropped DLL 8 IoCs

pid	Process
1308	PrismLauncher-Windows-Setup-5.0.exe
1308	PrismLauncher-Windows-Setup-5.0.exe
1308	PrismLauncher-Windows-Setup-5.0.exe
1308	PrismLauncher-Windows-Setup-5.0.exe
812	prismlauncher.exe
812	prismlauncher.exe
812	prismlauncher.exe
812	prismlauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1844	TaskKill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	TaskKill.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 1844	1308	PrismLauncher-Windows-Setup-5.0.exe	27
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30
PID 1308 wrote to memory of 812	1308	PrismLauncher-Windows-Setup-5.0.exe	30

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-Setup-5.0.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-Setup-5.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM prismlauncher.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll

Filesize
8.6MB

MD5
83f31176e6c39aa085b5fe615bea6edf

SHA1
aa5e55fa34c6b65e4ac8e4ce48c1db2a215f001a

SHA256
363384a1c21929f4fed68e3d18ea4cdcd35e71520051a56d37e1922991b87696

SHA512
3b0255a01ec89c6cd32b88bb3b843690735cb4b5c4a8b90a5d081f7c5b0277d43388ac3e2a3bed94713201c5faea6b193d63590d9af8b9389cff9f84942e96b2

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\libgcc_s_dw2-1.dll

Filesize
142KB

MD5
fa4c3c566aaaa158f0665956e18c807e

SHA1
4b96edd6e7514937cbc5bd51228784fea1cef49f

SHA256
f74a34d781c4db1403418ce29f5359206745f46f13e6e23d394f44eb49961593

SHA512
4cdc60f8a0a06734394946557a5edeafe6516e78b9976628bea39df212a4518b9baea1b6bfaf1cbc2a783224c017d332a5e9a7a97d946f903b56ed6edff57782

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\libstdc++-6.dll

Filesize
2.1MB

MD5
f53687e44acbafb343871e596002145c

SHA1
ef1a14e45ce03329ae1f1b694523e36250b1dd22

SHA256
b1982f752158b0c61eaa44f54764bbcf97c779bb7a07c66ea02772a4299110d2

SHA512
fd736698ba16d83c273ba82a17af2b44eaf80c9ae436975ad50f4d67be3d1ef2e4ddbb2f8227a38e2f6c8aad2dd75648e025790db8eaf5db38e4fe3332c7ad17

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\libwinpthread-1.dll

Filesize
67KB

MD5
d9a2a1df8ee3abc34d107224db728745

SHA1
c9cbc8105087b79cf3f21f059ae2652650be2854

SHA256
7f817bb550afd6d526b19133deb8a9b3e372d3e90ad6cd776d821191ac0347b9

SHA512
e1d98c5184c433151ed51d97c9ddf187b7cff415bfeade201f168a0d0597b3f0cc655af5dff3c58a4e57c12d24c6c3e75fa012ac32b3955d1bfe97d67f8dbd9e

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.3MB

MD5
a6f5b8bc61f0928a46eff7fdcb71ebdf

SHA1
edd7b293fccf082871a4cf5bff076669243f4dc9

SHA256
f39317f37ca84362a71d750a0b952848bb038ee13f2c86e894cd4401f05c6372

SHA512
8f041370fffa503f4fc8bd032073ff4315ef3dbefaea4e8ace899ca59ca958ec71903725469b9a1dfc57113dbd2954d2c1ce0473316d04e88c85efbe0ec0ea20

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll

Filesize
8.6MB

MD5
83f31176e6c39aa085b5fe615bea6edf

SHA1
aa5e55fa34c6b65e4ac8e4ce48c1db2a215f001a

SHA256
363384a1c21929f4fed68e3d18ea4cdcd35e71520051a56d37e1922991b87696

SHA512
3b0255a01ec89c6cd32b88bb3b843690735cb4b5c4a8b90a5d081f7c5b0277d43388ac3e2a3bed94713201c5faea6b193d63590d9af8b9389cff9f84942e96b2

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\libgcc_s_dw2-1.dll

Filesize
142KB

MD5
fa4c3c566aaaa158f0665956e18c807e

SHA1
4b96edd6e7514937cbc5bd51228784fea1cef49f

SHA256
f74a34d781c4db1403418ce29f5359206745f46f13e6e23d394f44eb49961593

SHA512
4cdc60f8a0a06734394946557a5edeafe6516e78b9976628bea39df212a4518b9baea1b6bfaf1cbc2a783224c017d332a5e9a7a97d946f903b56ed6edff57782

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\libstdc++-6.dll

Filesize
2.1MB

MD5
f53687e44acbafb343871e596002145c

SHA1
ef1a14e45ce03329ae1f1b694523e36250b1dd22

SHA256
b1982f752158b0c61eaa44f54764bbcf97c779bb7a07c66ea02772a4299110d2

SHA512
fd736698ba16d83c273ba82a17af2b44eaf80c9ae436975ad50f4d67be3d1ef2e4ddbb2f8227a38e2f6c8aad2dd75648e025790db8eaf5db38e4fe3332c7ad17

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\libwinpthread-1.dll

Filesize
67KB

MD5
d9a2a1df8ee3abc34d107224db728745

SHA1
c9cbc8105087b79cf3f21f059ae2652650be2854

SHA256
7f817bb550afd6d526b19133deb8a9b3e372d3e90ad6cd776d821191ac0347b9

SHA512
e1d98c5184c433151ed51d97c9ddf187b7cff415bfeade201f168a0d0597b3f0cc655af5dff3c58a4e57c12d24c6c3e75fa012ac32b3955d1bfe97d67f8dbd9e

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.3MB

MD5
a6f5b8bc61f0928a46eff7fdcb71ebdf

SHA1
edd7b293fccf082871a4cf5bff076669243f4dc9

SHA256
f39317f37ca84362a71d750a0b952848bb038ee13f2c86e894cd4401f05c6372

SHA512
8f041370fffa503f4fc8bd032073ff4315ef3dbefaea4e8ace899ca59ca958ec71903725469b9a1dfc57113dbd2954d2c1ce0473316d04e88c85efbe0ec0ea20

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE64.tmp\System.dll

Filesize
31KB

MD5
8d5d06ca42b3d9053e9cf72245e45e90

SHA1
bdc3c3c3ab87b0a6a8470ab14349d286efefe91d

SHA256
45f7082cb371ed939b7d4bf0b05ecb2b0b5848339502cd2dd2208fa385d4ada7

SHA512
13c239a2be9618e10c21c6b5c3d4e0e539e4e73ab6f32955d99d1f47ae97cd350ee2e472b8ce59fcce2bb72dec234d7dcf09f8722c2ca26c84ef68b693c01df6

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE64.tmp\nsDialogs.dll

Filesize
14KB

MD5
e0e2338684545674776d3fb9cba7804d

SHA1
9da017c98085b314cb167a451819d6fba070686b

SHA256
f06e803222d4f0915027fca5f058b0e730097e0f282fe3f9a20cd113029e301d

SHA512
bd68a7e7ac60b4e1c92261821e9dfd465f038fc49d2237f610782eec80c742601514e2dc599e97fb91d221469b2a7c367243a9c893272c59230df050f72d6aa2

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE64.tmp\nsExec.dll

Filesize
11KB

MD5
c5db5bad834ca8f40abacffd6d77c55f

SHA1
12322c863fb7e904360074cde64f810be2302c6b

SHA256
77d149713e3430f9944af7a96cc0257240c60b5add9f6231407089c10e791634

SHA512
a5378f6b63ebe140977ba7c505f4b332dd2cc03de67b9080d151ad7f4ece1993d1179cf9692cd4bf2207caf3726da6bf2da51f28dfebbe971cbbd9eb750d0cf9

Download Submit
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download