aaa97277a05d8f2ae63b523f08153871eef5fc50b498b9a6c75e9fe9e32da4b0

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMClient Launcher Installer.exe
Size

2.2MB
MD5

9fb19562e873d638c70c270c028cb8fe
SHA1

8d696a1f7cbd398378ff323095c6fbcb04f3351c
SHA256

aaa97277a05d8f2ae63b523f08153871eef5fc50b498b9a6c75e9fe9e32da4b0
SHA512

adb3f6754ab1bf53a8d78a606ea7f2c8b156cc51a04f7809d9727d9b6110cbd83903b55446d0953b4233834b947fcfb2e6b4b8801d9eb265a1f03107cba5ff1d
SSDEEP

49152:5BuZrEUBTVPI7yXvxOvTdUr5JAQKfnVQ1aFR1QjU:PkLBTVP6yXvxQdUHgd8maU

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4912	CMClient Launcher Installer.tmp
984	launcher.exe
3944	i4jdel0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\CMClient Launcher\launcher.exe	CMClient Launcher Installer.tmp
File created	C:\Program Files\CMClient Launcher\unins000.dat	CMClient Launcher Installer.tmp
File created	C:\Program Files\CMClient Launcher\is-VDQE1.tmp	CMClient Launcher Installer.tmp
File created	C:\Program Files\CMClient Launcher\is-HKN91.tmp	CMClient Launcher Installer.tmp
File opened for modification	C:\Program Files\CMClient Launcher\unins000.dat	CMClient Launcher Installer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	CMClient Launcher Installer.tmp
4912	CMClient Launcher Installer.tmp

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1928	wmic.exe
Token: SeSecurityPrivilege	1928	wmic.exe
Token: SeTakeOwnershipPrivilege	1928	wmic.exe
Token: SeLoadDriverPrivilege	1928	wmic.exe
Token: SeSystemProfilePrivilege	1928	wmic.exe
Token: SeSystemtimePrivilege	1928	wmic.exe
Token: SeProfSingleProcessPrivilege	1928	wmic.exe
Token: SeIncBasePriorityPrivilege	1928	wmic.exe
Token: SeCreatePagefilePrivilege	1928	wmic.exe
Token: SeBackupPrivilege	1928	wmic.exe
Token: SeRestorePrivilege	1928	wmic.exe
Token: SeShutdownPrivilege	1928	wmic.exe
Token: SeDebugPrivilege	1928	wmic.exe
Token: SeSystemEnvironmentPrivilege	1928	wmic.exe
Token: SeRemoteShutdownPrivilege	1928	wmic.exe
Token: SeUndockPrivilege	1928	wmic.exe
Token: SeManageVolumePrivilege	1928	wmic.exe
Token: 33	1928	wmic.exe
Token: 34	1928	wmic.exe
Token: 35	1928	wmic.exe
Token: 36	1928	wmic.exe
Token: SeIncreaseQuotaPrivilege	1928	wmic.exe
Token: SeSecurityPrivilege	1928	wmic.exe
Token: SeTakeOwnershipPrivilege	1928	wmic.exe
Token: SeLoadDriverPrivilege	1928	wmic.exe
Token: SeSystemProfilePrivilege	1928	wmic.exe
Token: SeSystemtimePrivilege	1928	wmic.exe
Token: SeProfSingleProcessPrivilege	1928	wmic.exe
Token: SeIncBasePriorityPrivilege	1928	wmic.exe
Token: SeCreatePagefilePrivilege	1928	wmic.exe
Token: SeBackupPrivilege	1928	wmic.exe
Token: SeRestorePrivilege	1928	wmic.exe
Token: SeShutdownPrivilege	1928	wmic.exe
Token: SeDebugPrivilege	1928	wmic.exe
Token: SeSystemEnvironmentPrivilege	1928	wmic.exe
Token: SeRemoteShutdownPrivilege	1928	wmic.exe
Token: SeUndockPrivilege	1928	wmic.exe
Token: SeManageVolumePrivilege	1928	wmic.exe
Token: 33	1928	wmic.exe
Token: 34	1928	wmic.exe
Token: 35	1928	wmic.exe
Token: 36	1928	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4912	CMClient Launcher Installer.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
984	launcher.exe
984	launcher.exe
4852	java.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4912	4860	CMClient Launcher Installer.exe	82
PID 4860 wrote to memory of 4912	4860	CMClient Launcher Installer.exe	82
PID 4860 wrote to memory of 4912	4860	CMClient Launcher Installer.exe	82
PID 984 wrote to memory of 4064	984	launcher.exe	94
PID 984 wrote to memory of 4064	984	launcher.exe	94
PID 984 wrote to memory of 4852	984	launcher.exe	96
PID 984 wrote to memory of 4852	984	launcher.exe	96
PID 984 wrote to memory of 3944	984	launcher.exe	98
PID 984 wrote to memory of 3944	984	launcher.exe	98
PID 984 wrote to memory of 3944	984	launcher.exe	98
PID 4852 wrote to memory of 1928	4852	java.exe	99
PID 4852 wrote to memory of 1928	4852	java.exe	99

C:\Users\Admin\AppData\Local\Temp\CMClient Launcher Installer.exe
"C:\Users\Admin\AppData\Local\Temp\CMClient Launcher Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\is-9KKCQ.tmp\CMClient Launcher Installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9KKCQ.tmp\CMClient Launcher Installer.tmp" /SL5="$8005E,1494835,890880,C:\Users\Admin\AppData\Local\Temp\CMClient Launcher Installer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4912

C:\Program Files\CMClient Launcher\launcher.exe
"C:\Program Files\CMClient Launcher\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984
- \??\c:\PROGRA~1\java\JRE18~1.0_6\bin\java.exe
  "c:\PROGRA~1\java\JRE18~1.0_6\bin\java.exe" -version
  2⤵
  PID:4064
- \??\c:\program files\java\jre1.8.0_66\bin\java.exe
  java -jar C:\Users\Admin/.cmclient/launcher.jar
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe
  C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe i4j4563631346554831233.tmp
  2⤵
  - Executes dropped EXE
  PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CMClient Launcher\launcher.exe

Filesize
645KB

MD5
cb4252ec1369b1537e697275ad08ef5f

SHA1
b5bf55def27db33de79da4dd73cc167f0fcd8c6c

SHA256
27faa1fba53791ffbcd52c22672165dcaed9b702e16f336134e751abc588fb82

SHA512
d81a97148094ca3d0e3eb25ba5e5483779fe7b62a913e608104255f522e21410951fa4050b349cfc59ce756a08e5775e84b805534f6b40cb40300b1fcde5070e

Download Submit
C:\Program Files\CMClient Launcher\launcher.exe

Filesize
645KB

MD5
cb4252ec1369b1537e697275ad08ef5f

SHA1
b5bf55def27db33de79da4dd73cc167f0fcd8c6c

SHA256
27faa1fba53791ffbcd52c22672165dcaed9b702e16f336134e751abc588fb82

SHA512
d81a97148094ca3d0e3eb25ba5e5483779fe7b62a913e608104255f522e21410951fa4050b349cfc59ce756a08e5775e84b805534f6b40cb40300b1fcde5070e

Download Submit
C:\Users\Admin\.cmclient\launcher.jar

Filesize
726KB

MD5
330af67c8de87ee0d77dd5c312c1edd8

SHA1
edabcc21f3a4b606f53df9eab5906d839111216d

SHA256
821c598d8eac52ba292a82e75e4f0affcc6c0ab9453e57518a58a2f99e11be99

SHA512
bbbd23a9f3d117188bf45f3a27bb520462e2b5f0a3a40b54049fa56c6e13942f5c48a87850e76be926a4b34a2c7514a5e328b5c9aaba2c262b6f6f45b5513aaa

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
e2cc12a21c2e28d540b7e51094b04387

SHA1
2c07e464cf059e48b9e25474f350f114997dd914

SHA256
897794ef52db7ffe1f52cbebccc19321da1cd1cf6e469632b87adf9d8488e7ec

SHA512
5f203821d4a1bca7b7fc4b32e2925bf6e230035ac208167585713ada8e1aba53199ae2869fd01dd89ffcaed458d126a7ca808c21b8c319d6333748dd122a1341

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
7b68b67a6cd479e861cdd5f631be8fe5

SHA1
9a896ae216055add290ee444d0850d4c2efcbe66

SHA256
39f5b3c92c01f2a93276aad77670a18c3e59d4d1579b87e406ecdef25873fb71

SHA512
ea0e27bfe084626be0a6efb2122d2cffa07c7a94b028c6d37f2396e00f21450b5e9921dbdbb00de4f400f71c3fc05a525bef265b4ef8c0d375f2ccef2814cff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4jC20.tmp_dir1675207519\exe4jlib.jar

Filesize
61KB

MD5
c2dea2181fb59aea9d15de0d6a3168c4

SHA1
80eefb8dd12c799807781bf9d8698dae4bb414ba

SHA256
54506d5fba68d81da8bba68a510ba0b7234d25b60a0a85a1f4c994eee5bcc98a

SHA512
e4cff7d77a7216cfb3b5f3bfa61f39902400c1490ab39a1cc1a9ff6c701e7b76c6054671b033698554132c1173501e8653e68998c3646527a5bd0075ae904dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4jC20.tmp_dir1675207519\i4jdel.exe

Filesize
91KB

MD5
8ea17fccb7319e49fb8f1b22b304c47d

SHA1
9885a6c4f6f7c8e06770838c93a647cedb940b0f

SHA256
c3d1e3ef9aeb3e05158c0a5df0b0724fd4c807a10c9910ef895a43c0fe789f91

SHA512
8dcd1307479a55332861c5d816efbef5b65527baca60a1021784c189537c2a75568844b05f4a8dd16f0951374eb3d68e0a6554105fd1f25da82f52a281160eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4jC20.tmp_dir1675207519\loader.jar

Filesize
64KB

MD5
a3c81aec38e689bf37eb9c5ceebdfd81

SHA1
afc7d82103b0c8db1ccfd2048c20201b1460e473

SHA256
f3796b17989a596d9af212df6388b753af82c2d0e6b9fc93c4f9e3c2c62de556

SHA512
84d3178f7765cfc57b50bba3203c9343327679d718888b57b72f589c48570e6da34abc9092609ab174074ab9a8a3f3919db1a54962491bc325302f10213739e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4j4563631346554831233.tmp

Filesize
844B

MD5
b1e4bfd53d89f0d38a7d620556b5b30b

SHA1
c84ef277a5d59f3b95768a0cf13e698b2de47c31

SHA256
34387e3e2e5b30fe090d36a5905e98db4ce94bbf0d82dc4e1909db5d0b58d6b8

SHA512
0cd2499031b3b1f4cd43e315a0ddac7b5b5e29a92486114e63014a918cf52ffc106abcf4f58ce0b219ce866bcbe5a3210c78840ed1d31b0cddb6edb8d55119c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe

Filesize
91KB

MD5
8ea17fccb7319e49fb8f1b22b304c47d

SHA1
9885a6c4f6f7c8e06770838c93a647cedb940b0f

SHA256
c3d1e3ef9aeb3e05158c0a5df0b0724fd4c807a10c9910ef895a43c0fe789f91

SHA512
8dcd1307479a55332861c5d816efbef5b65527baca60a1021784c189537c2a75568844b05f4a8dd16f0951374eb3d68e0a6554105fd1f25da82f52a281160eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe

Filesize
91KB

MD5
8ea17fccb7319e49fb8f1b22b304c47d

SHA1
9885a6c4f6f7c8e06770838c93a647cedb940b0f

SHA256
c3d1e3ef9aeb3e05158c0a5df0b0724fd4c807a10c9910ef895a43c0fe789f91

SHA512
8dcd1307479a55332861c5d816efbef5b65527baca60a1021784c189537c2a75568844b05f4a8dd16f0951374eb3d68e0a6554105fd1f25da82f52a281160eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9KKCQ.tmp\CMClient Launcher Installer.tmp

Filesize
3.1MB

MD5
6c9f3e821b1dfa6dcaf36e4812ee553f

SHA1
b443f6984d73cb9bfba77cf797506b523489243c

SHA256
1651fa9780ebe952f68fcf3744dceedd5db11a4db1f398f3b5900f34274137f7

SHA512
662454b91e8024d2b22092c41fde3f575383f1dfdabdb3f423be9278cc4edac57d612b2c876c00702d77cbf20d3d2696e73bba5979f58c19b0c027bd05e9e0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9KKCQ.tmp\CMClient Launcher Installer.tmp

Filesize
3.1MB

MD5
6c9f3e821b1dfa6dcaf36e4812ee553f

SHA1
b443f6984d73cb9bfba77cf797506b523489243c

SHA256
1651fa9780ebe952f68fcf3744dceedd5db11a4db1f398f3b5900f34274137f7

SHA512
662454b91e8024d2b22092c41fde3f575383f1dfdabdb3f423be9278cc4edac57d612b2c876c00702d77cbf20d3d2696e73bba5979f58c19b0c027bd05e9e0aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\83aa4cc77f591dfc2374580bbd95f6ba_8329e3af-909b-464f-88cb-23d8b2c5eadf

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/984-163-0x0000000002D10000-0x0000000003D10000-memory.dmp

Filesize
16.0MB

Download
memory/984-185-0x0000000002D10000-0x0000000003D10000-memory.dmp

Filesize
16.0MB

Download
memory/4852-193-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/4852-208-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/4852-223-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/4852-231-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/4852-245-0x0000000002370000-0x0000000003370000-memory.dmp

Filesize
16.0MB

Download
memory/4860-132-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4860-134-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4860-139-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4860-138-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download