765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

Analysis

max time kernel
75s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher.exe
Size

5.2MB
MD5

58e22c0ee91280156cdaadacac7acddb
SHA1

189c552c94a9b0ae0208763bca77f2801debc224
SHA256

765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714
SHA512

9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6
SSDEEP

98304:goW7Z7Wqa9a652L9kLttcV3hMfLOoUawcoU5Z/wx7ctxst7G8zUu:tWd7WqHxL2PctKfLOoURBU5Z/c7uxizF

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000010bd8cd61049756da722e695dd21e64cffdf9fcdab59b102d9607d5310a3c3bf000000000e800000000200002000000012dd6a3cf33b70b04e4cefd71c1325cba1831fca19abb75a22ade4fc728d8762900000009112d6dc4d4964eace026261274bdea1927ef24f1c55f97be4ad7ad7aab2929b12546be231f13f75bacf4dcd48b6b9965050bbfc06aa907f6dd981a20da0d8f0e74337e3fb93ea7201d57dcbcdef6244093881b0dea876c2f3cc80c0217697858a7ca37eb21ff28c27e1e9bc85082fd8d95ba18dc5800f3270ad0280a5f61f84f30876df748f4d21312d0d9c7231167e400000003c110bad39842b7b621bff4292ed7b393936ec01ad338872986d456e4dfd17208f83d7fa5e48404ab804c2e4efa1579df5467541ae6e0b4e714c185ff38b493e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382039362"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b524116736d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000003765af5808ead4c2519217a9a729adb7b9a7f788f8fe72b8a8df6dc31e67079c000000000e8000000002000020000000172c89b8a1d9ef88f397fc1866e185d591ae38b6772cf80639d6bb19284acce5200000008ab61910585041dec51c47f5da4df8978a10e5ed0a99ffd88ae622206f748c3340000000c65299ac27e49511308804123ad5b2009d338ee730ecc817ddea9bc21bd9de06d92dce3a4cb385cdb44413a17452363f99fc76e492779392d18f78fa3bfdede4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{369D0D61-A25A-11ED-96D9-C6AD45B766F5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1232	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1232	iexplore.exe
1232	iexplore.exe
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1232	1704	TLauncher.exe	28
PID 1704 wrote to memory of 1232	1704	TLauncher.exe	28
PID 1704 wrote to memory of 1232	1704	TLauncher.exe	28
PID 1704 wrote to memory of 1232	1704	TLauncher.exe	28
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30
PID 1232 wrote to memory of 1720	1232	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\TLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c331b24f451059e12838e960dba386

SHA1
800bd6ea3f1b8e9b075ee6a4711c14f141d68841

SHA256
734d8f14a0ff95d76b6b94f9318b1d38c52e2ac9e3335039bb4beaa8f4bead06

SHA512
80f235c2bb89719498d4977af152f1f8952a8d82cc82790a54e3bf51c9ab11f1c8d9aa4fd27f4fb608067d6ea42eac87e6d349194c85bb38b497efcf397fe856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

Filesize
28KB

MD5
28b6383fb4ee94f92ae4f6f4dfc87379

SHA1
bece660953fd0ce3280330757c0d54b718149eb9

SHA256
f9b08d0ebae91bac83d52190f105f5beee44c8969c8576d3d585a083a34ccbcf

SHA512
cbc17c1313cd64955b00e7770f87b7fb42eb83296a5cfab1fed7ffe7b20a87f3405602d26110349b6c097109b2adc40ef42fd088f7292a606486e2f311406cce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IRQON92X.txt

Filesize
601B

MD5
c2702a386b6851a6bec440975a0fd481

SHA1
a3c45cba86d264854805e5aa6db4e224a542df53

SHA256
8041b2f2b64b76109217494ab22f9d6f96b4f69b4c13fc28a4da8b4d0c2d2a78

SHA512
e7574783026afc82e91cad7f106a19a8c76ce4509da50279a3668f3c56a1514ebfee791265a88b5d1834710aed44d6912b37d1435b5cec4fae8355ebe4e1f560

Download Submit
memory/1704-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download