122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb

Analysis

max time kernel
121s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/02/2023, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LauncherFenix-Minecraft-v7.exe
Size

397KB
MD5

d99bb55b57712065bc88be297c1da38c
SHA1

fb6662dd31e8e5be380fbd7a33a50a45953fe1e7
SHA256

122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb
SHA512

3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17
SSDEEP

3072:puzvch1rugYc4wqYSRR756K7ItBjgXHUYCnlK:Wch1aIqYSRVM+unlK

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\ = "26"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{015C3D91-A27F-11ED-A755-C22E595EE768} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "58"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\ = "58"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382055164"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "26"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\Total = "58"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0fa8ce08b36d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\Total = "15704"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "15704"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\ = "15704"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000bba3acf2e8606438f66f375fccaa284000000000200000000001066000000010000200000001d74ff874378405f173c520cd7af37c02f9f5159046f18e40acf6d4bb3ab55a2000000000e80000000020000200000004cddca32fde14313671cd7a018ea8827f05344d1a0dd024b482f8b51ceb80dfd20000000b600c804669f051ec037b4738bb506b8e213b6b2bd05b63f60415ac0be6031a140000000b06c38152a14b7495cd5bc4ef7a2798d8f0b392a9d335ce3dcb2b2b1c2ee981b0a56e0a5338b84dd63c372896452b50091ccedc98a97561ea963592fd608ff8d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000bba3acf2e8606438f66f375fccaa284000000000200000000001066000000010000200000007e2bdfc2c583bda36f603ae95801df8106f566ecddcbbba66bf0e2386a432829000000000e8000000002000020000000eea22ae397176293acf6d825a41d88d645d5f19bc72c601beb4078f4be5d42f6900000004699bde48ffc7fc1f9d15f9fc57e52c135ad42c8bf2740c76d3824d1bb3c7bbd1e9e21fc9def43f32664136fe92a9fbe90cb3e77bad1215813057e7ab23a9bb2dbfb421bff33c8e9cce843d927620f661cc3c9516d043be81ce31f95344bf53edc4eeca3bb6642770b53d033aae53dbf5926b72e6f6c09f8a16c568a0edfafdc996a2e56189eab55197d2f38dcd853d040000000230d7470038a5673cee39a6cb596637063040bcb9df6613d74a75748d6c94a9a2614a5124de0e016860a7c9e2fcc34b6e8814d890504985c40d14ae4f0a67435	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\launcherfenix.com.ar\Total = "26"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	788	AUDIODG.EXE
Token: 33	788	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	788	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
628	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1740	javaw.exe
1740	javaw.exe
628	iexplore.exe
628	iexplore.exe
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1740	1236	LauncherFenix-Minecraft-v7.exe	26
PID 1236 wrote to memory of 1740	1236	LauncherFenix-Minecraft-v7.exe	26
PID 1236 wrote to memory of 1740	1236	LauncherFenix-Minecraft-v7.exe	26
PID 1236 wrote to memory of 1740	1236	LauncherFenix-Minecraft-v7.exe	26
PID 1740 wrote to memory of 628	1740	javaw.exe	27
PID 1740 wrote to memory of 628	1740	javaw.exe	27
PID 1740 wrote to memory of 628	1740	javaw.exe	27
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29
PID 628 wrote to memory of 1036	628	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe
"C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://launcherfenix.com.ar/wope/register/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x268
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91aee11346fd2c29a9fa9789171868d3

SHA1
49eb13ef29c5a5fd01b785d1e08863e22f407ed2

SHA256
ec68e335351de113b5d290e77643e02911f343439c3e1941c96b4075d65bb57e

SHA512
bee781c60ccdbbfeba6156aa4cd2cbf7d653126208fb786243d46a9a9c1d777804ee51e406963dcb93ec6115eeabda31b65029b215e442147a41c8b39bb796cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
13KB

MD5
0c11aec4fe754cf759e6fcfff633ed0b

SHA1
cbe25250418142526343cf3b69154010589b7bdb

SHA256
35fdb9e7af58def84176303304d956cd51264b5a15e092fdee5e3109cbb2b4be

SHA512
e7cc2ecbea3a06ac960669a82c0987cf66112c8315c41e27f68010305ce710dcd36d7a0a13f10b22dd0496c431325cc75cce11760fab70c489dd3f43e06a57a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4WTFACK6.txt

Filesize
605B

MD5
795f998065f4f0a95f30cccfa5e21913

SHA1
3a101f3c4ce7b57b3e71be07137eb80c09407746

SHA256
c5ef71480da6fc1c27dda3466caa5e70bf9c1d9f9420f57994cbad39366728a8

SHA512
b8df4c2cfd36489e4cf749846d9d5cbdcca3c7e9236c063312088ccf0983bd20f90ec108f35838acdf7769511155d5ce1716fd3a439099078cb4b90b653b6b4e

Download Submit
memory/1236-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1740-61-0x0000000002050000-0x0000000005050000-memory.dmp

Filesize
48.0MB

Download
memory/1740-72-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/1740-74-0x0000000002050000-0x0000000005050000-memory.dmp

Filesize
48.0MB

Download
memory/1740-75-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/1740-71-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1740-70-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1740-56-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download