983852aa78f3e7d52aa652eab80f80665617e2a80db0968660306220d408c19d

Resubmissions

03/02/2023, 20:35

230203-zc33taee2x 1

03/02/2023, 20:34

03/02/2023, 20:33

03/02/2023, 20:27

03/02/2023, 20:24

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.841-Installer-0.9.5.2.exe
Size

21.0MB
MD5

8652b28eb7ac27b0882377ad94f47aef
SHA1

d1c12a5402fbbd62d75e71c6fd2b8243c4ba2161
SHA256

983852aa78f3e7d52aa652eab80f80665617e2a80db0968660306220d408c19d
SHA512

0bb181feb4bad90b1e526b61b462472762a979a57086499190e340e9978ebfae861b7451411f1205b6385d9fb9fb2cc8e1ac0707536a77aaabe6e307360c50d3
SSDEEP

393216:UXN19opNQ9X0fs/dQETVlOBbpFEj9GZdqV56HpkV3sZH3oegny:UdcE6HExiTTqqHp8aH2y

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	TLauncher-2.841-Installer-0.9.5.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe

Executes dropped EXE 3 IoCs

pid	Process
4928	irsetup.exe
4556	AdditionalExecuteTL.exe
3480	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
3480	irsetup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0004000000022dcd-133.dat	upx
behavioral2/files/0x0004000000022dcd-134.dat	upx
behavioral2/memory/4928-137-0x00000000003B0000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4928-142-0x00000000003B0000-0x0000000000798000-memory.dmp	upx
behavioral2/files/0x0001000000022f01-147.dat	upx
behavioral2/files/0x0001000000022f01-148.dat	upx
behavioral2/memory/3480-151-0x00000000003A0000-0x0000000000788000-memory.dmp	upx
behavioral2/memory/3480-153-0x00000000003A0000-0x0000000000788000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
4928	irsetup.exe
4556	AdditionalExecuteTL.exe
3480	irsetup.exe
3480	irsetup.exe
3480	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4928	4956	TLauncher-2.841-Installer-0.9.5.2.exe	80
PID 4956 wrote to memory of 4928	4956	TLauncher-2.841-Installer-0.9.5.2.exe	80
PID 4956 wrote to memory of 4928	4956	TLauncher-2.841-Installer-0.9.5.2.exe	80
PID 4928 wrote to memory of 4556	4928	irsetup.exe	91
PID 4928 wrote to memory of 4556	4928	irsetup.exe	91
PID 4928 wrote to memory of 4556	4928	irsetup.exe	91
PID 4556 wrote to memory of 3480	4556	AdditionalExecuteTL.exe	92
PID 4556 wrote to memory of 3480	4556	AdditionalExecuteTL.exe	92
PID 4556 wrote to memory of 3480	4556	AdditionalExecuteTL.exe	92

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.5.2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.841-Installer-0.9.5.2.exe" "__IRCT:3" "__IRTSS:22003964" "__IRSID:S-1-5-21-929662420-1054238289-2961194603-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839121" "__IRSID:S-1-5-21-929662420-1054238289-2961194603-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
48856036dda5d4c33584cd67be004e62

SHA1
b93c0f4b94d5e43ff457aa312615f06422fe1699

SHA256
f5592f8504cb203d3dccba9d85faedfe0590a297b2587c829621bb5e2a51a18e

SHA512
ef7c5c77a6a130fdd65834615da31cdb093365096c3709edf8ac37688abe2232817ce1bc7a2c3e3046acd1c70d8da7a923767f56ecebd22954088f3011e7ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
48856036dda5d4c33584cd67be004e62

SHA1
b93c0f4b94d5e43ff457aa312615f06422fe1699

SHA256
f5592f8504cb203d3dccba9d85faedfe0590a297b2587c829621bb5e2a51a18e

SHA512
ef7c5c77a6a130fdd65834615da31cdb093365096c3709edf8ac37688abe2232817ce1bc7a2c3e3046acd1c70d8da7a923767f56ecebd22954088f3011e7ab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
c7f24c85b3cd0810c8d372f1e72c2f1a

SHA1
dbba15ced9ca592cb341224822e81c5f00ab088a

SHA256
305af9d4023fef7486a09cf9a17765c35da5f610de9ff9093e9aedc3023e1563

SHA512
93e4a221cd526e58d550675c99af80c22ff5c2f92a7bd365aadefc653fd4c493388fbddb9523e942a34200fc1605ab47501ec9a4936f018e40be9c748a2fd0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
c7f24c85b3cd0810c8d372f1e72c2f1a

SHA1
dbba15ced9ca592cb341224822e81c5f00ab088a

SHA256
305af9d4023fef7486a09cf9a17765c35da5f610de9ff9093e9aedc3023e1563

SHA512
93e4a221cd526e58d550675c99af80c22ff5c2f92a7bd365aadefc653fd4c493388fbddb9523e942a34200fc1605ab47501ec9a4936f018e40be9c748a2fd0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
3408418e1d8c9faebfb7f04fcab13117

SHA1
b9eb70a3c01922248956034e71699b9fb9f24a35

SHA256
a94527cac24bb6aae5b1e358b3b1ae7303a85ee4fe382cf28948e6dde9015208

SHA512
25a0fa922a65c821d8f2276ee5a55ee419768f5836519fb270dc3a74ce4d9f8ca147711be0e0b17558e2fc8afaa4f2fdf33985c163bebb2d7e8744cc3ac79bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
3408418e1d8c9faebfb7f04fcab13117

SHA1
b9eb70a3c01922248956034e71699b9fb9f24a35

SHA256
a94527cac24bb6aae5b1e358b3b1ae7303a85ee4fe382cf28948e6dde9015208

SHA512
25a0fa922a65c821d8f2276ee5a55ee419768f5836519fb270dc3a74ce4d9f8ca147711be0e0b17558e2fc8afaa4f2fdf33985c163bebb2d7e8744cc3ac79bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
650B

MD5
9beba936de088f0f67f48fc7c30d9d90

SHA1
e98fdf39edc1dc755328d00070af26e9a965ec75

SHA256
c23168593e3da78d67c9fbf28308794455f29b57e2995dd673a810e6e4f93019

SHA512
f00228535a098273f46be076b014e473d750f8569647c4fb788067d85ef5486d62c1ce9e38cac526b7bb2894d3b093bc71a353b2c1c45e23ed2fce43a2cc1026

Download Submit
memory/3480-153-0x00000000003A0000-0x0000000000788000-memory.dmp

Filesize
3.9MB

Download
memory/3480-151-0x00000000003A0000-0x0000000000788000-memory.dmp

Filesize
3.9MB

Download
memory/4928-137-0x00000000003B0000-0x0000000000798000-memory.dmp

Filesize
3.9MB

Download
memory/4928-142-0x00000000003B0000-0x0000000000798000-memory.dmp

Filesize
3.9MB

Download
memory/4928-141-0x0000000006760000-0x0000000006763000-memory.dmp

Filesize
12KB

Download
memory/4928-140-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4928-154-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download