765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

Analysis

max time kernel
143s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/02/2023, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher.exe
Size

5.2MB
MD5

58e22c0ee91280156cdaadacac7acddb
SHA1

189c552c94a9b0ae0208763bca77f2801debc224
SHA256

765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714
SHA512

9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6
SSDEEP

98304:goW7Z7Wqa9a652L9kLttcV3hMfLOoUawcoU5Z/wx7ctxst7G8zUu:tWd7WqHxL2PctKfLOoURBU5Z/c7uxizF

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F63AD31-A42D-11ED-8589-FE63F52BA449} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000099b02b5e5eb57f39628ca596c89fa3d0b8abc997e4c6f85cfc94939d9e82624c000000000e80000000020000200000008645d3f02300b7487946a2e1cd6335b37472a24fae1bc3c56fd24e518f0cb5279000000072f5449039363481e1d8e7694ec5ac0caf6b6da962181e75dca5048e9335ef30348556c338354120fabb84e4abb6d6b2f2966c56fc664c83a8977c815430b25c8561982fe8bd268c85e95beb2cccf19eae3827ec69e4f237d43137d49db0beb0cef6bf073806c4f9d72b00474eb3b6e18332686528068977a796bb1a1ceb4d4b47b28b83b457d4870b638c3514a6c7fe400000000d3884bd8b7c55aa7082472592cae05d2e1269017197e45303ceee5555d945fe8cc334353b9a4e97b146e67b1ac23d3123a86fc9ff3e6fcc123bfb397ba4742b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000008937ca6a1d704070966766a8ecee83dcc9a9bc21baf91e3cd0ff5bee7ad026e000000000e80000000020000200000006d954c0257bcb11f38054caa3586b8ca7a0e5a71f22523ca1cd2cc9f1549b75a20000000a833274f34f3d706ead61f55e65063d6508a48e21f1d455ca37ac1fc332ab54f40000000a286c066ec90100d5365bda13d62170a9442433525d7269b5dcb5e4c6330a0bcae83a47e86274bee4d28deb4f954c36caa388e6b5a4a656c4e3c04b5f7f1d080	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90017f1a3a38d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382239952"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1256	iexplore.exe
1256	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1256	1588	TLauncher.exe	28
PID 1588 wrote to memory of 1256	1588	TLauncher.exe	28
PID 1588 wrote to memory of 1256	1588	TLauncher.exe	28
PID 1588 wrote to memory of 1256	1588	TLauncher.exe	28
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30
PID 1256 wrote to memory of 1780	1256	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\TLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e00e790eb589118c883448abf24bdc3

SHA1
3f46e7ff84c441d4b15de04d7dbbe4ff1346b698

SHA256
710e091c39b03d85d869fa51ee4304899658b544ca61436b088cdee6241708a8

SHA512
c819048a9c5708c87af9013611a5d42cc3a78da80f4d678f8bb779ee1c82cc8d3159cca51411462729264018492a5871a869937b558c4ced514cedf184f2db95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
28KB

MD5
71a7567956c40bb945524ea2bdcb16b8

SHA1
7d71a5e287df881f398d64b64c4196a8a79ce792

SHA256
22e24246b8cc2ce617086175a0bb29bbf07cbacdd9ab7e91eff0881ad66db4cb

SHA512
2bfa21fd8e153e6c33daa53c50bf0cab90591df91b49dd1933724fc9020a05e87c76042d7eaaecfe1f3d39b07b3080ebb655554ce32745fca0bacd356ba3bb1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OV73KFHY.txt

Filesize
601B

MD5
f2171e19859151611e841e6013598326

SHA1
258a06ae48c507727f0488572849de5589151fd6

SHA256
805276d94f158a0d44af1fd2c0ca35c5b7cf6a83fc0af1e8a3a90bc6376f779a

SHA512
3bf9c73ee3c2e870085556644dd0ab668c3ede52e4967b36cc108f5f1be625343122942cb02238c1f975895b1474fa056a14e8d85e823226febe163961586a6c

Download Submit
memory/1588-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download