107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b

Resubmissions

05/02/2023, 00:36

230205-ayff7sfc59 8

05/02/2023, 00:32

230205-av41dsae71 8

Analysis

max time kernel
161s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/02/2023, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher 3.0.exe
Size

1.2MB
MD5

32c7e3347f8e532e675d154eb07f4ccf
SHA1

5ca004745e2cdab497a7d6ef29c7efb25dc4046d
SHA256

107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b
SHA512

c82f3a01719f30cbb876a1395fda713ddba07b570bc188515b1b705e54e15a7cca5f71f741d51763f63aa5f40e00df06f63b341ed4db6b1be87b3ee59460dbe2
SSDEEP

24576:Dh199z42ojP6a7HJlF9eu5XFQZSIZeNGdmEE8H17UBcegl:R9zbgH3euNFQZr/oEE892cfl

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4792	jre-8u361-windows-x64.exe
4736	jre-8u361-windows-x64.exe

Loads dropped DLL 1 IoCs

pid	Process
4884	javaw.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	firefox.exe
Token: SeDebugPrivilege	1552	firefox.exe
Token: SeDebugPrivilege	1552	firefox.exe
Token: SeDebugPrivilege	1552	firefox.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4884	javaw.exe
4884	javaw.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
1552	firefox.exe
4736	jre-8u361-windows-x64.exe
4736	jre-8u361-windows-x64.exe
4736	jre-8u361-windows-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4884	1116	SKlauncher 3.0.exe	81
PID 1116 wrote to memory of 4884	1116	SKlauncher 3.0.exe	81
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 3824 wrote to memory of 1552	3824	firefox.exe	92
PID 1552 wrote to memory of 1840	1552	firefox.exe	93
PID 1552 wrote to memory of 1840	1552	firefox.exe	93
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 4748	1552	firefox.exe	96
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97
PID 1552 wrote to memory of 2272	1552	firefox.exe	97

C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.0.1489872047\1707603143" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1648 -prefsLen 1 -prefMapSize 219944 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1780 gpu
    3⤵
    PID:1840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.3.1351849491\321188789" -childID 1 -isForBrowser -prefsHandle 2236 -prefMapHandle 2400 -prefsLen 112 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2436 tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.13.1027399543\1177296364" -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3692 -prefsLen 6894 -prefMapSize 219944 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3732 tab
    3⤵
    PID:2272

C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe
"C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe"
1⤵
- Executes dropped EXE
PID:4792
- C:\Users\Admin\AppData\Local\Temp\jds240674546.tmp\jre-8u361-windows-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240674546.tmp\jre-8u361-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4215019691000.dll

Filesize
9KB

MD5
697d496ac9f5aaab8ae025322358c61e

SHA1
2043eac8cdcc2e24b854af1eacd77a5f2a395a27

SHA256
a7273a4cf48ab3413f2c186cc95a3367a73ce99f8d45329383219d4cc27003aa

SHA512
b6702cd49a3af9f97f697565136f140692af9f8b271e672f2e91c920a23212b778583786f2377078117113647926338614a92c4a2423318b7a21ba2fe3a89838

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240674546.tmp\jre-8u361-windows-x64.exe

Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240674546.tmp\jre-8u361-windows-x64.exe

Filesize
61.7MB

MD5
e920cf3e63612868ed4b6cd9612bae77

SHA1
ef64fb46f8e955430d6fbd3778ff03e4c1f0e1b0

SHA256
a45104f8bf9a356b538f74aec9c7d25b92bef2d8e97cc27ed6d7232294a8ed82

SHA512
b02af44d9a87e06b0309e842d550b54b92575ba36a3ea74184bba40d4665751d91c8547ddd9c1c009d413f56829f7fcc604592ba51118c916cd1e039930571b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
446b74740374855952cc28f06e11db10

SHA1
2d06db2bb02ca6566b27dd6aa04346c6ce811765

SHA256
8e40bce8c56632a8cf4e42cfa68df7b716cd06b8b39310c88fd7529b22820f25

SHA512
70ed134d0bf0cb57ca15f9555365e0f6bf7847118233e28ac0194b09350de22eb6e24fa7d924a3013cb3c21b39e0d77d3d23468db4708678570d3b69b347ac7b

Download Submit
C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe

Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
C:\Users\Admin\Downloads\jre-8u361-windows-x64.exe

Filesize
62.1MB

MD5
e70de386ebc763932a181fc37a2ad042

SHA1
18e76e452b289ae2fc167667b55a81b11ec2693f

SHA256
419328f3a2325b1dc27f710abd73e232e9deac47915b4dba61a697b925b5b83d

SHA512
a45cb9c665a867042d0d52f085d095ac774c3f9b10febd858b26d2c899f7c2b5024586156ec572be384b226a8efc44d6757bbbc920843ce58119345bea155a0d

Download Submit
memory/4884-137-0x0000000002590000-0x0000000003590000-memory.dmp

Filesize
16.0MB

Download
memory/4884-153-0x0000000002590000-0x0000000003590000-memory.dmp

Filesize
16.0MB

Download
memory/4884-160-0x0000000002590000-0x0000000003590000-memory.dmp

Filesize
16.0MB

Download
memory/4884-161-0x0000000002590000-0x0000000003590000-memory.dmp

Filesize
16.0MB

Download