Resubmissions
Submitted          Task                Score
12-03-2023 06:21   230312-g4gd1sfa4y   7
12-03-2023 06:12   230312-gx614afa3t   8
22-02-2023 07:56   230222-js3tzscb51   7
22-02-2023 07:52   230222-jqm1raac95   7
22-02-2023 07:50   230222-jn8vfacb41   7
18-02-2023 19:33   230218-x9t53acf2s   8
Analysis
- max time kernel: 202s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-02-2023 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: TLauncher-2.69-Installer-0.5.2.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: TLauncher-2.69-Installer-0.5.2.exe
  Resource: win10v2004-20230220-en
General
- Target: TLauncher-2.69-Installer-0.5.2.exe
- Size: 14.3MB
- MD5: 5d9aaf4088910768120e081fbbffce80
- SHA1: fa8643e5bbf4cdebddd0bd1af6568540c630fe46
- SHA256: 4c1993ff60a9013a1e7226bf737f84beefeb6b69677d6bc1f544959640479e79
- SHA512: 398c4c2bb0968ee258fb0adb3ebb5516a24c8f5297605ff58aa6de59cb451d480ea289376e7755b66f847abf87ad43c0da310a5a5220c0908c3bde8c878eb886
- SSDEEP: 393216:MXgumBb5fsD441ffz4e4oQL1CbfvIzAtdB7l7RPupq:Mwu05+1Hz4e4tCEzuB7l7RR
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 1028 irsetup.exe
- Loads dropped DLL (6 IoCs)
  Processes: pid 1928 TLauncher-2.69-Installer-0.5.2.exe (4 entries); pid 1028 irsetup.exe (2 entries)
- Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe: upx (4 entries)
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe: upx (3 entries)
  - behavioral1/memory/1028-73-0x0000000000FC0000-0x00000000013A8000-memory.dmp: upx
  - behavioral1/memory/1028-126-0x0000000000FC0000-0x00000000013A8000-memory.dmp: upx
  - behavioral1/memory/1028-150-0x0000000000FC0000-0x00000000013A8000-memory.dmp: upx
  - behavioral1/memory/1028-162-0x0000000000FC0000-0x00000000013A8000-memory.dmp: upx
  - behavioral1/memory/1028-176-0x0000000000FC0000-0x00000000013A8000-memory.dmp: upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes: irsetup.exe, Key created: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: pid 1028 irsetup.exe (6 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 1928 (TLauncher-2.69-Installer-0.5.2.exe) wrote to memory of PID 1028 (irsetup.exe), 7 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:14984508" "__IRSID:S-1-5-21-3948302646-268491222-1934009652-1000"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico (116KB)
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG (339B)
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG (280B)
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG (281B)
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (1.3MB; listed seven times, under both C:\Users\... and \Users\..., with identical hashes each time)
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll (326KB; listed twice with identical hashes)
- \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd (97KB)
- memory/1028, region 0x0000000000FC0000-0x00000000013A8000 (3.9MB): dumps 73, 126, 150, 162, 176
- memory/1028, region 0x0000000010000000-0x0000000010051000 (324KB): dumps 124, 151, 165
- memory/1028, region 0x0000000000500000-0x0000000000503000 (12KB): dump 125
- memory/1928, region 0x0000000002F10000-0x00000000032F8000 (3.9MB): dumps 71, 132