4c1993ff60a9013a1e7226bf737f84beefeb6b69677d6bc1f544959640479e79

Resubmissions

11-03-2023 13:44

230311-q153mshg23 7

11-03-2023 13:38

230311-qxrqvahf94 8

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.69-Installer-0.5.2.exe
Size

14.3MB
MD5

5d9aaf4088910768120e081fbbffce80
SHA1

fa8643e5bbf4cdebddd0bd1af6568540c630fe46
SHA256

4c1993ff60a9013a1e7226bf737f84beefeb6b69677d6bc1f544959640479e79
SHA512

398c4c2bb0968ee258fb0adb3ebb5516a24c8f5297605ff58aa6de59cb451d480ea289376e7755b66f847abf87ad43c0da310a5a5220c0908c3bde8c878eb886
SSDEEP

393216:MXgumBb5fsD441ffz4e4oQL1CbfvIzAtdB7l7RPupq:Mwu05+1Hz4e4tCEzuB7l7RR

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	TLauncher-2.69-Installer-0.5.2.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	irsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	irsetup.exe
3016	irsetup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002315d-138.dat	upx
behavioral2/files/0x000800000002315d-143.dat	upx
behavioral2/files/0x000800000002315d-144.dat	upx
behavioral2/memory/3016-146-0x0000000000160000-0x0000000000548000-memory.dmp	upx
behavioral2/memory/3016-201-0x0000000000160000-0x0000000000548000-memory.dmp	upx
behavioral2/memory/3016-301-0x0000000000160000-0x0000000000548000-memory.dmp	upx
behavioral2/memory/3016-359-0x0000000000160000-0x0000000000548000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3016	irsetup.exe
3016	irsetup.exe
3016	irsetup.exe
3016	irsetup.exe
3016	irsetup.exe
3016	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3016	1344	TLauncher-2.69-Installer-0.5.2.exe	85
PID 1344 wrote to memory of 3016	1344	TLauncher-2.69-Installer-0.5.2.exe	85
PID 1344 wrote to memory of 3016	1344	TLauncher-2.69-Installer-0.5.2.exe	85

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:14984508" "__IRSID:S-1-5-21-2275444769-3691835758-4097679484-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3016
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    PID:1704
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
67510c285d37f5baeea565363bd3be76

SHA1
dbd5e91a769a07833e086078067789bf34ecdbd4

SHA256
59deb2dd2435e4b0fbb3aca2b391c124f4c32769dcad7aadb015488f323965f9

SHA512
bf7b109c978a182c5c74d9fe8db0167750e5597403cd5e98666222229b561f069a6eaf1877420abe74f1b2cffde825e56f178834ca59f949319df240a6aefa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG19.PNG

Filesize
438B

MD5
d4c60c0b841271306df0b670800480ce

SHA1
d4b9acfad9a8dc06f71c59ead9367a00e49300db

SHA256
238558af2083ce123f00649509ffda957b18e36bf378414ce7919c938f9bed39

SHA512
d1b54c1a8b56947770939a4a6ceb9889e4dab6172b03c9030b3708d546f34191df997b3ed5ffe4a089a9e2ba7089eef7dbb49e32e97779e83319e7c5f036848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
8e1c30a8b847f121aea0d1de0fd2bab3

SHA1
9c41ea0a30d8d149322c2f36aa158bf966cc8d57

SHA256
8deff78bc2e2d6471b64d4d94feadee385eedfa3e78f704c9effd880abd10b95

SHA512
5e2e470fab64f73782d303da1bd155fb4d1cc4bc80fb967f23414a4f9ae1d0cdb41619b584da70747377a84717835c9b6efb42dd6d279d11a3b272a928b3c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
d30c4f18d275ba0d682c1aeb8742d52d

SHA1
f67a75000edb681e359d7dfb0d887010ea100ffc

SHA256
24f59e16e5795f33426a676419c6397cf48062b59e6b1535453d9a438d3ad658

SHA512
f3dd23e4b3d69462321c5350edc678c1ee5244a3a19b5dae3fdbc88bcd055887a43c5007da02d31af76c437d2a5199e233c9b62f1d40cbc9f920a4f1bf517351

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
2.7MB

MD5
cb027aa142f066c4f4fb9de5ff6ff493

SHA1
70a3ecaae4728c2a97c99f5fc7c12268e349ec91

SHA256
682500d7ea4034f74fc2387b77a7a6cd3d6e06d6bd992ebbbb29978a33d1bd01

SHA512
79a973dfd3c1a860a495672a07f6f17286cdbebe04492117d03cbcf9e3a383b8140102f2e6cf700bdbe9821f0ae93e5fe52c3604c1be593040e9cc64e76e576e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
2.7MB

MD5
cb027aa142f066c4f4fb9de5ff6ff493

SHA1
70a3ecaae4728c2a97c99f5fc7c12268e349ec91

SHA256
682500d7ea4034f74fc2387b77a7a6cd3d6e06d6bd992ebbbb29978a33d1bd01

SHA512
79a973dfd3c1a860a495672a07f6f17286cdbebe04492117d03cbcf9e3a383b8140102f2e6cf700bdbe9821f0ae93e5fe52c3604c1be593040e9cc64e76e576e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
2.7MB

MD5
cb027aa142f066c4f4fb9de5ff6ff493

SHA1
70a3ecaae4728c2a97c99f5fc7c12268e349ec91

SHA256
682500d7ea4034f74fc2387b77a7a6cd3d6e06d6bd992ebbbb29978a33d1bd01

SHA512
79a973dfd3c1a860a495672a07f6f17286cdbebe04492117d03cbcf9e3a383b8140102f2e6cf700bdbe9821f0ae93e5fe52c3604c1be593040e9cc64e76e576e

Download Submit
memory/1704-358-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3016-202-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3016-226-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3016-301-0x0000000000160000-0x0000000000548000-memory.dmp

Filesize
3.9MB

Download
memory/3016-302-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3016-201-0x0000000000160000-0x0000000000548000-memory.dmp

Filesize
3.9MB

Download
memory/3016-190-0x0000000005A00000-0x0000000005A03000-memory.dmp

Filesize
12KB

Download
memory/3016-189-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3016-146-0x0000000000160000-0x0000000000548000-memory.dmp

Filesize
3.9MB

Download
memory/3016-359-0x0000000000160000-0x0000000000548000-memory.dmp

Filesize
3.9MB

Download