4c1993ff60a9013a1e7226bf737f84beefeb6b69677d6bc1f544959640479e79

Resubmissions

12-03-2023 06:21

230312-g4gd1sfa4y 7

12-03-2023 06:12

22-02-2023 07:56

22-02-2023 07:52

22-02-2023 07:50

18-02-2023 19:33

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-03-2023 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.69-Installer-0.5.2.exe
Size

14.3MB
MD5

5d9aaf4088910768120e081fbbffce80
SHA1

fa8643e5bbf4cdebddd0bd1af6568540c630fe46
SHA256

4c1993ff60a9013a1e7226bf737f84beefeb6b69677d6bc1f544959640479e79
SHA512

398c4c2bb0968ee258fb0adb3ebb5516a24c8f5297605ff58aa6de59cb451d480ea289376e7755b66f847abf87ad43c0da310a5a5220c0908c3bde8c878eb886
SSDEEP

393216:MXgumBb5fsD441ffz4e4oQL1CbfvIzAtdB7l7RPupq:Mwu05+1Hz4e4tCEzuB7l7RR

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

1476 irsetup.exe

pid	process
1476	irsetup.exe

Loads dropped DLL 6 IoCs

Processes:

TLauncher-2.69-Installer-0.5.2.exeirsetup.exe

pid	process
928	TLauncher-2.69-Installer-0.5.2.exe
928	TLauncher-2.69-Installer-0.5.2.exe
928	TLauncher-2.69-Installer-0.5.2.exe
928	TLauncher-2.69-Installer-0.5.2.exe
1476	irsetup.exe
1476	irsetup.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1476-73-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1476-127-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-129-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-164-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-176-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-178-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-248-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx
behavioral1/memory/1476-250-0x0000000000B70000-0x0000000000F58000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

irsetup.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main irsetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

irsetup.exe

pid process

1476 irsetup.exe
1476 irsetup.exe
1476 irsetup.exe
1476 irsetup.exe
1476 irsetup.exe
1476 irsetup.exe

pid	process
1476	irsetup.exe
1476	irsetup.exe
1476	irsetup.exe
1476	irsetup.exe
1476	irsetup.exe
1476	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

TLauncher-2.69-Installer-0.5.2.exe

description	pid	process	target process
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe
PID 928 wrote to memory of 1476	928	TLauncher-2.69-Installer-0.5.2.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.69-Installer-0.5.2.exe" "__IRCT:1" "__IRTSS:14984508" "__IRSID:S-1-5-21-1283023626-844874658-3193756055-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Filesize
339B

MD5
67510c285d37f5baeea565363bd3be76

SHA1
dbd5e91a769a07833e086078067789bf34ecdbd4

SHA256
59deb2dd2435e4b0fbb3aca2b391c124f4c32769dcad7aadb015488f323965f9

SHA512
bf7b109c978a182c5c74d9fe8db0167750e5597403cd5e98666222229b561f069a6eaf1877420abe74f1b2cffde825e56f178834ca59f949319df240a6aefa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG19.PNG
Filesize
438B

MD5
d4c60c0b841271306df0b670800480ce

SHA1
d4b9acfad9a8dc06f71c59ead9367a00e49300db

SHA256
238558af2083ce123f00649509ffda957b18e36bf378414ce7919c938f9bed39

SHA512
d1b54c1a8b56947770939a4a6ceb9889e4dab6172b03c9030b3708d546f34191df997b3ed5ffe4a089a9e2ba7089eef7dbb49e32e97779e83319e7c5f036848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG
Filesize
280B

MD5
8e1c30a8b847f121aea0d1de0fd2bab3

SHA1
9c41ea0a30d8d149322c2f36aa158bf966cc8d57

SHA256
8deff78bc2e2d6471b64d4d94feadee385eedfa3e78f704c9effd880abd10b95

SHA512
5e2e470fab64f73782d303da1bd155fb4d1cc4bc80fb967f23414a4f9ae1d0cdb41619b584da70747377a84717835c9b6efb42dd6d279d11a3b272a928b3c614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Filesize
281B

MD5
d30c4f18d275ba0d682c1aeb8742d52d

SHA1
f67a75000edb681e359d7dfb0d887010ea100ffc

SHA256
24f59e16e5795f33426a676419c6397cf48062b59e6b1535453d9a438d3ad658

SHA512
f3dd23e4b3d69462321c5350edc678c1ee5244a3a19b5dae3fdbc88bcd055887a43c5007da02d31af76c437d2a5199e233c9b62f1d40cbc9f920a4f1bf517351

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
4240de83a3f64b1c933d526bf12ef208

SHA1
a640594deabe61478da767cdec444b8de950c5f1

SHA256
e31afb1d2477da49daa2c4d8c74b3f317becf27bcb46a8e4c58f0439b3c2b5e4

SHA512
0e072b3378cf99832697e80c3ad0585175e5fcdba1b6cc7b92be993f76bb49c88166a24f3a353daa4f08e8757f0a2610769c02495cf855a913345141fd92edbd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/928-71-0x0000000002FC0000-0x00000000033A8000-memory.dmp

Filesize
3.9MB

Download
memory/928-72-0x0000000002FC0000-0x00000000033A8000-memory.dmp

Filesize
3.9MB

Download
memory/1476-164-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-115-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1476-134-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1476-73-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-116-0x0000000000AC0000-0x0000000000AC3000-memory.dmp

Filesize
12KB

Download
memory/1476-127-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-165-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1476-129-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-176-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-178-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-128-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1476-248-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download
memory/1476-249-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1476-250-0x0000000000B70000-0x0000000000F58000-memory.dmp

Filesize
3.9MB

Download