df2d2516e905cdc87a68ec456f881664a5b158ba810934251d7b70a740679588

General

Target

LegacyLauncher_legacy.jar
Size

9.2MB
MD5

45e7627b8542f033fc67ac7fb6d22537
SHA1

e6149d3d7d34f1ba3d8214e66433ce7dd25fb0bb
SHA256

df2d2516e905cdc87a68ec456f881664a5b158ba810934251d7b70a740679588
SHA512

a573ce983c6c93ef53459bffe16b9d442ca1906e58064e53444f74573f43ea2e62c7516823a3eb0f17fc3beadf6dc4fb4ba9b0094b6ef7f02c26d97e0f579f48
SSDEEP

196608:91SdSZ9fzJ+vzQWTvG5RORTW5mcqyd+Tt9t4y:9US+TqRZ2yd+h0y

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1452	java.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	java.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	java.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	taskmgr.exe
Token: SeSystemProfilePrivilege	2988	taskmgr.exe
Token: SeCreateGlobalPrivilege	2988	taskmgr.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe
2988	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1452	java.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1452	1944	java.exe	86
PID 1944 wrote to memory of 1452	1944	java.exe	86

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\LegacyLauncher_legacy.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -Xmx128m -Dfile.encoding=UTF-8 -Dtlauncher.systemCharset=windows-1252 -Dtlauncher.logFolder=C:\Users\Admin\AppData\Roaming\.tlauncher\logs -classpath C:\Users\Admin\AppData\Local\Temp\LegacyLauncher_legacy.jar ru.turikhay.tlauncher.bootstrap.Bootstrap
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
1072993f4276d3979693b8a23d9a8349

SHA1
fcd3730fd5ad3a78bf26271d48d698b19b0138d3

SHA256
5b43c96e1fcffc8511993de7dfc19e497548e8eecef0e77d4ee372a7488759a4

SHA512
15b13bea113118af1a529b9b6888a2f21078511c42fef88e35b0b79645f1433907fe99617f7ed5dd8fbd6b1d682407f13736235c554815ca65087e2d399f0605

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-5234590255000.dll

Filesize
9KB

MD5
697d496ac9f5aaab8ae025322358c61e

SHA1
2043eac8cdcc2e24b854af1eacd77a5f2a395a27

SHA256
a7273a4cf48ab3413f2c186cc95a3367a73ce99f8d45329383219d4cc27003aa

SHA512
b6702cd49a3af9f97f697565136f140692af9f8b271e672f2e91c920a23212b778583786f2377078117113647926338614a92c4a2423318b7a21ba2fe3a89838

Download Submit
memory/1452-178-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-194-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-157-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-159-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-160-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-166-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-172-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-174-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-253-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-183-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1452-190-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-251-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-199-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-216-0x00000000024A0000-0x00000000034A0000-memory.dmp

Filesize
16.0MB

Download
memory/1452-249-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1944-144-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1944-148-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1944-137-0x0000000003140000-0x0000000004140000-memory.dmp

Filesize
16.0MB

Download
memory/2988-256-0x000001B841750000-0x000001B841751000-memory.dmp

Filesize
4KB

Download
memory/2988-255-0x000001B841750000-0x000001B841751000-memory.dmp

Filesize
4KB

Download
memory/2988-257-0x000001B841750000-0x000001B841751000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing