Resubmissions
05-10-2024 21:24
241005-z9agrstapj 803-09-2023 03:11
230903-dpwcvagb5v 703-09-2023 03:06
230903-dl6peagb41 703-09-2023 02:48
230903-daplragd86 803-09-2023 02:45
230903-c8vpzsga9x 828-05-2023 20:42
230528-zg5gfaha3t 803-05-2023 06:50
230503-hlye9adh28 1003-05-2023 06:42
230503-hgglyaff81 8Analysis
-
max time kernel
254s -
max time network
259s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
03-09-2023 03:06
Errors
General
-
Target
TLauncher-2.879-Installer-1.1.1.exe
-
Size
22.6MB
-
MD5
c4ceda8c435298d23cc40a842f426d61
-
SHA1
c7337094f09852b00a815950e96f3292295e9e15
-
SHA256
e132be19bc7ae8a96d3d620710fa26b614e022abecccc161ad733eff732afcd6
-
SHA512
25e74422d3b7adeb0cc805bbe41298d4e0fcf984b038c63a3a4faeea16e10a18f113c9a7d946e16f377ad9e3a5ca0a6425d7650b62c1e5db9ee2299e9921f52b
-
SSDEEP
393216:LXfgqusAgbGPfs/dQETVlOBbpFEjdGphRqV56Hpkf+V4scTKAjENq3:LvtDpsHExi73qqHpg+Vvc+Amc
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.879-Installer-1.1.1.exe" "__IRCT:3" "__IRTSS:23652314" "__IRSID:S-1-5-21-2474409663-2236862430-1045297337-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault25c22b1fhc5deh4886hbbbfhdb12d4140dda1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd44e346f8,0x7ffd44e34708,0x7ffd44e347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8399875266178859621,8394213502680831497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8399875266178859621,8394213502680831497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8399875266178859621,8394213502680831497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b4055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5517205e83111b90a2d6664d51bc218f4
SHA1d88df7db81c6e3ac5bab7716919b4b4fb09921fc
SHA256d3160b9409e5d6dbbef1021ebfa6c1436f9d5e4e005ea381aaaa35985e1b9040
SHA512b8c40f41f5e5cd56d2253fb905dd04c4a622ec14d234fa29e2a8a4947d925267a41c049e6a3f1c5e6c844286c9c0b71adc06587760710c18d6a21727fbb5707e
-
Filesize
749B
MD5e972fa20aeab6c7e7c21cda5a9e25846
SHA1d90e4b999af1f44ceb94874cc8d09465a3b2380f
SHA256b5197398a7a1d02750d8f97b5230e20fb56e5fc73aed07d8e5b4a82a4bec46bc
SHA51263e2e92ffd6d27403659cc11bd85e05bcad0d2e275e6603aff2596fce43c6de5285ebafd64f7885ee82690e71c24421ac38a5a930d178f695ff3ba8b12102622
-
Filesize
152B
MD5d8294073f3582e3c0a607a60b6d6ca48
SHA13ee881f415563afd0c8265f37eb78235aae909bd
SHA25631900aacca28ff914c07a077cb9a39ec437ee059958564d718d04ae47426e286
SHA5128c256228dadfa577cdf938d25ac082a232f1e756cedd587f8e1855c0ff7c09571ebffc8221016ccfdfe0b17d356239685eadd72eaa7c32fe46fcfcdf4aa6cb07
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5dc9a26c4461c32bc40305c88d4017537
SHA1a789a39d23bc9e7e34524d2985090a676d7d75c7
SHA2566669125be7654ce0b13d9b379852d429f5bb30583b3e27b276b28e341c43e9ce
SHA512b4db2eaa429066dbf65b499a556dfd2f739c393848cd2077f49002a4473ac0bda9870744fd233bb6f87ed0c6ed5a04e8fb155b336e4375ae9083c5fd1b4a3639
-
Filesize
3KB
MD59f20350878b52ae681a3971481dfaaa4
SHA1c1d6c8c14275f39ef51a4cc47a352a0accc9a374
SHA256114015a260b940e104e9fb974ed7b85208c01e329ab00426d247315b8d92ad71
SHA51245abfe01bf0334ccf78c57aed049492779e3a06b812b8f12556e006f3e2fb864226f749b76031465f7a6da4d71c41420fd681205400b53f926bf0d6356f767cb
-
Filesize
116KB
MD5e043a9cb014d641a56f50f9d9ac9a1b9
SHA161dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA2569dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA5124ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f
-
Filesize
1.8MB
MD58d26aecef0a7bdac2b104454d3ba1a87
SHA150c29c58dfece62d94ed01cb5b3d070e593dc9cf
SHA256e6c069c08e356b05465edb5aa9437e8af82c3cc8367d143d3ba6a8790f99490c
SHA5120daa8bc75d9a067c3f9c46e4fda2aa4811083a06fc0dac74b45dfcdce60623066dac0189538d48128e55850ba20da12ab5f2f748dfbb9a6ec546802a61065475
-
Filesize
1.7MB
MD51bbf5dd0b6ca80e4c7c77495c3f33083
SHA1e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA51297bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab
-
Filesize
1.7MB
MD51bbf5dd0b6ca80e4c7c77495c3f33083
SHA1e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA51297bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab
-
Filesize
97KB
MD5da1d0cd400e0b6ad6415fd4d90f69666
SHA1de9083d2902906cacf57259cf581b1466400b799
SHA2567a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
-
Filesize
97KB
MD5da1d0cd400e0b6ad6415fd4d90f69666
SHA1de9083d2902906cacf57259cf581b1466400b799
SHA2567a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
-
Filesize
1.3MB
MD50913b4c43b4a1c301353197c30e01f4f
SHA1245c343a7bb339d402ff8e9d442389a4f3dfc3a8
SHA256238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c
SHA5129d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f
-
Filesize
1.3MB
MD50913b4c43b4a1c301353197c30e01f4f
SHA1245c343a7bb339d402ff8e9d442389a4f3dfc3a8
SHA256238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c
SHA5129d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f
-
Filesize
1.3MB
MD50913b4c43b4a1c301353197c30e01f4f
SHA1245c343a7bb339d402ff8e9d442389a4f3dfc3a8
SHA256238d15cbb1a929fe19f4558c44fbc67d5d6b9a3176fd9d880345ae0174a8d87c
SHA5129d2da27264af71d7d1b9a3eac36e9b413041836de2559899d384a76b888cd495703a306c384752047bc9e1da3f8ee908da7218a58cfd9af1f81b51be4b27321f
-
Filesize
326KB
MD580d93d38badecdd2b134fe4699721223
SHA1e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA5129f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4
-
Filesize
326KB
MD580d93d38badecdd2b134fe4699721223
SHA1e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA5129f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4
-
Filesize
7KB
MD539b6b180f7e8f2ed8a6862fd24d23914
SHA1e2514bf6c6497172267532e84c9913065c680104
SHA2565cd27bbeea11fc46dec8e533a3fa2858a2c6c119be306bc1299cfe76de89a476
SHA512b32bad160386f97ed7b95ce7a7abae63d9a7a4003da588db1cb82be8a6c91275f3105005cc40e68dccc4e135daa5386c6a31b036ee88dcfd8130f257753232a1
-
Filesize
106B
MD5f2d056db2081c571096dbf165a780719
SHA12e62ed01d3b304ac415f27e7234f70c10aa3f20d
SHA25623cc615647fced94156cc5bf733f99675db0ddda132a5956aecf67b4073f40ca
SHA512c0d29ee1140af297134d72d4b64826132913e104c25b8c2a04720dcd1fbdce731d0cff45a0d8be303fa9d3801b6c7317f0a1adc194b67b6e3e27e598ed8bf604
-
Filesize
42B
MD5761d79925634b9d759ed325d06e6bdd5
SHA101021636ac68b840b2d815b9912f56b5f8abc8aa
SHA25647bd7cf444914e4259743d5dcac82e7e8b5a560391ec853d8eb5ca305b833c0a
SHA5122b323e15d2e85e853c9222b23fa68477e80c2d5ee9f0b6412e4bfcbed9388b401d8b0f681e3106e0c3a98bd7641fbca57a15c1f9b4f047670c9fca804d983b03
-
Filesize
66KB
MD53c08dea20e350ea34f7309e856576428
SHA1d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA5121c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d
-
Filesize
9KB
MD518a64fbb82819870d5113ac9c68ee8a2
SHA19d58d519b5634bdb9ffac02d781e8309b7c8f2a2
SHA256850c37f0b47e6ddbe1379d2bd41d008c65694c296a48d7125bbd82f2224d12cd
SHA51232d8b28561325b9945efeca1e63007e234b785ebc19ee92ed782c4756bb3ee81504f27728dc021405e22a28f4a76187502277f4b47d8f8a213b64bf3b8d3c4fc
-
Filesize
15KB
MD56655dc2f31804afca01be0fbbb2097b1
SHA1007489f084f43ee9f71537a5fc5630311a23d869
SHA25690f02d1313eaa0b83624863ea3ac5cd6b807b28ea62e3d4d8f80b271d3d1688e
SHA512045053356a5d848490c642f937a632e305790c6a28a47169e0c82833c45340db85b48b4f2a80477320a06616bbcce2fbf76c677becd50c22dc445541318b4a28
-
Filesize
1KB
MD51043a6fa0679f5065b1c2772b3551bbb
SHA110fd852be153823a4feaf1e0ea49e5267833e997
SHA256c0ffb25a00f3656445377f63738668f4692a8a8d788a211a8797eb5b56305301
SHA5123f03f1065757a561c27551a779e8e56c57beae7320e004cf0f5647c07bd2662281bb631f86bb8a8ca3abfd88b6667b26d8eaa623c952a48af13f0f28e12f6a1b
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
324KB
-
Filesize
3.9MB
-
Filesize
12KB
-
Filesize
324KB
-
Filesize
3.9MB