9837ba580dc8e7d8da2e38c802a5ecbc3cda65cb97c51a98e9c3bdbf347071d9

Analysis

max time kernel
67s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2023, 16:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.839-Installer-0.9.3.6.exe
Size

21.0MB
MD5

b2c2ebd834393807f5cebe3c4bb4f307
SHA1

72c6cea49eb4fb89b84b013f4a9c99826c0e3298
SHA256

9837ba580dc8e7d8da2e38c802a5ecbc3cda65cb97c51a98e9c3bdbf347071d9
SHA512

99d90e2c1321bfc7919cae6afab9d41bb6383a27000febee2090a3cd8e7b422bd1d997a7575019c4e6fff3703ce67ea411e789e38eb8f9c8dadb97447fd740e4
SSDEEP

393216:fX8J8lM/XJJLJoq0fs/dQETVlOBbpFEj9GZdqV56Hpk9QZlpMR:fsJBL1oBHExiTTqqHpLpG

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001e7a7-5.dat	upx
behavioral1/files/0x000400000001e7a7-10.dat	upx
behavioral1/files/0x000400000001e7a7-11.dat	upx
behavioral1/memory/4344-14-0x0000000000B10000-0x0000000000EF8000-memory.dmp	upx
behavioral1/memory/4344-330-0x0000000000B10000-0x0000000000EF8000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	TLauncher-2.839-Installer-0.9.3.6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
4344	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe
4344	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4344	3040	TLauncher-2.839-Installer-0.9.3.6.exe	88
PID 3040 wrote to memory of 4344	3040	TLauncher-2.839-Installer-0.9.3.6.exe	88
PID 3040 wrote to memory of 4344	3040	TLauncher-2.839-Installer-0.9.3.6.exe	88

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.839-Installer-0.9.3.6.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.839-Installer-0.9.3.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.839-Installer-0.9.3.6.exe" "__IRCT:3" "__IRTSS:22055527" "__IRSID:S-1-5-21-1114462139-3090196418-29517368-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
b2c721fa89e81b15ac36f4040426dddb

SHA1
2335c9e1e72bec2c8cbf60d3a8026f293e1b6897

SHA256
5d6c30c11a9c97b509c87de1b55281d6b10816ce2e6d82ebb81f46a8c3c77eba

SHA512
320e8af8db38b2329278f1cb4b5f6b3bf26e56d9a0256c914d97bcec04a3958863919e2c1f0fee6c1e32575abe90c96278093342bb03cdccaa27b5fa62b12dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
65fa49ee1487cb4c551f1c0e6ed2f1c8

SHA1
88a3a0d6154455fd26340a326882ec001713ff73

SHA256
5477610f505d487e141ca8e624346cbd640c8df63c5f4b7a0539babc74f40298

SHA512
750122384baf8b90a95bde859d64266d5ed4ef594d052ad6634ec3c74a34f82eb61adf153da6996ffead278a45fd1af5fffd560848e5b0dcb26ddba87b0e0d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
e9cb97b43bfa0b740358c9da22b7bfd8

SHA1
f7853e7c3a4eab9698ee6365b68b64afc8bff9b2

SHA256
2d892ff24a697039ff3be4d8cee76ce0622640483c9f84ac6121db0043337c86

SHA512
f83933ea7f172c23bbb1d1cbca99e5d202de9f37cccdee4890b5ebfdd2df33cdb91eb187e7f7a0af56e0711167b292d61f93433257f70e37669e9e0459650db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
e9cb97b43bfa0b740358c9da22b7bfd8

SHA1
f7853e7c3a4eab9698ee6365b68b64afc8bff9b2

SHA256
2d892ff24a697039ff3be4d8cee76ce0622640483c9f84ac6121db0043337c86

SHA512
f83933ea7f172c23bbb1d1cbca99e5d202de9f37cccdee4890b5ebfdd2df33cdb91eb187e7f7a0af56e0711167b292d61f93433257f70e37669e9e0459650db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
e9cb97b43bfa0b740358c9da22b7bfd8

SHA1
f7853e7c3a4eab9698ee6365b68b64afc8bff9b2

SHA256
2d892ff24a697039ff3be4d8cee76ce0622640483c9f84ac6121db0043337c86

SHA512
f83933ea7f172c23bbb1d1cbca99e5d202de9f37cccdee4890b5ebfdd2df33cdb91eb187e7f7a0af56e0711167b292d61f93433257f70e37669e9e0459650db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/4344-14-0x0000000000B10000-0x0000000000EF8000-memory.dmp

Filesize
3.9MB

Download
memory/4344-297-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4344-302-0x00000000035B0000-0x00000000035B3000-memory.dmp

Filesize
12KB

Download
memory/4344-330-0x0000000000B10000-0x0000000000EF8000-memory.dmp

Filesize
3.9MB

Download
memory/4344-331-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download