84896fbfb13875ac47d85739e4b55e34f0f60a183c27077426cf839020d91e13

Resubmissions

28/11/2023, 01:30

231128-bwwabaed2v 7

28/11/2023, 01:26

231128-btz6gseb73 7

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/11/2023, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrismLauncher-Windows-MSVC-Setup-8.0.exe
Size

18.1MB
MD5

64f959f2372d2fa8d6834156a9c57b5f
SHA1

256bd4ab54b5ba3b3b6694d4713e8e30353ab2e6
SHA256

84896fbfb13875ac47d85739e4b55e34f0f60a183c27077426cf839020d91e13
SHA512

11f1502b57b52bfc980ddb181295c8d3cff33cb3029be53d48ffa52039c70333bea45f2bac245ee42db932d1ecb802d9f7ebe0c421062622318fd5d967025ef2
SSDEEP

393216:zK1dO8BhfgnDojsDsn5rmoUw6gC9iCnh3Ujqa6pJu/:zQhfgDVM5J6gC9JnhkE

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1980	prismlauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe
1980	prismlauncher.exe
1980	prismlauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2736	TaskKill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge\URL Protocol	PrismLauncher-Windows-MSVC-Setup-8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge\shell\open\command	PrismLauncher-Windows-MSVC-Setup-8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge\shell	PrismLauncher-Windows-MSVC-Setup-8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge\shell\open	PrismLauncher-Windows-MSVC-Setup-8.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\PrismLauncher\\prismlauncher.exe\" \"%1\""	PrismLauncher-Windows-MSVC-Setup-8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\curseforge	PrismLauncher-Windows-MSVC-Setup-8.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	TaskKill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 2736	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	30
PID 2096 wrote to memory of 1980	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	33
PID 2096 wrote to memory of 1980	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	33
PID 2096 wrote to memory of 1980	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	33
PID 2096 wrote to memory of 1980	2096	PrismLauncher-Windows-MSVC-Setup-8.0.exe	33

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.0.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.0.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM prismlauncher.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

Filesize
6.8MB

MD5
e2aa275e1d1cdbcc1162e775cefaa19f

SHA1
5346c74dfca4768a07773c33380fcba95bdd9f57

SHA256
86aeaa6ae500798133dd1429d3cf5517d5e2f201f7e470a606a43fb1ad602727

SHA512
540f07d04f391c2215540c642f033f434f15bd04aeab31d8da89e56733d6661b1a01f6b182e6c66a4afae542732127895fca9f2ce59b2f3e5c8bede5b0f60029

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

Filesize
6.2MB

MD5
373e8fc6044b19fe2857b71ebf83a3a4

SHA1
af15b5da48d07c0883170a6089976a29b1d427a9

SHA256
0f040d7f14e1a6cec10b80d9e90065c2e3b5f8f4aab7a45244dd7327a1bf1c20

SHA512
9f4a93b946d26118c313719e753a0bdc78bf075a072b74d221dcdf31163f60b92521a8bcd4f5287deea885f7cbfbfb06ae52c60fcf1e7a61ab0f2e00c2a793d3

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
6.2MB

MD5
45afa397c4462be50024b6e8cb31a8c5

SHA1
deaadfd4455780d00dde34fc522d5a49758908e1

SHA256
d24192eddc9bd7b5aeebe1dd74b0e63ea10b767ea2e93db8350851e64218fb34

SHA512
8f896225cb6aa87a3c373d6b5952f872883775304d20b2772872a1d7db7881992ad4f307ebc9a35be77e61b197d8d92de112b84369307c4c2d86a2164a165930

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.7MB

MD5
f76f36aec1c7701f0f528dd87e5a2df8

SHA1
1eb2c7d88b1898184f813d47cb60fe6553682307

SHA256
8c79a4bf9229e4f11696a3196463b9830f66e9cac22dc9eb39eda1cb062604dc

SHA512
c2c6ded06c89a6722e4f4a8d00819b1b0ef8422890d6b793354bd98103108d177dc41327a4fe4d77f021853f5c5a02ab3a1ca2f97e3ddc55b60ae0a183a7ff45

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

Filesize
5.7MB

MD5
e4ed8404c6f18a31e34a5ad1554296a5

SHA1
7e6cbac642803d0027420772bd174ad89f74cc6d

SHA256
6fa8117e77a4eab296ea44f01fc9bf6a1404e14ba653fc4ff3a53e6037462804

SHA512
1a79652c62b0da06b4f8d7a092aa263433efd4c8a8b2f0ad0de4dba82c42e512638678e81afb155c8e5893b51ff6dbcf1ef3d9c6ec000b1e9943e8e0750b8a08

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

Filesize
6.2MB

MD5
373e8fc6044b19fe2857b71ebf83a3a4

SHA1
af15b5da48d07c0883170a6089976a29b1d427a9

SHA256
0f040d7f14e1a6cec10b80d9e90065c2e3b5f8f4aab7a45244dd7327a1bf1c20

SHA512
9f4a93b946d26118c313719e753a0bdc78bf075a072b74d221dcdf31163f60b92521a8bcd4f5287deea885f7cbfbfb06ae52c60fcf1e7a61ab0f2e00c2a793d3

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.7MB

MD5
f76f36aec1c7701f0f528dd87e5a2df8

SHA1
1eb2c7d88b1898184f813d47cb60fe6553682307

SHA256
8c79a4bf9229e4f11696a3196463b9830f66e9cac22dc9eb39eda1cb062604dc

SHA512
c2c6ded06c89a6722e4f4a8d00819b1b0ef8422890d6b793354bd98103108d177dc41327a4fe4d77f021853f5c5a02ab3a1ca2f97e3ddc55b60ae0a183a7ff45

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.7MB

MD5
f76f36aec1c7701f0f528dd87e5a2df8

SHA1
1eb2c7d88b1898184f813d47cb60fe6553682307

SHA256
8c79a4bf9229e4f11696a3196463b9830f66e9cac22dc9eb39eda1cb062604dc

SHA512
c2c6ded06c89a6722e4f4a8d00819b1b0ef8422890d6b793354bd98103108d177dc41327a4fe4d77f021853f5c5a02ab3a1ca2f97e3ddc55b60ae0a183a7ff45

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4CD9.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit