f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.885-Installer-1.1.3.exe
Size

22.6MB
MD5

bd3eefe3f5a4bb0c948251a5d05727e7
SHA1

b18722304d297aa384a024444aadd4e5f54a115e
SHA256

f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0
SHA512

d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d
SSDEEP

393216:KXGWOLBh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOc:K2/BhSHExi73qqHpu34kYbzOc

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	TLauncher-2.885-Installer-1.1.3.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023242-6.dat	upx
behavioral2/files/0x0007000000023242-11.dat	upx
behavioral2/memory/2116-14-0x0000000000680000-0x0000000000A68000-memory.dmp	upx
behavioral2/files/0x0007000000023242-10.dat	upx
behavioral2/memory/2116-328-0x0000000000680000-0x0000000000A68000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2116	3716	TLauncher-2.885-Installer-1.1.3.exe	92
PID 3716 wrote to memory of 2116	3716	TLauncher-2.885-Installer-1.1.3.exe	92
PID 3716 wrote to memory of 2116	3716	TLauncher-2.885-Installer-1.1.3.exe	92

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-3803511929-1339359695-2191195476-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
278KB

MD5
7bd914e4fbe7726eb315026f6de31941

SHA1
e13e5ad23ec464be54be0fe3eebb6ac22575481a

SHA256
3888784289b4ef0e30cf1f62d5481634d7c020c47a46f1f6531b67b8c5e31018

SHA512
aebc92b1da9b56e8cc9789fe30c14a99ec5792afac056d8daca41df0d405da48379226efeebd93128625ef110413df4ab08d1ce3ba6559819071e48def1872ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
735KB

MD5
c72dfbf846089e8127746667491688c1

SHA1
a01e568868a249a9c9d0bebdbca55e14a2c6d8ac

SHA256
8a96a5f5c944a25880b246bc43cf9f1425daa634a4d86b3b44ca8f9817890728

SHA512
6d0d3fc0a0d932d6a290c918c5bb145f88f9d257104dde6338d6d12a30a78c1e66dae2c0188dbc84b14706a6de9fc34dc2e8df2209a6a52fdd42093d88b8e559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
802KB

MD5
cb37cc4a2922d5d72059e0b071cd1dad

SHA1
9c47279817e3c328d67c0cdb29884497d75a739e

SHA256
b2f475705f0830f140f3155d1fd4ac3f48370653085c100eec41d3e6a825b00c

SHA512
8d9ebed10f7e0c03e00175633d66be95d33867d345ac1cff52935d571996212d877541606cdcd70dfb2d3e30be06279d27596da28df5f38cdb58502f29d0e630

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
98KB

MD5
a9d7c0bdd3c090cc9196ce5d81bd080e

SHA1
8d1d6584f733afdc98b12c3b520ed7204350342f

SHA256
349f44df7c90205d42b030ac96a128c2f7f590f655b7b692196715d38641e71c

SHA512
fd43df6b2a9ac4b961995067efe6face64e1b79ee77e5de2e5802f6f9579f676b209794e42128a75bac2b0453a8540d29160f62d49a6b02b5d3ae247df013fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
112KB

MD5
7e8a0e9f1adfbdd38fa254edcea64479

SHA1
1d89422e5b109631e7f28979951e0b4ccbf4e8d1

SHA256
578550f55f1c89347baa400fd2520e1c698c1fe7ceae0a19dc12d06cd64a889a

SHA512
210437a60ed51b713bbd4e3a268c26a4a207d15b4f95829ff7e40166bf366c11fa7eba9dd47e73c7c1c0a38c9a2a7c5201b09d6103453d9256b74640aecf7160

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
501KB

MD5
bca8a1e4cd417fda8f794ba8af415dad

SHA1
c96c2f5219da4ba6da9fb9fa0197fd3d4eca5c29

SHA256
c6d3d335e1c3cad649a2e70c83fe76c4625c706b65995f1a46ba4cf41aeb346d

SHA512
0e5f5f1ce3edc90645ea1205840aa955280a6c2e31309c9e94854167b7504f9c0d800844c31f9cefb4b30bbe6da06e20a17b4a7187d7b9bc060e593e4c3b5aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
128KB

MD5
a132edd63f24f3c9a7650f65e3211a83

SHA1
1fee285d4a4b93c145f977946197713b4cc3c0d8

SHA256
73edd88cd5396338a7512d6ffba616bb678332d55d4627cfc2efe7aace545334

SHA512
9bec49c187a5ec0a222bd85dcad871ac06ece7dfd2a839bf394688ab0a4cc481c26b6bca4bfa6710322d34f6197e9dea491b83d0bb584b5f8da414f9e00f9123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
65KB

MD5
2b1df233a56054629c49c99a9eb235eb

SHA1
81957faaff2742b30a837d93f43edffdfca87d99

SHA256
9a1f2fe77903a924cf2e6e3fc71fc9ef39f6fb9de8872869aa3af27e1256f1d7

SHA512
fc42126a3c93ca08b61ca9826c1f743aad519b038bf17ab05415fe9c197626460e5ca1b716b5971604b43f605957ff1d453a053f75f657ea63f69849f0cac53e

Download Submit
memory/2116-14-0x0000000000680000-0x0000000000A68000-memory.dmp

Filesize
3.9MB

Download
memory/2116-302-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2116-303-0x00000000065A0000-0x00000000065A3000-memory.dmp

Filesize
12KB

Download
memory/2116-328-0x0000000000680000-0x0000000000A68000-memory.dmp

Filesize
3.9MB

Download
memory/2116-329-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2116-353-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2116-355-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download