f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

General

Target

TLauncher-2.885-Installer-1.1.3.exe
Size

22.6MB
MD5

bd3eefe3f5a4bb0c948251a5d05727e7
SHA1

b18722304d297aa384a024444aadd4e5f54a115e
SHA256

f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0
SHA512

d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d
SSDEEP

393216:KXGWOLBh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOc:K2/BhSHExi73qqHpu34kYbzOc

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	TLauncher-2.885-Installer-1.1.3.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023207-5.dat	upx
behavioral2/files/0x0008000000023207-11.dat	upx
behavioral2/memory/2992-14-0x0000000000520000-0x0000000000908000-memory.dmp	upx
behavioral2/files/0x0008000000023207-10.dat	upx
behavioral2/memory/2992-340-0x0000000000520000-0x0000000000908000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe
2992	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 2992	4880	TLauncher-2.885-Installer-1.1.3.exe	93
PID 4880 wrote to memory of 2992	4880	TLauncher-2.885-Installer-1.1.3.exe	93
PID 4880 wrote to memory of 2992	4880	TLauncher-2.885-Installer-1.1.3.exe	93

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-1232405761-1209240240-3206092754-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
92KB

MD5
6cb98d59b0523d33205a8a217d4bd48d

SHA1
dca1a5ac9c9faf99de1ef63961e7dcdbb2c3d14f

SHA256
422857040fc4e5afef5a0597a0a099af318ac758759bac4ac47cef2b22e57741

SHA512
9c29e0e3baefbb2f5286eadaea8ff99c20dd1a9afee23e949f34216744d89d63a31fdab6d9b5a0365fc0915b314d87f2052ead340b98cb26ae676e49292bf09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
5803b5d5f862418b64caa83396e69c7f

SHA1
97b6c8209b8ad65f4f9f3b953fe966bb09ee4e13

SHA256
ee340f8560ba2e71d7e6d305b959ff8fa77869dac916287da2bff7ce5aa2e159

SHA512
e9bf37f0c89299bfa369a8677ac56b12177dd3153246e5e6a9390577658111b731b0ab987044d30f43e05cb41d79ed31dae3b6f4521f225925920617d0414edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
60a19921c7ff3c75e28c302f95460994

SHA1
07ac64ffbb153c8675e2ce0651afeaa5e8c6652d

SHA256
33341d30463fbc7cf3fba5070925569c822b6835aabdb8ef2c3cf09547912d46

SHA512
b30b960152dc13b1a9d384c4972169392cd405bdf4d3ecf73f85cf8a9a68a075131b2495c0348f54d43d0e7a279907bc7b76ac103f4a624738cbfc73bbeeba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
854KB

MD5
39c55c446aa9d382f156d380c7747cd1

SHA1
19660d7e451d4b9b1cc8315993e7539f4353bb60

SHA256
f76bb1fa3fe2e23c677977cfcaf4645ceb3109d30825a5a2380567d7059a5180

SHA512
fbab0f62a9cdc7f438354be8f14330de70b292799a926817744c8326575a85a3de04032a73ef2e7fc845fc4dc6ce251f03c2bbb64431e7c916e57b93cb1b9823

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
344KB

MD5
cd3b032c4d20c89e7e800ba284239c91

SHA1
57b073b21fd3f71e195dee38394d6a9753a9093b

SHA256
b965dbdadfc282b28504d10691a7598a69b3bf2f000f3a27afaf97bde26cef7c

SHA512
878b3cd1fb26942aeca23e8ad1e295f1c4f6ba7ce9d345a0a4b148bc32e91bee493962b3f97ecc85d860fe7bafa007bd8a0f57eed501f0bd1540055da9248bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
93KB

MD5
205392534756bd15aa40182edcd70daf

SHA1
f787406e0c78f9776eff06f99e0824ec2066cd88

SHA256
cfedb4ee7082239be83948389bfc221c4efff9337d5d3d2023131dbad68e1418

SHA512
1d034171d9d6a746c7cf1dbc6be77be21cd8bd9aa6516d261c6df5a73b45a2c27ddfddf776cb993981a23b3fb54b9bb1718c3a119b13f106ff0fcef25451f008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
92KB

MD5
1354872867caf8a06bb2849fb80d2caf

SHA1
facbd8a332092e4a879590ca2ee0f91b62df9b9e

SHA256
7afc835809fbe62361c97dcb215c34196a0e5653a139ff78c94803d00c0e781a

SHA512
e65ada4dac5145dd79aefb39a8e91de4bdc145a037a014239f6999ac72fc6e6da8a2867a741aa9978d9ee0cd9380dafdb85899f86e3a4f68f0b495ea62923f94

Download Submit
memory/2992-302-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2992-308-0x0000000006690000-0x0000000006693000-memory.dmp

Filesize
12KB

Download
memory/2992-14-0x0000000000520000-0x0000000000908000-memory.dmp

Filesize
3.9MB

Download
memory/2992-340-0x0000000000520000-0x0000000000908000-memory.dmp

Filesize
3.9MB

Download
memory/2992-341-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2992-367-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing