891a3528b807f283a98d6dd92b5b08cbb42cbbee4c48f61816edf72adf7f4c95

Analysis

max time kernel
110s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KLauncher.exe
Size

18.4MB
MD5

d2f7939c25f392e000f9731bc67274b3
SHA1

70e0dfc92605340267404be5c05476fbeb00b9ce
SHA256

891a3528b807f283a98d6dd92b5b08cbb42cbbee4c48f61816edf72adf7f4c95
SHA512

fc30aba479d2f7bb09eeaf0209acd0f82ecf7d0b8994c7fbd7990393aa4b40f5349ffd12af7beeea2092ae73071470156bef2abc2c9b17e56d881b0761795d0d
SSDEEP

393216:jHOsugDBfcbVnMJnGrT8t+7vyE6tL8a10Zh4pOsrKadFu7xmwaMzry04PcMx0C:jusb1c6JGrQtQvyE6D10Z2ksq7xvDz2V

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4512	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4148	msedge.exe
4148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3408	4404	KLauncher.exe	87
PID 4404 wrote to memory of 3408	4404	KLauncher.exe	87
PID 3408 wrote to memory of 4512	3408	javaw.exe	89
PID 3408 wrote to memory of 4512	3408	javaw.exe	89
PID 4128 wrote to memory of 4860	4128	msedge.exe	110
PID 4128 wrote to memory of 4860	4128	msedge.exe	110
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 5084	4128	msedge.exe	111
PID 4128 wrote to memory of 4148	4128	msedge.exe	112
PID 4128 wrote to memory of 4148	4128	msedge.exe	112
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113
PID 4128 wrote to memory of 4940	4128	msedge.exe	113

C:\Users\Admin\AppData\Local\Temp\KLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\KLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -XX:+UseG1GC -Dfile.encoding=UTF-8 -jar "C:\Users\Admin\AppData\Local\Temp\KLauncher.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultef333be2hc759h4078hadbbh3b6cc44ab152
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb5fd446f8,0x7ffb5fd44708,0x7ffb5fd44718
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3086992510440891658,14223270328229531990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,3086992510440891658,14223270328229531990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,3086992510440891658,14223270328229531990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
30cc69c9589dfb1a6089d69d6e9f3850

SHA1
62a53f5582f2e4f7caa6606ed12c079fd9a33528

SHA256
ab4c5e9fdaeb70ee7da9c58691809fa82b982e7572b1af1a8230abd64ddfc9fa

SHA512
98352a4a4c299ce106c74f78247e98ebe131b7e2c6c4dfbe416676be75608abd283b58f064c6d5f19c9627de52a0e418903ac853fe21423b98607cd57ebb5ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f1d78d034871aeb6c50b256c67f7e32

SHA1
3445c96da375667b1e5f680afca108e3a2530cd1

SHA256
fcf11e7a5ca96a1f56c3de094aed28f3fb73cdc7ca4295f6160aa11c22d5dd2e

SHA512
cb64b5bd34a40fe6024af60773f482406404cae5f41b8ae42b00416351112aacc60164fec1d72857cd4d351e7687b56102adfb8e45cf70252de19a892b21c4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
b67ad202cf104b87ae16111f440f74bf

SHA1
45a5091cd02a845a46de1306797aae0f7794cc81

SHA256
72c5fafe00212c9c611637d60635c976bd4b1409f75b8bc09be23dc86c2cb617

SHA512
cd4fc8251d8bcd55a35d998095978f65c5aaee940b3edc8d884d094a460bd5f2248c45b252b5f26493334d9aae09bfd9ac3c55ddfed389a6cb974523be0c8165

Download Submit
memory/3408-5-0x0000020709D90000-0x000002070AD90000-memory.dmp

Filesize
16.0MB

Download
memory/3408-17-0x00000207085C0000-0x00000207085C1000-memory.dmp

Filesize
4KB

Download
memory/3408-19-0x00000207085C0000-0x00000207085C1000-memory.dmp

Filesize
4KB

Download
memory/4404-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download