Analysis
max time kernel: 128s
max time network: 130s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/02/2024, 21:17
Static task
static1
Behavioral task
behavioral1
Sample
Old-TLauncher.exe
Resource
win10-20231215-en
General
Target: Old-TLauncher.exe
Size: 8.9MB
MD5: 505731086d2f448e68c025a7003efe00
SHA1: e8358cf87df55712a7b6998d1816e94b57f3b7c1
SHA256: 978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5
SHA512: 856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4
SSDEEP: 196608:vRAQAHQHWFm5kAiFWnuf6J/+Ift24xJN+vwvasDU6sU0s:LUn6nDJ/+v4xJprUB4
Malware Config
Signatures
Modifies file permissions (1 TTPs, 1 IoCs)
pid | Process
932 | icacls.exe

Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | javaw.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | javaw.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2644 | javaw.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 192 wrote to memory of 2644 | 192 | Old-TLauncher.exe | 74
PID 192 wrote to memory of 2644 | 192 | Old-TLauncher.exe | 74
PID 2644 wrote to memory of 932 | 2644 | javaw.exe | 75
PID 2644 wrote to memory of 932 | 2644 | javaw.exe | 75
Processes
1. C:\Users\Admin\AppData\Local\Temp\Old-TLauncher.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Old-TLauncher.exe"
   - Suspicious use of WriteProcessMemory
   PID: 192
   2. C:\Program Files\Java\jre-1.8\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Old-TLauncher.exe"
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2644
      3. C:\Windows\system32\icacls.exe
         Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
         - Modifies file permissions
         PID: 932

1. C:\Windows\System32\rundll32.exe
   Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46B
MD5: 2d8f85362f078773542cd404f26022ba
SHA1: b90f6a11022d5b29488ee74260bfa4fcbf66501b
SHA256: 6c51c8e0efef08fa7691fc095a5132987710ca8ce96936e2f7f3dd56109a4855
SHA512: 95667871c544e29247fae6bd9012c1f0693e52707155e4bdeb0c6b655297418fd41189c0ac189382a27e4147c6ff94158bf3c579523c3ac1de82daaa7a9b2ddb