1f3f72219b7fd0a7a240af52841a7beb53cac83004b7f0c9fcdff9fd462252d5

Resubmissions

11-02-2024 13:47

240211-q3qqqsag66 7

11-02-2024 13:45

240211-q2vnasag58 7

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prismlauncher.exe
Size

9.7MB
MD5

f76f36aec1c7701f0f528dd87e5a2df8
SHA1

1eb2c7d88b1898184f813d47cb60fe6553682307
SHA256

8c79a4bf9229e4f11696a3196463b9830f66e9cac22dc9eb39eda1cb062604dc
SHA512

c2c6ded06c89a6722e4f4a8d00819b1b0ef8422890d6b793354bd98103108d177dc41327a4fe4d77f021853f5c5a02ab3a1ca2f97e3ddc55b60ae0a183a7ff45
SSDEEP

98304:8yka33OsX9cGWp5ozIHDno6TR3UNxOK6zytxwU:8Lchi06KxpQU

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4584 icacls.exe

pid	process
4584	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

prismlauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	prismlauncher.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

prismlauncher.exe

pid process

468 prismlauncher.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

prismlauncher.exe

pid process

468 prismlauncher.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

prismlauncher.exe

pid process

468 prismlauncher.exe

pid	process
468	prismlauncher.exe

pid	process
468	prismlauncher.exe

pid	process
468	prismlauncher.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

prismlauncher.exejavaw.exe

description	pid	process	target process
PID 468 wrote to memory of 4256	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 4256	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 464	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 464	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 4896	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 4896	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 3644	468	prismlauncher.exe	javaw.exe
PID 468 wrote to memory of 3644	468	prismlauncher.exe	javaw.exe
PID 464 wrote to memory of 4584	464	javaw.exe	icacls.exe
PID 464 wrote to memory of 4584	464	javaw.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:468

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
2⤵
PID:4256

C:\Program Files\Java\jdk-1.8\bin\javaw.exe
"C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
2⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:4584

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
javaw -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
2⤵
PID:4896

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
2⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
e40860dcbaf68391a6f3f24368a77905

SHA1
3f7a3939e56527b13e11536b9aac1d93eaf0784d

SHA256
492f34f689aea7346f25b2fe0f7a3939d3d61cbe7bfb42f13a113f297e38ad6c

SHA512
05c2fbe3d730aca96ddced4a1555fe61f6c7b4bbf8e33a87ca85516ca21b2c2af613c3521dbe8d183cd66fb40eaaf491dbd639fc553e4ef4c3680b27bf15c156

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
afadbae09de90f0f28a7e1631ba657bd

SHA1
602236fe67f6114d78a1d1ca34a289c891628628

SHA256
ce971393ab10de45e1da21cf2714b9609a94bfe6f48e7b88ccbfa8c3e6217808

SHA512
05a96a65bcda069677843370d37d40495767bbd50cba0a35d9dbe323960291940534ce1eacdb9389c1b95dde609a9802b82bc0c7559c1a0400dc0776a8173f00

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

Filesize
151B

MD5
b0af4994142ced436dbfe8b371a49906

SHA1
b0b1b076c228a23d7fef106b07ecc66e501eb4d3

SHA256
1d371d0862deaf7dcc4bf2bef9263310cd7eb15ec699ed7680860183c9482124

SHA512
c5e4242bac9013d23971bc926d4ae034906b5745b10636e4ff32904bf55afa6152e6e1bc4a8dd5b830878bab92fe336c77cf6148018cc36dd447acc6e3d50108

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

Filesize
100B

MD5
5f8423ed6f700050d9e9e07d0b649de6

SHA1
28f9233ab6f2cb1f68db4e0fad11db9386e9105d

SHA256
c5445f2ecf60e19ccc6327dc9385507c07b6a765c82a2b35abfc2c254e52527b

SHA512
a1a6a852ee52b19050e3e9bca758b8709cb10c70befc1a66a67387490fa0bd0a744676813dcf902e1a1465f07d2859efd92916272708976647c17685e8722f3e

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

Filesize
116B

MD5
39c1ce40c6f243cd3f657b5ff4b65049

SHA1
31ac7f9176ac0ef6f3fe81ddcb197986e89f8c3a

SHA256
731eacec4ebbe014347eedb33cb56488a1e70716044ee19c7b8aa8826cb3a7d9

SHA512
ec0c02ba8e9b8c1f48d77b984fec955378339156b20053bcba33c32d999d097fc4ce06972b00470d699f7c4d20c36bdb914e03843d344a62cd18cdc8ac496194

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.SeUgth

Filesize
30B

MD5
a6dc16331f06bc5831e5ddc9799284ec

SHA1
d344f83d549df8c3e2c959182ba37f8c81d885a5

SHA256
9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807

SHA512
43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

Filesize
65B

MD5
e986c44763599f74f13d1e321c92b606

SHA1
955e9779d6bcafdf94e3c4b027ba5bb455702e89

SHA256
e26eac0ee0a807c5ad4b1e56c1a7d645705b875c31c3f8331cd955243b0552cc

SHA512
f3b5dd2ecfa9cb0babb09f165e9f8c9e1854d17d5b135a4573c56f54d168402e7c4e091a43bbdc872cef54df62aa18f9fc1f39732c087de91accd1795045bc48

Download Submit
memory/464-101-0x0000024000000000-0x0000024000270000-memory.dmp

Filesize
2.4MB

Download
memory/464-87-0x000002407A290000-0x000002407A291000-memory.dmp

Filesize
4KB

Download
memory/468-2-0x000001A4E7A00000-0x000001A4E7A10000-memory.dmp

Filesize
64KB

Download
memory/468-0-0x00007FF9214E0000-0x00007FF921B0A000-memory.dmp

Filesize
6.2MB

Download
memory/468-107-0x000001A4E7A00000-0x000001A4E7A10000-memory.dmp

Filesize
64KB

Download
memory/468-1-0x00007FF6BCC90000-0x00007FF6BD63E000-memory.dmp

Filesize
9.7MB

Download
memory/3644-92-0x0000020063AC0000-0x0000020063AC1000-memory.dmp

Filesize
4KB

Download
memory/3644-100-0x0000020065300000-0x0000020065570000-memory.dmp

Filesize
2.4MB

Download
memory/4256-96-0x0000014543030000-0x0000014543031000-memory.dmp

Filesize
4KB

Download
memory/4256-69-0x0000014543050000-0x0000014544050000-memory.dmp

Filesize
16.0MB

Download
memory/4256-108-0x0000014543050000-0x0000014544050000-memory.dmp

Filesize
16.0MB

Download
memory/4896-89-0x000002CFE2970000-0x000002CFE2971000-memory.dmp

Filesize
4KB

Download
memory/4896-99-0x000002CFE4210000-0x000002CFE4480000-memory.dmp

Filesize
2.4MB

Download