84896fbfb13875ac47d85739e4b55e34f0f60a183c27077426cf839020d91e13

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prismlauncher.exe
Size

9.7MB
MD5

f76f36aec1c7701f0f528dd87e5a2df8
SHA1

1eb2c7d88b1898184f813d47cb60fe6553682307
SHA256

8c79a4bf9229e4f11696a3196463b9830f66e9cac22dc9eb39eda1cb062604dc
SHA512

c2c6ded06c89a6722e4f4a8d00819b1b0ef8422890d6b793354bd98103108d177dc41327a4fe4d77f021853f5c5a02ab3a1ca2f97e3ddc55b60ae0a183a7ff45
SSDEEP

98304:8yka33OsX9cGWp5ozIHDno6TR3UNxOK6zytxwU:8Lchi06KxpQU

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

prismlauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	prismlauncher.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

prismlauncher.exe

pid process

1420 prismlauncher.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

prismlauncher.exe

pid process

1420 prismlauncher.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

prismlauncher.exe

pid process

1420 prismlauncher.exe

pid	process
1420	prismlauncher.exe

pid	process
1420	prismlauncher.exe

pid	process
1420	prismlauncher.exe

C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.GLeEog

Filesize
30B

MD5
a6dc16331f06bc5831e5ddc9799284ec

SHA1
d344f83d549df8c3e2c959182ba37f8c81d885a5

SHA256
9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807

SHA512
43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

Filesize
66B

MD5
e8645149a41cc6837bb53b932c83eead

SHA1
cdfee369ef81ad6aba8f8f0f1cfaa847b065aa98

SHA256
d57037e0e0bc42f987508055211ea308428c220c80b2dd957b2ede88292607ff

SHA512
c24ab3ea46eca105afcbe7c5718f8030a17681cb416bdec8b22020861ec0328c69d502689c61da6a50c0172cd842ec6758c62d8ba28d4e736e05752b7490f081

Download Submit
memory/1420-0-0x00007FFA0F5E0000-0x00007FFA0FC0A000-memory.dmp

Filesize
6.2MB

Download
memory/1420-1-0x00007FF6C0E60000-0x00007FF6C180E000-memory.dmp

Filesize
9.7MB

Download
memory/1420-2-0x000001CED6AB0000-0x000001CED6AC0000-memory.dmp

Filesize
64KB

Download
memory/1420-42-0x000001CED6AB0000-0x000001CED6AC0000-memory.dmp

Filesize
64KB

Download