05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher-3.2.exe
Size

1.6MB
MD5

b63468dd118dfbca5ef7967ba344e0e3
SHA1

2ba4f0df5f3bd284bf2a89aba320e4440d8b8355
SHA256

05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf
SHA512

007ecb7445dc0c01a802b5a2c91313aae59f9dc96e27455dd85e7a92a4e649d683fbc2ada5f48925d9ab3b4fdaea20aa89eeb442fde079902aecb5ca3454a548
SSDEEP

49152:HIBc3n9dRvwVlzhFAQ/ggUTPQjYEiim7V:oBaO/FAqMQjYEXm

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2108	SKlauncher-3.2.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
232	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\java\jre-1.8\bin\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\symbols\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\symbols\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\symbols\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\dll\jvm.pdb	SKlauncher-3.2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	taskmgr.exe
Token: SeSystemProfilePrivilege	4660	taskmgr.exe
Token: SeCreateGlobalPrivilege	4660	taskmgr.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe
4660	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	SKlauncher-3.2.exe
2108	SKlauncher-3.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4052	2108	SKlauncher-3.2.exe	84
PID 2108 wrote to memory of 4052	2108	SKlauncher-3.2.exe	84
PID 4052 wrote to memory of 232	4052	java.exe	86
PID 4052 wrote to memory of 232	4052	java.exe	86
PID 2108 wrote to memory of 5080	2108	SKlauncher-3.2.exe	88
PID 2108 wrote to memory of 5080	2108	SKlauncher-3.2.exe	88

C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- \??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
  "c:\PROGRA~1\java\jre-1.8\bin\java.exe" -version
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:232
- \??\c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe
  "c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe" -version
  2⤵
  PID:5080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
eedfa975045aec235b0e05ae172e9e1b

SHA1
83dc11969e1fe0769358c6923c7210d3066c5905

SHA256
f31914e635225170c5294e6d6e0a1434d13ba561fc920aadca8956c2d54f4c53

SHA512
394be39de63c91b653b57acad19b016fc2aa43aee85dabe0d89701b910b94da85ea923f3566f464e69eba32c07fb43e6a74b7b9f97f30d508b64b51bd8e4f2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4847446907000.dll

Filesize
22KB

MD5
dcd68a87b7e6edbcfde48150403b22eb

SHA1
28e4839a29725075772fccc39b44e194eb91e477

SHA256
ae3352b6ad6cffaae55f4387f9f5e79365ea17f8d5fb45ef11d21c3300a49a4c

SHA512
ac2a6bc0afcd08c56090536a937772edd54f35505c9a5837d9bc8e91c31edb6137cf5191986b3473e9e2f512950b4dbfe4088598bfd1faf47088124c70aeba71

Download Submit
memory/2108-90-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/2108-91-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/2108-92-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/2108-40-0x0000000002D20000-0x0000000003D20000-memory.dmp

Filesize
16.0MB

Download
memory/2108-43-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2108-47-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2108-95-0x0000000002D20000-0x0000000003D20000-memory.dmp

Filesize
16.0MB

Download
memory/2108-73-0x0000000002D20000-0x0000000003D20000-memory.dmp

Filesize
16.0MB

Download
memory/2108-81-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2108-83-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2108-86-0x0000000002D20000-0x0000000003D20000-memory.dmp

Filesize
16.0MB

Download
memory/2108-87-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/2108-88-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2108-89-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4052-93-0x0000027BB2750000-0x0000027BB3750000-memory.dmp

Filesize
16.0MB

Download
memory/4052-7-0x0000027BB2750000-0x0000027BB3750000-memory.dmp

Filesize
16.0MB

Download
memory/4052-14-0x0000027BB2730000-0x0000027BB2731000-memory.dmp

Filesize
4KB

Download
memory/4660-104-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-98-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-96-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-97-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-102-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-105-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-103-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-107-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-106-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/4660-108-0x00000257E5E90000-0x00000257E5E91000-memory.dmp

Filesize
4KB

Download
memory/5080-94-0x000001B5CFB30000-0x000001B5D0B30000-memory.dmp

Filesize
16.0MB

Download
memory/5080-28-0x000001B5CE300000-0x000001B5CE301000-memory.dmp

Filesize
4KB

Download
memory/5080-20-0x000001B5CFB30000-0x000001B5D0B30000-memory.dmp

Filesize
16.0MB

Download