Analysis
- max time kernel: 72s
- max time network: 41s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22/02/2024, 18:03
Static task
static1
General
- Target: TLauncher-2.885-Installer-1.1.3.exe
- Size: 22.6MB
- MD5: bd3eefe3f5a4bb0c948251a5d05727e7
- SHA1: b18722304d297aa384a024444aadd4e5f54a115e
- SHA256: f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0
- SHA512: d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d
- SSDEEP: 393216:KXGWOLBh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOc:K2/BhSHExi73qqHpu34kYbzOc
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
1408 irsetup.exe
-
Loads dropped DLL 3 IoCs
pid Process
1408 irsetup.exe (3 entries)
-
UPX packed file 3 IoCs
resource yara_rule
behavioral1/files/0x000700000001ac40-4.dat upx
behavioral1/memory/1408-8-0x0000000000B20000-0x0000000000F08000-memory.dmp upx
behavioral1/memory/1408-334-0x0000000000B20000-0x0000000000F08000-memory.dmp upx
The two memory hits are dumps of the same 0xB20000-0xF08000 image region in PID 1408, which is the dropped irsetup.exe; the file hit is the artefact the sandbox collected under behavioral1/files. The UPX rule fires on the dropped installer runtime, not on the submitted TLauncher executable itself.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Internet Explorer\LowRegistry PaintStudio.View.exe
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions PaintStudio.View.exe
Key created \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached PaintStudio.View.exe
-
Modifies registry class 12 IoCs
description ioc Process
All twelve entries were written by PaintStudio.View.exe under the one key prefix \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings, abbreviated below as [IS]:
Key created [IS] PaintStudio.View.exe
Key created [IS]\Cache PaintStudio.View.exe
Key created [IS]\Cache\Content PaintStudio.View.exe
Set value (int) [IS]\Cache\Content\CacheLimit = "51200" PaintStudio.View.exe
Set value (str) [IS]\Cache\Content\CachePrefix PaintStudio.View.exe
Key created [IS]\Cache\Cookies PaintStudio.View.exe
Set value (str) [IS]\Cache\Cookies\CachePrefix = "Cookie:" PaintStudio.View.exe
Set value (int) [IS]\Cache\Cookies\CacheLimit = "1" PaintStudio.View.exe
Key created [IS]\Cache\History PaintStudio.View.exe
Set value (str) [IS]\Cache\History\CachePrefix = "Visited:" PaintStudio.View.exe
Set value (int) [IS]\Cache\History\CacheLimit = "1" PaintStudio.View.exe
Key created [IS]\Cache\Extensible Cache PaintStudio.View.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
1964 PaintStudio.View.exe
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process
2108 mspaint.exe (2 entries)
4628 mspaint.exe (2 entries)
1964 PaintStudio.View.exe (50 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1964 PaintStudio.View.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 1964 PaintStudio.View.exe (3 entries)
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1964 PaintStudio.View.exe (2 entries)
-
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process
1408 irsetup.exe (7 entries)
2108 mspaint.exe (4 entries)
4628 mspaint.exe (1 entry)
1964 PaintStudio.View.exe (2 entries)
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 2428 wrote to memory of 1408 2428 TLauncher-2.885-Installer-1.1.3.exe 75 (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe (PID 2428, top level)
Command line: "C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe"
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 1408, child of PID 2428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-3281913400-1494313570-2321515684-1000"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe (PID 2108, top level)
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompressStep.bmp"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exe (PID 2312, top level)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
-
C:\Windows\system32\mspaint.exe (PID 4628, top level)
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DebugPublish.jpeg" /ForceBootstrapPaint3D
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe (PID 1964, top level)
Command line: "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe (PID 408, top level)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
Reading the tree: the only process that descends from the submitted installer is irsetup.exe (PID 1408), which the installer extracted to %TEMP%\_ir_sf_temp_0 and started, the three WriteProcessMemory rows above being the parent writing into that new child. irsetup.exe is the runtime of the Indigo Rose Setup Factory installer framework; its __IRAFN argument names the parent TLauncher executable as the archive it unpacks. mspaint.exe, svchost.exe, PaintStudio.View.exe and rundll32.exe are top-level processes with no recorded link to the sample, so the signatures raised on them (SeDebugPrivilege, process enumeration, the Paint app-container registry writes, the wiatrace.log modification) should not be attributed to the sample without further evidence.
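The attribution question in the note above can be answered mechanically. The block below is an added example for this page, not the sandbox vendor's tooling: it rebuilds the parent/child relationships from the report's own WriteProcessMemory rows, splits the process list into the sample's tree and everything else, and labels each signature by where it fired. The PIDs, image paths, WriteProcessMemory rows and signature-to-PID mapping are copied from the report; the parsing logic and function names are this example's own, and using a cross-process write as the parent/child edge is an assumption that holds here only because the report records no other process-creation evidence.

```python
"""Rebuild the process tree of this run from the report's own data."""
import re
from collections import defaultdict

# Process list from the "Processes" section: PID -> image path (copied from the report).
PROCESSES = {
    2428: r"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe",
    1408: r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
    2108: r"C:\Windows\system32\mspaint.exe",
    2312: r"c:\windows\system32\svchost.exe",
    4628: r"C:\Windows\system32\mspaint.exe",
    1964: r"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe",
    408: r"C:\Windows\System32\rundll32.exe",
}

# "Suspicious use of WriteProcessMemory" rows, in the report's wording (copied).
WPM_EVENTS = [
    "PID 2428 wrote to memory of 1408 2428 TLauncher-2.885-Installer-1.1.3.exe 75",
    "PID 2428 wrote to memory of 1408 2428 TLauncher-2.885-Installer-1.1.3.exe 75",
    "PID 2428 wrote to memory of 1408 2428 TLauncher-2.885-Installer-1.1.3.exe 75",
]

# Signature name -> PIDs it was raised on (copied from the "Signatures" section).
SIGNATURES = {
    "Executes dropped EXE": {1408},
    "Loads dropped DLL": {1408},
    "Drops file in Windows directory": {2108},
    "Modifies Internet Explorer settings": {1964},
    "Modifies registry class": {1964},
    "Suspicious behavior: AddClipboardFormatListener": {1964},
    "Suspicious behavior: EnumeratesProcesses": {2108, 4628, 1964},
    "Suspicious behavior: GetForegroundWindowSpam": {1964},
    "Suspicious use of AdjustPrivilegeToken": {1964},
    "Suspicious use of FindShellTrayWindow": {1964},
    "Suspicious use of SetWindowsHookEx": {1408, 2108, 4628, 1964},
    "Suspicious use of WriteProcessMemory": {2428},
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parent_edges(events):
    """Turn WriteProcessMemory rows into (writer_pid, target_pid) edges.

    Assumption (this example's, not the report's): a cross-process write from
    the installer into a freshly started child is the only parent/child
    evidence in this report, so it stands in for a process-creation edge."""
    edges = set()
    for row in events:
        m = WPM_RE.search(row)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def descendants(root, edges):
    """All PIDs reachable from `root` by following edges (iterative DFS)."""
    children = defaultdict(set)
    for parent, child in edges:
        children[parent].add(child)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def classify_processes(sample_pid, processes, edges):
    """Split the process list into the sample's tree and everything else."""
    tree = {sample_pid} | descendants(sample_pid, edges)
    return {"sample": sorted(tree), "unrelated": sorted(set(processes) - tree)}


def attribute_signatures(signatures, sample_tree):
    """Label each signature: fired only inside the sample's tree ("sample"),
    only outside it ("other"), or in both ("mixed")."""
    result = {}
    for name, pids in signatures.items():
        inside, outside = bool(pids & sample_tree), bool(pids - sample_tree)
        result[name] = "mixed" if inside and outside else ("sample" if inside else "other")
    return result


if __name__ == "__main__":
    edges = parent_edges(WPM_EVENTS)
    split = classify_processes(2428, PROCESSES, edges)
    for pid in split["sample"]:
        print(f"sample tree  {pid:>5}  {PROCESSES[pid]}")
    for pid in split["unrelated"]:
        print(f"no link      {pid:>5}  {PROCESSES[pid]}")
    for name, where in attribute_signatures(SIGNATURES, set(split["sample"])).items():
        print(f"{where:<7} {name}")
```

Run as a script it lists PIDs 2428 and 1408 as the sample's tree and the other five as unlinked, and marks only the dropped-EXE, dropped-DLL and WriteProcessMemory signatures as "sample"; SetWindowsHookEx comes out "mixed" because irsetup.exe and the Paint processes both raised it. On a real Triage export you would feed the same functions from the JSON report rather than from hand-copied constants.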
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize 233B
MD5 972b2d09e61075ccbbd32311c65f53f7
SHA1 4f5268ff03f2423831f5842ff4b062cdf7717106
SHA256 1a4c4e16d58e153d4e523f36df0e7c6e7d8fcdf77a59e1215dfd5321bef65539
SHA512 2e61cce3678b1e6601dc9fb7b76a55f963502a84d9b556911ad93a6ff37468c31106d983e767e3d4d0686d9f2d42f0bc914abd7dde5c28545d7f303decd73d02
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
Filesize 2KB
MD5 404a3ec24e3ebf45be65e77f75990825
SHA1 1e05647cf0a74cedfdeabfa3e8ee33b919780a61
SHA256 cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
SHA512 a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5
-
Filesize 116KB
MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f
-
Filesize 1.8MB
MD5 cb50d496ae05fa1c8bfbcb3b7f910bfe
SHA1 3ec4d77b73c4d7e9858b11224314e99d082497a8
SHA256 7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34
SHA512 22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d
-
Filesize 280B
MD5 5803b5d5f862418b64caa83396e69c7f
SHA1 97b6c8209b8ad65f4f9f3b953fe966bb09ee4e13
SHA256 ee340f8560ba2e71d7e6d305b959ff8fa77869dac916287da2bff7ce5aa2e159
SHA512 e9bf37f0c89299bfa369a8677ac56b12177dd3153246e5e6a9390577658111b731b0ab987044d30f43e05cb41d79ed31dae3b6f4521f225925920617d0414edd
-
Filesize 281B
MD5 60a19921c7ff3c75e28c302f95460994
SHA1 07ac64ffbb153c8675e2ce0651afeaa5e8c6652d
SHA256 33341d30463fbc7cf3fba5070925569c822b6835aabdb8ef2c3cf09547912d46
SHA512 b30b960152dc13b1a9d384c4972169392cd405bdf4d3ecf73f85cf8a9a68a075131b2495c0348f54d43d0e7a279907bc7b76ac103f4a624738cbfc73bbeeba02
-
Filesize 1.3MB
MD5 a70accbc1f1001cbf1c4a139e4e5d7af
SHA1 138de36067af0c8f98e1f7bc4c6bea1d73bc53ab
SHA256 b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6
SHA512 46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04
-
Filesize 326KB
MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4
-
Filesize 1.7MB
MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab
-
Filesize 97KB
MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
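The Downloads list gives four digests per dropped file but no content, and the same Projects.json path appears twice (a 2-byte write followed by a 233-byte one). The block below is an added example for this page, not the report's or the sandbox's code: it checks candidate bytes, or a file on disk, against the digests the report lists, using the 2-byte Projects.json as the worked case. The expected hashes are copied from the entry above; the candidate content b"[]" is a constructed guess (an empty JSON array is exactly two bytes) that the check confirms, so the first write was an empty project list and not a payload.

```python
"""Verify dropped-file content against the digests a sandbox report lists."""
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")  # the families the report uses; SSDEEP is not in hashlib

# Copied from the Downloads entry for Projects.json (Filesize 2B).
REPORT_PROJECTS_JSON_2B = {
    "md5": "d751713988987e9331980363e24189ce",
    "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
    "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af",
}


def digests(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def verify_bytes(data: bytes, expected: dict) -> dict:
    """Per-algorithm match map: True where our digest equals the report's value.
    Comparing all four catches a typo in any single copied hash."""
    got = digests(data)
    return {algo: got[algo] == value.lower() for algo, value in expected.items()}


def matches_report(data: bytes, expected: dict) -> bool:
    """True only if every listed algorithm agrees."""
    return all(verify_bytes(data, expected).values())


def verify_file(path: str, expected: dict, chunk_size: int = 1 << 20) -> dict:
    """Same check for a file on disk, hashed incrementally so multi-MB drops
    (the 1.8MB and 1.7MB entries above) do not have to be read into memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: hashers[algo].hexdigest() == value.lower() for algo, value in expected.items()}


if __name__ == "__main__":
    candidate = b"[]"  # constructed: an empty JSON array, 2 bytes
    print("2-byte Projects.json is an empty JSON array:",
          matches_report(candidate, REPORT_PROJECTS_JSON_2B))
    print("per-algorithm:", verify_bytes(candidate, REPORT_PROJECTS_JSON_2B))
```

The same pattern identifies any other small dropped file whose content you can guess (empty object, empty string, a single newline) without downloading it, and `verify_file` is what you run on an artefact pulled from the sandbox before trusting that it is the one the report describes.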