978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5

General

Target

TLauncher.exe
Size

8.9MB
MD5

505731086d2f448e68c025a7003efe00
SHA1

e8358cf87df55712a7b6998d1816e94b57f3b7c1
SHA256

978dfe8f0fbb57398366e2302055b58fa641258f53db6909fca2b5a1e87ff3c5
SHA512

856ad2f0caa72c15b20831c7e1d8917329907381e1e95ce470ff3592755804cc17cd507c105d49fdecbc418a2c3f2b01e1be2ce15dc981aeb7f39ce2889cb4d4
SSDEEP

196608:vRAQAHQHWFm5kAiFWnuf6J/+Ift24xJN+vwvasDU6sU0s:LUn6nDJ/+v4xJprUB4

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3856	icacls.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4212	javaw.exe
420	OpenWith.exe
3288	OpenWith.exe
4436	OpenWith.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4212	1500	TLauncher.exe	81
PID 1500 wrote to memory of 4212	1500	TLauncher.exe	81
PID 4212 wrote to memory of 3856	4212	javaw.exe	82
PID 4212 wrote to memory of 3856	4212	javaw.exe	82

C:\Users\Admin\AppData\Local\Temp\TLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:3856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2044

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3456

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
714f226d5bada8e2d0b0563459a006ce

SHA1
46c36611de880abfbe5341a15216791033258050

SHA256
b7f0b52f9d0f56f5f6d8485579b103b0464c95ae48168cd7d83f79e30ecada0a

SHA512
508234defd727a2467cdb0d892d8012541f81c11b156a6bdc0f246d484bf4d579fb103907993b3fe4b7ad5a64c22b60d78205ec437f7c3d524df2459a0116695

Download Submit
memory/1500-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4212-5-0x000002B211D20000-0x000002B212D20000-memory.dmp

Filesize
16.0MB

Download
memory/4212-12-0x000002B210550000-0x000002B210551000-memory.dmp

Filesize
4KB

Download
memory/4212-14-0x000002B210550000-0x000002B210551000-memory.dmp

Filesize
4KB

Download
memory/4212-22-0x000002B210550000-0x000002B210551000-memory.dmp

Filesize
4KB

Download
memory/4212-27-0x000002B211D20000-0x000002B212D20000-memory.dmp

Filesize
16.0MB

Download
memory/4212-28-0x000002B211FA0000-0x000002B211FB0000-memory.dmp

Filesize
64KB

Download
memory/4212-29-0x000002B211D20000-0x000002B212D20000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing