aa3c568c88329c4dd471492c0db25a6c299b4346562d63e850e3064902d86d69

Analysis

max time kernel
114s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prismlauncher.exe
Size

9.7MB
MD5

337e87e1117573b52d7a069a2bec9935
SHA1

52060abc875a8cb7aa08076b503f2aeaf3dd4d89
SHA256

6651a644ecbfa74355c25036986efe7ac48002c7d6d54b9ff1eb2db5f7fd8bf3
SHA512

638312070c05b33c979e95264f07168e494a854068172c414d2066e9dc7fe766a27d9fae7437060cf5d8c25dfd587d7b066d88a09d6dd32f68b8bd2fc88b6aa7
SSDEEP

98304:zpPOVXkPVGiWnYmryIHDno6TRlUNxOKsgCfVT:z1Gi0h06gxyhVT

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4924	icacls.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
972	prismlauncher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
972	prismlauncher.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2440	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4304	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 3380	972	prismlauncher.exe	81
PID 972 wrote to memory of 3380	972	prismlauncher.exe	81
PID 972 wrote to memory of 2060	972	prismlauncher.exe	82
PID 972 wrote to memory of 2060	972	prismlauncher.exe	82
PID 972 wrote to memory of 3644	972	prismlauncher.exe	83
PID 972 wrote to memory of 3644	972	prismlauncher.exe	83
PID 972 wrote to memory of 2020	972	prismlauncher.exe	84
PID 972 wrote to memory of 2020	972	prismlauncher.exe	84
PID 3644 wrote to memory of 4924	3644	javaw.exe	85
PID 3644 wrote to memory of 4924	3644	javaw.exe	85
PID 972 wrote to memory of 4496	972	prismlauncher.exe	88
PID 972 wrote to memory of 4496	972	prismlauncher.exe	88

C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  2⤵
  PID:3380
- C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  2⤵
  PID:2060
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  javaw -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4924
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  2⤵
  PID:2020
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -Xms512m -Xmx4096m -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  2⤵
  PID:4496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b3068921143d0abdd25538928e9d7180

SHA1
2a90f5e8b29e2250ab45b247af519a009560c5ef

SHA256
8084b97f53c3394ff9f0c98d428a33ebf7f7738b141d6ba9df25817f86f93f5f

SHA512
c9b8f82b16e471d5754f261cba937bc16428c2c446f615fa35b125d040462e3fbcd4613a178152ad115c636623b0bad7aac9b132a8d196c1008febe8e08144d3

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
cc754619c02966e170cbbb62624b8433

SHA1
8995d3a2b068614450afeed41b826d4102ed2113

SHA256
89cf502dfca79ebfbb371e7e40e2fa246cdf65412872b1e695f23b6cf1b40c07

SHA512
a211f279b74eb9e9649b6a8acd23a8eb2db6ce4a1d2275e98c566c0e1423ca24f916635e382dbac92a93201bd717c0a3f59b5eb8801598052def4eaf1146be47

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
e7287dd4e71a21e10194c99cc8ccd823

SHA1
d12b4151bb25ca694ad8098751b4918129c322ac

SHA256
9c3bad374f6b813d2d3393e29f7e9aaca5404a001e521746d21fe7ced190f27c

SHA512
e76c126fb4f111e78772ee65afb4a06ff74d4c56432a4aa3f6c9680a0e832c257285e68f2b09e4513b4d4ca3169d865e375caa20dca32648d81010394c0c8c21

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg

Filesize
228B

MD5
e4dde792d1ffc9d27b9e478ed627363f

SHA1
89ebd06968a551636d10603db84ff25a3f5ad310

SHA256
7fc0dd6b91d833a8bd70b1fb24a87b103f212c5108adf2765da29dc6a5e6e22f

SHA512
8bd1974d526af055d3f78219dfb4d891edf9d196c7157f749ec8ab4fdc7e33c7229a3b35798d9022e9a666002a783d6e29997244001fdcc7c21bde578b42b134

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.Tiwvaw

Filesize
30B

MD5
a6dc16331f06bc5831e5ddc9799284ec

SHA1
d344f83d549df8c3e2c959182ba37f8c81d885a5

SHA256
9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807

SHA512
43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

Filesize
65B

MD5
08ef67bd98091e8c3d352a64ba259cba

SHA1
74de0ce4db3ab0e7e33db2606789db0d57e4b159

SHA256
b9f7c0d523e99980d82f3ee5a1282c920d3d411199b7be180ac92ea0efed1bc2

SHA512
486b8491a66301b8216e1f1110ecace1d004b1ccacb06ef0a5c8b07048183ef7d57738cfae8da213ac870895bdb51672de37dd12191fac7ea8f141931f462064

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\translations\index_v2.json

Filesize
22KB

MD5
cf3ed029870672a13175dd31817adfa4

SHA1
0cb97689ab7b75ea0b478f1ec30c64a9013b0f0d

SHA256
dbea4234accda9e6d66435ceb3fce855ad5e1a97b004e04b026182f3638d553d

SHA512
51ac7ef3dd80b3cd9488e60912e666a44801b742e9720efd1290621e278e274956efc0416231d1f3192391ae612deac4071aaca4ea50d0e16cfe335a982a1b06

Download Submit
memory/972-42-0x000001F8F0450000-0x000001F8F0460000-memory.dmp

Filesize
64KB

Download
memory/972-0-0x00007FF655A30000-0x00007FF6563F6000-memory.dmp

Filesize
9.8MB

Download
memory/972-1-0x00007FF8DAC20000-0x00007FF8DB24D000-memory.dmp

Filesize
6.2MB

Download
memory/972-2-0x000001F8F0450000-0x000001F8F0460000-memory.dmp

Filesize
64KB

Download
memory/2020-101-0x000002A230010000-0x000002A230280000-memory.dmp

Filesize
2.4MB

Download
memory/2020-94-0x000002A22E840000-0x000002A22E841000-memory.dmp

Filesize
4KB

Download
memory/2060-100-0x00000297C9F10000-0x00000297C9F11000-memory.dmp

Filesize
4KB

Download
memory/2060-103-0x00000297C9F30000-0x00000297CA1A0000-memory.dmp

Filesize
2.4MB

Download
memory/3380-88-0x0000020AE4410000-0x0000020AE5410000-memory.dmp

Filesize
16.0MB

Download
memory/3380-153-0x0000020AE4410000-0x0000020AE5410000-memory.dmp

Filesize
16.0MB

Download
memory/3380-91-0x0000020AE2B70000-0x0000020AE2B71000-memory.dmp

Filesize
4KB

Download
memory/3644-102-0x0000020B62080000-0x0000020B622F0000-memory.dmp

Filesize
2.4MB

Download
memory/3644-90-0x0000020B607E0000-0x0000020B607E1000-memory.dmp

Filesize
4KB

Download
memory/4496-119-0x0000024BADFC0000-0x0000024BADFC1000-memory.dmp

Filesize
4KB

Download
memory/4496-121-0x0000024BAF850000-0x0000024BAFAC0000-memory.dmp

Filesize
2.4MB

Download