aa3c568c88329c4dd471492c0db25a6c299b4346562d63e850e3064902d86d69

Analysis

max time kernel
444s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11/03/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prismlauncher.exe
Size

9.7MB
MD5

337e87e1117573b52d7a069a2bec9935
SHA1

52060abc875a8cb7aa08076b503f2aeaf3dd4d89
SHA256

6651a644ecbfa74355c25036986efe7ac48002c7d6d54b9ff1eb2db5f7fd8bf3
SHA512

638312070c05b33c979e95264f07168e494a854068172c414d2066e9dc7fe766a27d9fae7437060cf5d8c25dfd587d7b066d88a09d6dd32f68b8bd2fc88b6aa7
SSDEEP

98304:zpPOVXkPVGiWnYmryIHDno6TRlUNxOKsgCfVT:z1Gi0h06gxyhVT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	prismlauncher.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4648	prismlauncher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	prismlauncher.exe

C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.hBDbCd

Filesize
30B

MD5
a6dc16331f06bc5831e5ddc9799284ec

SHA1
d344f83d549df8c3e2c959182ba37f8c81d885a5

SHA256
9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807

SHA512
43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\prismlauncher.cfg.lock

Filesize
66B

MD5
60ac057c23e333c7f611ef312579b6ab

SHA1
369fe1bca0d45ab1e30d81ee01360d222103fb67

SHA256
17a81a52ea182c9e862333a0e0f9ae8bca813b1c39c37b117e34e34a2081d76d

SHA512
e9d38c68a71d7c2f0659e87886b639f0820402e85a233f993feac51b2f8480eab0647d450cc2a92252d24022f58392b09b905774097dde12295fe3f732a6d310

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\translations\index_v2.json

Filesize
22KB

MD5
c4639a2238a1a95c30a551293aa4cfa2

SHA1
a79fa5f781e870b54dc3b1f91686bc92486e7d18

SHA256
284cb0046496e5617d0ed617e052824dc461345e4b5d6d0e4c4992c3f5588341

SHA512
0f2f49e56f0cd919c34ccdb60a421fb33e3dce63d2dc10821d1cba60315ce46f63055f31008af78171838a7e3a611ab6a812ba8cf81947d23c760aa2a38264f1

Download Submit
C:\Users\Admin\AppData\Roaming\PrismLauncher\translations\mmc_es.qm

Filesize
276KB

MD5
6c9a8fb2b7e17b1507108be5ab57d1ed

SHA1
14a47a4bcaabbbb4f9a747e2689e2b84e95b14fb

SHA256
c18df5a5b4ca78a1ce8e0ee397f7597dcd6cd8d9befb23bbb290d8d674957963

SHA512
50e92516838da26c056388985dfcd7603507bf8cef8b44f24f59da5d4fd39e8f1d5b6ce4df78c1085d17585394223a351df866e70d234941ab8692978bb141f5

Download Submit
memory/4648-0-0x00007FF985160000-0x00007FF98578D000-memory.dmp

Filesize
6.2MB

Download
memory/4648-1-0x00007FF6F5120000-0x00007FF6F5AE6000-memory.dmp

Filesize
9.8MB

Download
memory/4648-2-0x000001F681CA0000-0x000001F681CB0000-memory.dmp

Filesize
64KB

Download
memory/4648-51-0x000001F681CA0000-0x000001F681CB0000-memory.dmp

Filesize
64KB

Download