5eb30845e355c1e6c74f4f5c60e452be993b545e58c4944847c1b987b3bf2891

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrismLauncher-Windows-MSVC-Setup-7.1.exe
Size

16.5MB
MD5

bc6b5ba6dad47bb8dad0dd5d56442e05
SHA1

173d11382b2474a95dabe2c2f6b2edbc179b39ad
SHA256

5eb30845e355c1e6c74f4f5c60e452be993b545e58c4944847c1b987b3bf2891
SHA512

ead834dc029bd21595596515b5cbe176f5f220dfa4ae03b7a074245fcf288191fb6cd9f765dadb44c4b65192134bc86d198b48863352b0566c3f759d1dbc9c02
SSDEEP

393216:L9zo+iQe0XFivTqz7aOKARMv9CtzxTVwRNniKoBEBdCaINFc/tgZKfU:L9k+iQeuiv2z7RRMv9czxZwPauDyTYU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
308	prismlauncher.exe

Loads dropped DLL 6 IoCs

pid	Process
2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe
2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe
2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe
2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe
308	prismlauncher.exe
308	prismlauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2564	TaskKill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	TaskKill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 2564	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	28
PID 2952 wrote to memory of 308	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	31
PID 2952 wrote to memory of 308	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	31
PID 2952 wrote to memory of 308	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	31
PID 2952 wrote to memory of 308	2952	PrismLauncher-Windows-MSVC-Setup-7.1.exe	31

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-7.1.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-7.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM prismlauncher.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

Filesize
7.4MB

MD5
0ab8efed44e94227d814f456e51f0b57

SHA1
22a55fa81689d7314424083e515f9c8819c9cf17

SHA256
1c7b79a164335b8c43d7267fa8a0ee43a2bdeb957aef167b38bfedda21cff825

SHA512
95cf380fa921f127deb40da22788b1b41c0a47f8a31d7656e02c11ba69d360609527b6b9ff7ec236bec139cea59453634e845058d06adfe9fbce0dd82bd36b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst2888.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

Filesize
5.8MB

MD5
fe5d94996b8128747762cf0fdcab1f82

SHA1
3cb1bc591d55c4e5f76be53c3993eaab7e67541c

SHA256
05362dfd5ce0ab18988d878240f1daec2c505fb60cfb85636444c1843692e4a3

SHA512
c91be91786e38341ad83eb38ba27e4110d18c24b03f088aced46b32eb3fe9d81bf89c5bec4b8da1b84252fe78d3294dee1230ff79bd9308e979d0b9b219eab53

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.2MB

MD5
ba7ccd217a83355650c7fa23c6c7dae8

SHA1
b2795abe6720493103625abd00d3943b032f34a8

SHA256
a8f93ab70e33e8b00648434b6a3bb96f833d888aef058f7d656dd866348f0d2b

SHA512
407cac8280133227c0fdf93474e722e9111b8904acbcd29133a37ce706859c27f74efdab68d28d6770aef77973c2c0913cf8d9b7f8e013d319ebcc0554f85c92

Download Submit
\Users\Admin\AppData\Local\Temp\nst2888.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nst2888.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nst2888.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit