aa3c568c88329c4dd471492c0db25a6c299b4346562d63e850e3064902d86d69

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240319-es
resource tags

arch:x64arch:x86image:win7-20240319-eslocale:es-esos:windows7-x64systemwindows
submitted
15/04/2024, 14:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PrismLauncher-Windows-MSVC-Setup-8.2.exe
Size

18.1MB
MD5

242927c23fc9b6ff5efaa51aaf5eda58
SHA1

53e851f8a136ae29aeb0159d9fa221b5e37a8b4c
SHA256

aa3c568c88329c4dd471492c0db25a6c299b4346562d63e850e3064902d86d69
SHA512

cda01dc9762a02d47829cadb0678fcf0b361d6ce4a9b3ddffa5bb7636487bd16446076274ac5a4ad015cb4d52fff4cccbb49b472ed031616fccc1826b748ce17
SSDEEP

393216:CMU77hg6HfhIjEYqNPPoDlXsLAmCrQ7cAIYE9rpyTXuEz18Tcso:CMUhHfhIgTkX3mwQ7cAo9+Pyo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1864	prismlauncher.exe
1772	prismlauncher.exe

Loads dropped DLL 15 IoCs

pid	Process
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe
1864	prismlauncher.exe
1864	prismlauncher.exe
1260	Process not Found
1772	prismlauncher.exe
1772	prismlauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3004	TaskKill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge\shell	PrismLauncher-Windows-MSVC-Setup-8.2.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge\shell\open	PrismLauncher-Windows-MSVC-Setup-8.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\PrismLauncher\\prismlauncher.exe\" \"%1\""	PrismLauncher-Windows-MSVC-Setup-8.2.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge	PrismLauncher-Windows-MSVC-Setup-8.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge\URL Protocol	PrismLauncher-Windows-MSVC-Setup-8.2.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\curseforge\shell\open\command	PrismLauncher-Windows-MSVC-Setup-8.2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	TaskKill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 3004	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	28
PID 2184 wrote to memory of 1864	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	32
PID 2184 wrote to memory of 1864	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	32
PID 2184 wrote to memory of 1864	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	32
PID 2184 wrote to memory of 1864	2184	PrismLauncher-Windows-MSVC-Setup-8.2.exe	32

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.2.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.2.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\TaskKill.exe
  TaskKill /IM prismlauncher.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
  "C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1864

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll

Filesize
8.5MB

MD5
4d427578ce80d21926239bde77859cbc

SHA1
ac7c9d7b8f2991a34f6368ebc098e369360e30ab

SHA256
1158536c723cfbcbf24f6f3443b16e42fc5473d8b1309040aa300a03408b5979

SHA512
4364dd317ebe3f54c33bb9af8e56ba45762882c74b18e336134f2904cb494cd15bbb94dd603e00b3ffb18c67f928dccf87b05feaa208bbd0ccade71d4ca29965

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll

Filesize
6.2MB

MD5
c22c19fae4dfb264296ffa339795c37b

SHA1
38f6d382208081904e8c6c2d0fb09f52b39c388f

SHA256
9761e3b306d52403f1f190abcb2ccacd01630cfae053457028d9b6e8d91d3adf

SHA512
1b7ae36117b7c266cdb833e232b9bf90e3fbae0b316f4ed5c5b45de7c81407778cf4df906df34d4339ebb232d0e569125b6f9788f68e78a17f5887d50f51c1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy66CF.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe

Filesize
9.7MB

MD5
337e87e1117573b52d7a069a2bec9935

SHA1
52060abc875a8cb7aa08076b503f2aeaf3dd4d89

SHA256
6651a644ecbfa74355c25036986efe7ac48002c7d6d54b9ff1eb2db5f7fd8bf3

SHA512
638312070c05b33c979e95264f07168e494a854068172c414d2066e9dc7fe766a27d9fae7437060cf5d8c25dfd587d7b066d88a09d6dd32f68b8bd2fc88b6aa7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy66CF.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy66CF.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
\Users\Admin\AppData\Local\Temp\nsy66CF.tmp\nsExec.dll

Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit