05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf

General

Target

SKlauncher-3.2.exe
Size

1.6MB
MD5

b63468dd118dfbca5ef7967ba344e0e3
SHA1

2ba4f0df5f3bd284bf2a89aba320e4440d8b8355
SHA256

05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf
SHA512

007ecb7445dc0c01a802b5a2c91313aae59f9dc96e27455dd85e7a92a4e649d683fbc2ada5f48925d9ab3b4fdaea20aa89eeb442fde079902aecb5ca3454a548
SSDEEP

49152:HIBc3n9dRvwVlzhFAQ/ggUTPQjYEiim7V:oBaO/FAqMQjYEXm

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

SKlauncher-3.2.exe

pid process

2576 SKlauncher-3.2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3152 icacls.exe

pid	process
2576	SKlauncher-3.2.exe

pid	process
3152	icacls.exe

Drops file in Program Files directory 12 IoCs

Processes:

SKlauncher-3.2.exe

description	ioc	process
File opened for modification	\??\c:\program files\java\jre-1.8\bin\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\symbols\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\symbols\dll\jvm.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	SKlauncher-3.2.exe
File opened for modification	\??\c:\program files\java\jre-1.8\bin\symbols\dll\ntdll.pdb	SKlauncher-3.2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SKlauncher-3.2.exe

pid process

2576 SKlauncher-3.2.exe
2576 SKlauncher-3.2.exe

pid	process
2576	SKlauncher-3.2.exe
2576	SKlauncher-3.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SKlauncher-3.2.exejava.exe

description	pid	process	target process
PID 2576 wrote to memory of 1804	2576	SKlauncher-3.2.exe	java.exe
PID 2576 wrote to memory of 1804	2576	SKlauncher-3.2.exe	java.exe
PID 1804 wrote to memory of 3152	1804	java.exe	icacls.exe
PID 1804 wrote to memory of 3152	1804	java.exe	icacls.exe
PID 2576 wrote to memory of 388	2576	SKlauncher-3.2.exe	java.exe
PID 2576 wrote to memory of 388	2576	SKlauncher-3.2.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

\??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
"c:\PROGRA~1\java\jre-1.8\bin\java.exe" -version
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
3⤵
- Modifies file permissions
PID:3152

\??\c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe
"c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe" -version
2⤵
PID:388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
2c1b0f664c943f0af18eaa978ad2d3f4

SHA1
0edd8988556d0576ed0f6aef75b36af71ff788c7

SHA256
307125216ed14a2ead7629f7fad665a291a353ecf39a0c75a2bb07dc8de52a70

SHA512
1ccb0e823ae3376a5db00db75690dba57e169fb5140c6cdbdfccd1d46d897d09a9e596c759ad04f0d7a70691ed6ddf2ab2b398988aa21db38a0e73c61475a8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4682611694300.dll
Filesize
22KB

MD5
dcd68a87b7e6edbcfde48150403b22eb

SHA1
28e4839a29725075772fccc39b44e194eb91e477

SHA256
ae3352b6ad6cffaae55f4387f9f5e79365ea17f8d5fb45ef11d21c3300a49a4c

SHA512
ac2a6bc0afcd08c56090536a937772edd54f35505c9a5837d9bc8e91c31edb6137cf5191986b3473e9e2f512950b4dbfe4088598bfd1faf47088124c70aeba71

Download Submit
memory/388-21-0x000001DF00000000-0x000001DF01000000-memory.dmp

Filesize
16.0MB

Download
memory/388-29-0x000001DF780C0000-0x000001DF780C1000-memory.dmp

Filesize
4KB

Download
memory/1804-7-0x00000264E2EE0000-0x00000264E3EE0000-memory.dmp

Filesize
16.0MB

Download
memory/1804-15-0x00000264E1600000-0x00000264E1601000-memory.dmp

Filesize
4KB

Download
memory/2576-43-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2576-47-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2576-38-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/2576-65-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/2576-81-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2576-83-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/2576-91-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/2576-98-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download
memory/2576-103-0x0000000002530000-0x0000000003530000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing