1c66423f1cbcd1967d66b888c071f9bfff5129f1f2b7be87004c72910d764429

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

132.0MB
MD5

b57a40c63cc54575c4d332f15a547546
SHA1

b82b61b7e36a5a6f8b6a22f2a878f9eda5fb4c01
SHA256

2ccb11f136637815cbe5d99610c1d57e13ee11bcbf183f8a37f0065c64903d2a
SHA512

a67d64f7eb13362bcd82a74a3fb4ee35b0afc237f90005f01090ba58dd4408ef087322f77e13f6bc90323ad1854d14db7805302461da1f7996dd3a2d80e9f6e6
SSDEEP

1572864:o4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVw:9l/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Launcher.exe

pid process

3224 Launcher.exe
3224 Launcher.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io

pid	process
3224	Launcher.exe
3224	Launcher.exe

flow	ioc
3	ipinfo.io

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Launcher.exepowershell.exepowershell.exepowershell.exeLauncher.exe

pid	process
536	Launcher.exe
536	Launcher.exe
4844	powershell.exe
4396	powershell.exe
1900	powershell.exe
4844	powershell.exe
1900	powershell.exe
4396	powershell.exe
60	Launcher.exe
60	Launcher.exe
60	Launcher.exe
60	Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Launcher.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeIncreaseQuotaPrivilege	4396	powershell.exe
Token: SeSecurityPrivilege	4396	powershell.exe
Token: SeTakeOwnershipPrivilege	4396	powershell.exe
Token: SeLoadDriverPrivilege	4396	powershell.exe
Token: SeSystemProfilePrivilege	4396	powershell.exe
Token: SeSystemtimePrivilege	4396	powershell.exe
Token: SeProfSingleProcessPrivilege	4396	powershell.exe
Token: SeIncBasePriorityPrivilege	4396	powershell.exe
Token: SeCreatePagefilePrivilege	4396	powershell.exe
Token: SeBackupPrivilege	4396	powershell.exe
Token: SeRestorePrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeSystemEnvironmentPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4396	powershell.exe
Token: SeUndockPrivilege	4396	powershell.exe
Token: SeManageVolumePrivilege	4396	powershell.exe
Token: 33	4396	powershell.exe
Token: 34	4396	powershell.exe
Token: 35	4396	powershell.exe
Token: 36	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	1900	powershell.exe
Token: SeSecurityPrivilege	1900	powershell.exe
Token: SeTakeOwnershipPrivilege	1900	powershell.exe
Token: SeLoadDriverPrivilege	1900	powershell.exe
Token: SeSystemProfilePrivilege	1900	powershell.exe
Token: SeSystemtimePrivilege	1900	powershell.exe
Token: SeProfSingleProcessPrivilege	1900	powershell.exe
Token: SeIncBasePriorityPrivilege	1900	powershell.exe
Token: SeCreatePagefilePrivilege	1900	powershell.exe
Token: SeBackupPrivilege	1900	powershell.exe
Token: SeRestorePrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeSystemEnvironmentPrivilege	1900	powershell.exe
Token: SeRemoteShutdownPrivilege	1900	powershell.exe
Token: SeUndockPrivilege	1900	powershell.exe
Token: SeManageVolumePrivilege	1900	powershell.exe
Token: 33	1900	powershell.exe
Token: 34	1900	powershell.exe
Token: 35	1900	powershell.exe
Token: 36	1900	powershell.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe
Token: SeCreatePagefilePrivilege	3224	Launcher.exe
Token: SeShutdownPrivilege	3224	Launcher.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Launcher.execmd.execmd.exe

description	pid	process	target process
PID 3224 wrote to memory of 968	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 968	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 968	3224	Launcher.exe	cmd.exe
PID 968 wrote to memory of 4828	968	cmd.exe	chcp.com
PID 968 wrote to memory of 4828	968	cmd.exe	chcp.com
PID 968 wrote to memory of 4828	968	cmd.exe	chcp.com
PID 3224 wrote to memory of 3124	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 3124	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 3124	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 4396	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 4396	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 4396	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 1900	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 1900	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 1900	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 4844	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 4844	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 4844	3224	Launcher.exe	powershell.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 220	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 536	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 536	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 536	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 1800	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 1800	3224	Launcher.exe	cmd.exe
PID 3224 wrote to memory of 1800	3224	Launcher.exe	cmd.exe
PID 1800 wrote to memory of 3712	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 3712	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 3712	1800	cmd.exe	findstr.exe
PID 3224 wrote to memory of 60	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 60	3224	Launcher.exe	Launcher.exe
PID 3224 wrote to memory of 60	3224	Launcher.exe	Launcher.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
2⤵
PID:3124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 --field-trial-handle=1996,i,4021428563164912843,801622709986624854,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --mojo-platform-channel-handle=2244 --field-trial-handle=1996,i,4021428563164912843,801622709986624854,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\findstr.exe
findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
3⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2896 --field-trial-handle=1996,i,4021428563164912843,801622709986624854,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
4279e6347a341c54e5e9bcc5ccf0b55e

SHA1
54e8b5376f11426145c70cb07a47da6c7c536bfe

SHA256
1d6fb68d1b317f18ae1f506adebddc735260a7d79fc25cbe5208a66baf9611fb

SHA512
ebfa6e9a7ae45305d929c0ec75fcf2d368fa786427e533859b537b4c1a3d609f9eff313977e6c3a33acf4d06906149fdc8f3bf684d36be9c5f669867e6b722c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
cb7cbed746e65cfb730ee797667b0966

SHA1
5bbd5af32e892fe02c23185124127debe1393dde

SHA256
a9563d196578d30ab41f889561df23947e6937fe64392dbbd1d2641ec8f3c424

SHA512
a65e2066d1f1065bf080f821ffccbe8ec54074a9390b2f6779e6e7a85c1d2e1b3d2101552e9f8fb5a912fcd1ac9d2f91f8813b995c9a54914883fb14c91a3c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
fb3f6ee38957fd139346f69818794a92

SHA1
0e5b704dc6145bfbc3513673deda18673bf8179c

SHA256
6613ed84b27bbbe5c98996dd78990faf9c84fed87a7411efd133f533897124c4

SHA512
367a33fa8c93e3c43fce2007c60b479cd8eedff365b667478404cd457a9ce5240a998d6abb2ae6924c02e7c3ba8821f1a0c087a8e04a1447890235c96a5f2c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\1084e3bc-4290-4691-9aa1-efc973706922.tmp.node
Filesize
95KB

MD5
5d764128ece6612a3569a382e28e8679

SHA1
644a9b556c63740ba6ebae07646aa417dd2354e8

SHA256
4fecf002838f2c0d179fdbc1b3dad7868a5ff3c14ce2a2a70c18c5e35ed4eb74

SHA512
944b7e5e8846875998aa9672fbe6789a541853e5ea1c7d8a63c1839c0f814003da2ea40d18e90169046f6ff929d36084af5fe0dc357341c77b6dc97b3568785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\359e9a90-f9c1-4ed8-af48-123f032e5d54.tmp.node
Filesize
1.5MB

MD5
61afcbf8b2fba5628c4c1c0640db4073

SHA1
7eac20d5c51c8b2b1fc49d61543f88e6935b14e9

SHA256
1ca727a3bc5e068f73ad7f427c555828fc90dc3eb022f9a0153635c2d30fb814

SHA512
d8e164c426cb556aae7e08449931cbb507363de185540aaa23f78c0457a413c4978aebb615185eda447ee39da46f361ff8499eadb95b020762d5f10904cd611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_baocuxi5.qwi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/60-106-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-110-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-109-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-104-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-108-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-100-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-99-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-98-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-107-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/60-105-0x000000000E860000-0x000000000E861000-memory.dmp

Filesize
4KB

Download
memory/1900-46-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1900-17-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/1900-69-0x0000000007C00000-0x0000000007C1E000-memory.dmp

Filesize
120KB

Download
memory/1900-77-0x0000000007C20000-0x0000000007CC3000-memory.dmp

Filesize
652KB

Download
memory/1900-13-0x0000000003070000-0x00000000030A6000-memory.dmp

Filesize
216KB

Download
memory/1900-14-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/1900-16-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/1900-49-0x0000000007980000-0x00000000079F6000-memory.dmp

Filesize
472KB

Download
memory/1900-45-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/1900-47-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/1900-87-0x000000006CCE0000-0x000000006D034000-memory.dmp

Filesize
3.3MB

Download
memory/1900-55-0x0000000007BC0000-0x0000000007BF2000-memory.dmp

Filesize
200KB

Download
memory/1900-56-0x000000006C730000-0x000000006C77C000-memory.dmp

Filesize
304KB

Download
memory/1900-50-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/4396-48-0x0000000006A00000-0x0000000006A44000-memory.dmp

Filesize
272KB

Download
memory/4396-57-0x000000006C730000-0x000000006C77C000-memory.dmp

Filesize
304KB

Download
memory/4396-85-0x000000006CCE0000-0x000000006D034000-memory.dmp

Filesize
3.3MB

Download
memory/4396-82-0x0000000007BD0000-0x0000000007BF4000-memory.dmp

Filesize
144KB

Download
memory/4396-81-0x0000000007BA0000-0x0000000007BCA000-memory.dmp

Filesize
168KB

Download
memory/4396-79-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/4844-51-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/4844-15-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/4844-80-0x00000000076E0000-0x0000000007772000-memory.dmp

Filesize
584KB

Download
memory/4844-78-0x0000000008750000-0x0000000008CF4000-memory.dmp

Filesize
5.6MB

Download