9d95e947dbd2a170fa8900a06982f361deeb55012ed8b4087ccc9bc188c25cab

General

Target

TLauncher-Installer-1.3.7.exe
Size

23.0MB
MD5

fefa077f58a4efb4f4e71e9a296cd25d
SHA1

9613b235524ba675373f0698d6e3b5ff092b8e53
SHA256

9d95e947dbd2a170fa8900a06982f361deeb55012ed8b4087ccc9bc188c25cab
SHA512

303661182c6309a0752c999dc4465755467756153efd3fa715d64ef1d7be8196dc92e636d3a838175f938e1e89fd0adc5c4ea9a246fd73bd0af790a9e166502c
SSDEEP

393216:Z25Kw30exBRZjQ5+LTc2rr6of5MJ7ZWqxPAIgtMIMlFRqWM/DX9QMIuLLf0a+jVg:kKwEqZc+LtrrKJBH5lFRqlDYkLf0a0VG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	irsetup.exe

Loads dropped DLL 7 IoCs

pid	Process
1964	TLauncher-Installer-1.3.7.exe
1964	TLauncher-Installer-1.3.7.exe
1964	TLauncher-Installer-1.3.7.exe
1964	TLauncher-Installer-1.3.7.exe
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0030000000016126-3.dat	upx
behavioral1/memory/1936-17-0x0000000000B10000-0x0000000000EF9000-memory.dmp	upx
behavioral1/memory/1936-671-0x0000000000B10000-0x0000000000EF9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28
PID 1964 wrote to memory of 1936	1964	TLauncher-Installer-1.3.7.exe	28

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.7.exe" "__IRCT:3" "__IRTSS:24078146" "__IRSID:S-1-5-21-481678230-3773327859-3495911762-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

DNS

dl2.tlauncher.org

irsetup.exe

Remote address:

8.8.8.8:53

Request

dl2.tlauncher.org

IN A

Response

dl2.tlauncher.org

IN A

104.20.37.13

dl2.tlauncher.org

IN A

104.20.36.13
GET

https://dl2.tlauncher.org/check_latest_tl.php

irsetup.exe

Remote address:

104.20.37.13:443

Request

GET /check_latest_tl.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 8.0
Host: dl2.tlauncher.org
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Date: Thu, 09 May 2024 21:26:52 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8814c52f99c17756-LHR
alt-svc: h3=":443"; ma=86400

104.20.37.13:443

https://dl2.tlauncher.org/check_latest_tl.php

tls, http

irsetup.exe

1.1kB
7.2kB
11
12

HTTP Request

GET https://dl2.tlauncher.org/check_latest_tl.php

HTTP Response

403

8.8.8.8:53

dl2.tlauncher.org

dns

irsetup.exe

63 B
95 B
1
1

DNS Request

dl2.tlauncher.org

DNS Response

104.20.37.13

104.20.36.13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab23D9.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23EB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
83a8f0546164c9ba1a248acedefd6e5d

SHA1
7652f353ed74015e7e78bc9f9e305a48d336b6d1

SHA256
e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9

SHA512
111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
a14411ca54ffb3b223c21c63a784409b

SHA1
33050df5397e5a44169cf0cd702d776269233f36

SHA256
1c830be41a2d969da6e8e889a1ae23fc41594d5323520e5a39de7f2c32c5dc5b

SHA512
0bc34e8d826e3e026068c52c41eb4617e9bff553c675ff45c525ac4210b6cf878267fdfb4b6796d4de4dad2e8145eb3dd98220ee01957bd3e839e9f8a8d4bba7

Download Submit
memory/1936-597-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-598-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1936-17-0x0000000000B10000-0x0000000000EF9000-memory.dmp

Filesize
3.9MB

Download
memory/1936-672-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-671-0x0000000000B10000-0x0000000000EF9000-memory.dmp

Filesize
3.9MB

Download
memory/1936-675-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-685-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-697-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1964-14-0x0000000003540000-0x0000000003929000-memory.dmp

Filesize
3.9MB

Download
memory/1964-15-0x0000000003540000-0x0000000003929000-memory.dmp

Filesize
3.9MB

Download
memory/1964-673-0x0000000003540000-0x0000000003929000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.