a49a364b7394a70e5bac73917bd825b703aa9f11b66848069379b01a595ca307

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.5.exe
Size

22.8MB
MD5

b4c335fec6bbb46bc5e8dfd74be77a78
SHA1

da6aeca92a7b0e562f1db8e83d73386046b1beb7
SHA256

a49a364b7394a70e5bac73917bd825b703aa9f11b66848069379b01a595ca307
SHA512

caca2ce1edbbdf04b1eb0ad2eff2f5c73f2d51db5b49612a516325b27329f4ee7db86dea0e2fa8df264b40557d0167112a22440bc4ef513089ba11e90720a15d
SSDEEP

393216:025KNJux8K2E+Q5JIkc2rr6of5MJ7ZWqxPAIgtMIMlFRqH0fHbS1K8kn/rbhQyD0:RKNJuIMJIArrKJBH5lFRqH0fYk/pUJ8a

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	irsetup.exe

Loads dropped DLL 7 IoCs

pid	Process
2300	TLauncher-Installer-1.4.5.exe
2300	TLauncher-Installer-1.4.5.exe
2300	TLauncher-Installer-1.4.5.exe
2300	TLauncher-Installer-1.4.5.exe
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002b000000015c23-3.dat	upx
behavioral1/memory/2300-5-0x0000000002C10000-0x0000000002FF9000-memory.dmp	upx
behavioral1/memory/1936-18-0x0000000000290000-0x0000000000679000-memory.dmp	upx
behavioral1/memory/1936-636-0x0000000000290000-0x0000000000679000-memory.dmp	upx
behavioral1/memory/1936-736-0x0000000000290000-0x0000000000679000-memory.dmp	upx
behavioral1/memory/1936-1378-0x0000000000290000-0x0000000000679000-memory.dmp	upx
behavioral1/memory/1936-1982-0x0000000000290000-0x0000000000679000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe
1936	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28
PID 2300 wrote to memory of 1936	2300	TLauncher-Installer-1.4.5.exe	28

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.5.exe" "__IRCT:3" "__IRTSS:23874292" "__IRSID:S-1-5-21-330940541-141609230-1670313778-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8A4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
2885c4a1dc2bc52ea298b8d9c7e1bfbb

SHA1
964bff819cbfd38692900403460c67b9d0dae8b0

SHA256
4007ca82da52600902ad2e269445e0ae15701187d111ba7f59546c7dfe1fc3dc

SHA512
e0480ece21136a29a727fe99001fae8a9009a4ce92bb1a48644cf20dfc57fe70cb685b6427a6582f85ac2ffee93d85fe91c7cb1bc5b8e2121f3cb38907da2e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG15.PNG

Filesize
43KB

MD5
0314a0f669165b4e59739311ae077948

SHA1
993a17c3e130275bb8734162773cf70808fccfd2

SHA256
4d573e91bf0c8cb83127ee7d0f8bd94344dd0d9d80f5212355d405c301a8fb41

SHA512
6a43b3faba1018403adbc18c5336d53fd81cc95e55777a3c54a87d2ee53c7d1574ca04a045e02745a5a422fc1faa54ab3702e94653177da6b8b91c1e7194dc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG16.PNG

Filesize
644B

MD5
bdd65c0250504bbae95d89e3af56c12c

SHA1
c963f7e440c4c391201533acae3be513c6723bf0

SHA256
ec78b5098bc883fc6c96f46821de3ea9ca11d05faab67b8b560b1dd8aca584c8

SHA512
555479c3799e15189aa76a48ff42afef3b25c2abd127e045ccba062b6e7810a4bd27ca49eba6146fa11bdcba001153b07e0ef9000b2a8b14c82fdba6109557b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG18.PNG

Filesize
40KB

MD5
76a95eb3aa924d130b2a60147cc4443c

SHA1
b19c95c2a38fa2d2e7d9acb89a68f7ca664924d0

SHA256
05b954ed90eb42c480056bcd5101d49a3be83fafb9db0dae8226ba1616d5e402

SHA512
f24b3c669cfa461431c9ba91a91b146990d72c6ab9557793d8f28596d2cc96e588114fbce4cd2c21bb38dfc6445c174856f5044ca7f71e77f1738876df62b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG

Filesize
438B

MD5
e74e81694bdd2d1370dc43c71ead9b9f

SHA1
fec3d9689a883eb978b171b39570a829bbb83c0b

SHA256
6f86d8c78b9da18aed4d1df50cf13fde56754e7d2398c6ccdc44504c4a8a824e

SHA512
bf8ac81c62e2c6f8a4e7d1e28a4ea0036bf31273876b4521c593c715024a150ac9d07f1d9ec4fa060266f854df8005cf088d90b97de6c9898f3cb638805679b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
9.1MB

MD5
833512c89f1ab92c80131d415f89f442

SHA1
dd9953ddcc33278bb97502ffdc6e7462e8005680

SHA256
717f80429e16e7c467a8472dfb0404e22fdf2d67ecd94018b6536dc9d995bff6

SHA512
f23201251ea19b6122f60a788a027bd59aca1233b17b265709a51a2babc1eea1394a4400eadcc6792bb5f9843d73a95660f60f487779cbfc05766f53fa3ef3d1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.PNG

Filesize
45KB

MD5
bed1faf91ad17cf27a07d784c4f7552e

SHA1
08bc59a0bf1af7d52a3fc1b838b87ccc8ba63b54

SHA256
0c280eb11d5c15cc34bde953c9fc3b6a61454b3bfa457910a2b19843eca68618

SHA512
d35dcf99c4e1d585bcda498aa957bc2b53a13bde7e5607522b63673a21ddf08f90f10f212df0dcff6109e7c5faaa509fb68b0014ae56f7346e1d1e37e8798282

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG10.PNG

Filesize
206B

MD5
1c09f11f645f5bc8ad2fc424184e36fd

SHA1
7be93cc50c32e0f7307489c9e5cc2928c7083ae6

SHA256
d28d35dd7eac3d02d501365b6e264a63bafc58e9620a89d05d320de6571cc785

SHA512
f77aa3f143ed8925b5161715775ed4cf6d281c85d609d34dff601b688dd7b24f795333a447c3ed65a7a612ca0808346e73888473cac74cdf2b91018701683b64

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG14.PNG

Filesize
41KB

MD5
cdcf2f8c2e28d874c185493ea4cb706b

SHA1
a00b1fc305af1d9dfd578909b98f344e834c1738

SHA256
c55b2ad6bd86ef8be2608ad383949ae82237cd47a7a06a7d6cba3f39500aee71

SHA512
9c9b171fac23add340706a459a0fbb8dcb8e6d8339698b1cb243e2c0850f8cbad53ae243f9dd71199c2c146c0a8250419a16e64e600ff468f206e9de5c12c217

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG3.PNG

Filesize
475B

MD5
a16fd532ec028ddffa4e4adde1e74af7

SHA1
ccd3375736524ec24ec30324d1c5d773a9dbf737

SHA256
969184f6dfeecb188617dd49aed73de00d2776c5bce56b7dc3e8580398afa914

SHA512
80b53ebc964acd08342c32ded2ba92fbf1799f543cfc4487c929817e75e8873747606c3b15ea7d4e18cae859db8e9918c511ebf7f3aacf34bffc65c934618e45

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

Filesize
368B

MD5
edd7a2b497282c1a576123adfb5518ec

SHA1
c9ae4ce71d152b42b86f9ff5662ab850e9f74126

SHA256
33ccb0cc6b7af88b812a560309848a722d0030e964c6f3c6151feb216ac20413

SHA512
db4290363a46f3304849970ca7bd6cf9c839b95c06b86841cd643fb4b61bf609aaae444c5c943fbdd674261b4bc089c85dbbca2f9dc9b7f5e169baf6522ad3d5

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
21KB

MD5
2f4da7c7d7e54033c2168d9ba387021e

SHA1
4503c3fd493681ba1dac7506c237e1b298a3d70a

SHA256
2fbef53c49eeb57053f98e6f54b1e571639e207bfb3a61498deb58e306ddf782

SHA512
23ef8be88e5c6c6526e90f173890c523bd8b65edd0990d3a1c1c1340823bbc483478a0536d0b14bf9af8c2468be25ca552ef0362adf5109b01faf69151077ad7

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
2KB

MD5
a4582cf5f7e9a72cd6bc9cb473fc4977

SHA1
4e3ddb5729b73ae06e4dd5507d5b0f1a2270e2ac

SHA256
b990ba7ea39d00b6b5439e5a8f938af817bd7fc00d8b8049c777cdf8396f16e2

SHA512
6cbbbb2eaca10d5e72fa6f027c5d8141969c618b03f91507926f419c5f590fd74d6d6c9ba1041fabf1afb09d75a655ddbb324fc7707a59ed507940b7c6e63829

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

Filesize
4KB

MD5
1309abb4d7695b135de1bccb3d0383bd

SHA1
6435990c33f357ecdad2f72f11da62a766c4abd8

SHA256
d705428077945f54aea3cb29ccf04123369634444a578cd9f01ab1b947d454c3

SHA512
05440cbc9f24a56083a4ad63b42cc02b782c46abecdf4b23de9f7d6f8f66b196bcc9fa21920575ba1899735bd2bf398166151e95d2a802288d637ae4ec2ec83a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
da025e7c96d52ef9829b1fe3a9dbe061

SHA1
c722b5c15c319a205a3d6ba150e60e15bdf6c28e

SHA256
6682c060e9b5b003430bed3346e4715607cbcd07e2d06584a0cd7cdae5872e45

SHA512
3906ca655ccb67811828ea9b33e677c01cfb745a58d5f10e609b05da998d3be7e8cd026efb5a31724a22afbd9a9b5e14c651e4fef1d21ec3c524d49a362e32de

Download Submit
memory/1936-736-0x0000000000290000-0x0000000000679000-memory.dmp

Filesize
3.9MB

Download
memory/1936-622-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-1982-0x0000000000290000-0x0000000000679000-memory.dmp

Filesize
3.9MB

Download
memory/1936-636-0x0000000000290000-0x0000000000679000-memory.dmp

Filesize
3.9MB

Download
memory/1936-737-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-1377-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/1936-623-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/1936-637-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1936-18-0x0000000000290000-0x0000000000679000-memory.dmp

Filesize
3.9MB

Download
memory/1936-1378-0x0000000000290000-0x0000000000679000-memory.dmp

Filesize
3.9MB

Download
memory/2300-739-0x0000000002C10000-0x0000000002FF9000-memory.dmp

Filesize
3.9MB

Download
memory/2300-16-0x0000000002C10000-0x0000000002FF9000-memory.dmp

Filesize
3.9MB

Download
memory/2300-15-0x0000000002C10000-0x0000000002FF9000-memory.dmp

Filesize
3.9MB

Download
memory/2300-5-0x0000000002C10000-0x0000000002FF9000-memory.dmp

Filesize
3.9MB

Download
memory/2300-738-0x0000000002C10000-0x0000000002FF9000-memory.dmp

Filesize
3.9MB

Download