Overview

overview

7

Static

static

3

SKlauncher-3.2.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    39s
  • max time network
    39s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-06-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKlauncher-3.2.exe

  • Size

    1.6MB

  • MD5

    b63468dd118dfbca5ef7967ba344e0e3

  • SHA1

    2ba4f0df5f3bd284bf2a89aba320e4440d8b8355

  • SHA256

    05ae2f0dd61ef10019b94c200e8df192b767bb4cc24a7e7b329ab43cc9c74caf

  • SHA512

    007ecb7445dc0c01a802b5a2c91313aae59f9dc96e27455dd85e7a92a4e649d683fbc2ada5f48925d9ab3b4fdaea20aa89eeb442fde079902aecb5ca3454a548

  • SSDEEP

    49152:HIBc3n9dRvwVlzhFAQ/ggUTPQjYEiim7V:oBaO/FAqMQjYEXm

Score
7/10
microsoftdiscoveryphishing

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Detected potential entity reuse from brand microsoft.
    phishingmicrosoft
  • Drops file in Windows directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe
    "C:\Users\Admin\AppData\Local\Temp\SKlauncher-3.2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • \??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
      "c:\PROGRA~1\java\jre-1.8\bin\java.exe" -version
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:4516
    • \??\c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe
      "c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe" -version
      2⤵
        PID:3248
      • C:\Windows\SYSTEM32\reg.exe
        reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
        2⤵
          PID:2112
        • C:\Windows\SYSTEM32\rundll32.exe
          rundll32.exe url.dll,FileProtocolHandler https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?scope=XboxLive.signin%20offline_access&response_type=code&redirect_uri=http://localhost:26669/relogin&prompt=select_account&client_id=907a248d-3eb5-4d01-99d2-ff72d79c5eb1
          2⤵
          • Checks computer location settings
          PID:2828
        • C:\Windows\SYSTEM32\rundll32.exe
          rundll32.exe url.dll,FileProtocolHandler https://www.minecraft.net/store/minecraft-java-bedrock-edition-pc
          2⤵
          • Checks computer location settings
          PID:5100
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2736
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        • Modifies Internet Explorer settings
        PID:2056
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1980
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4996
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        PID:3344
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        PID:1336

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      File and Directory Permissions Modification

      1
      T1222

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
        Filesize

        46B

        MD5

        fcf26b38b3b7ae963112ddca261b18f7

        SHA1

        b3694346b223df86491267cfc7d1150e1410a164

        SHA256

        1adda3472b97e16daa15830fd0bf95846375fb9c3dbab96e3cc66c2c557e86c5

        SHA512

        07700c8a144652fea3ecb9b50387c9eefdc48b7f82f550e437a5a305fd161a7829c544f19c91d28667cd56469e998f1872f93f6a19ab810d1aeabbdb055755cd

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\MinecraftTen[1].woff
        Filesize

        23KB

        MD5

        375b25d1dbf7acfd6521e79a75c2727a

        SHA1

        fa50b89e5ab27f7d52a12ce108c9b38c809e2a5d

        SHA256

        3d938ace0eb47b68598f0a56fcbefeb577379e09eeb234fef46ae070b329cbc7

        SHA512

        d50f3ca93458272e4f02fa5759214f4f208e34939bd0b2e40b6018f81440ff231eb1d79efcfd85e004be09c9159035381a32c753f1cdc14d0b775e8307589f26

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\O2NI6W1O\login.live[1].xml
        Filesize

        13B

        MD5

        c1ddea3ef6bbef3e7060a1a9ad89e4c5

        SHA1

        35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

        SHA256

        b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

        SHA512

        6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\favicon[1].ico
        Filesize

        16KB

        MD5

        12e3dac858061d088023b2bd48e2fa96

        SHA1

        e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

        SHA256

        90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

        SHA512

        c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\android-icon-192x192[1].png
        Filesize

        1KB

        MD5

        01d02ad0ddc13fdad91d0e176b370c57

        SHA1

        a07a73645bc50a162fb4ff6d56422344eb1a4352

        SHA256

        50696460f0eaea39f5bf34cd451af6ebff1026caa0e4ddb87f60eb6b8a80238f

        SHA512

        f5c2c1d6197e208339660a654df938fdcdff6b3c1a8a165dc3512965921344fe1505a2a96ceb2e05036466224c19d9bd91d96efa51b6f5d4912c3afe52c0cfdf

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\px9qmuw\imagestore.dat
        Filesize

        26KB

        MD5

        782b64a02dfe8d177ea0f26edbeb7013

        SHA1

        f2e1b564e5adec091f4cb6ccb25bbb15a91aba2e

        SHA256

        3205a503b4369055fb6f5a900f240d546957d3518d1af52426ec25e64f1fae90

        SHA512

        9fee9b7f0bb9d5fef51c2993347c47302f83f57af5184759feac0fbdb5f54698b58c0538cb349da01944dea226631a36a11493be2332c2c4adb5a5ba0ccdb900

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
        Filesize

        471B

        MD5

        b3f8b9179f6d4c11c07271af89d2b3c2

        SHA1

        8c2d9c5e6aa7fb156c9f63a087e7c741ba5c669f

        SHA256

        443d5267ddd6d42daa5c4fabcf5b713281f3bafd9ae3fdb6625353a485975102

        SHA512

        1803314baefda8c09e6d498b8f8df9a67b39146fc121dd9baae48444779cf8a7668c305c6d836ec59f4d4da85b3424df71a6d8a88f45e2bfe77a83a15297754d

        Download Submit
      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
        Filesize

        412B

        MD5

        6fdf750aadb2ee8b70ee618058a57c30

        SHA1

        ba53d23546b8c2b02af0122e425198f6d5cd056d

        SHA256

        ec659c3fb785f17c0325613c4fcd5d169197a073c2c3ad1980b3c04ae5292552

        SHA512

        4984c71bae38a6106c344c3213dc26efe02bb539f253a5593854ecd4cecd75b4f9af5096ef626be885d88fcbda4c495b5dce6dcca68015c8decfaee81699bf24

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\+JXF1168073471860272938.tmp
        Filesize

        397KB

        MD5

        fdb50e0d48cdcf775fa1ac0dc3c33bd4

        SHA1

        5c95e5d66572aeca303512ba41a8dde0cea92c80

        SHA256

        64f8be6e55c37e32ef03da99714bf3aa58b8f2099bfe4f759a7578e3b8291123

        SHA512

        20ce8100c96058d4e64a12d0817b7ce638cec9f5d03651320eb6b9c3f47ee289ccc695bd3b5b6bf8e0867cdab0ebb6e8cae77df054e185828a6a13f3733ede53

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\+JXF5321600691574913285.tmp
        Filesize

        398KB

        MD5

        ff5fdc6f42c720a3ebd7b60f6d605888

        SHA1

        460c18ddf24846e3d8792d440fd9a750503aef1b

        SHA256

        1936d24cb0f4ce7006e08c6ef4243d2e42a7b45f2249f8fe54d92f76a317dfd1

        SHA512

        d3d333b1627d597c83a321a3daca38df63ea0f7cab716006935905b8170379ec2aab26cb7ffc7b539ca272cf7fb7937198aee6db3411077bedf3d2b920d078a3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\+JXF5937255364679419006.tmp
        Filesize

        405KB

        MD5

        8f2869a84ad71f156a17bb66611ebe22

        SHA1

        0325b9b3992fa2fdc9c715730a33135696c68a39

        SHA256

        0cb1bc1335372d9e3a0cf6f5311c7cce87af90d2a777fdeec18be605a2a70bc1

        SHA512

        3d4315d591dcf7609c15b3e32bcc234659fcdbe4be24aef5dba4ad248ad42fd9ab082250244f99dc801ec21575b7400aace50a1e8834d5c33404e76a0caac834

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\e4j6467.tmp_dir1717809365\SKlauncher-3.2.jar
        Filesize

        1.1MB

        MD5

        4d653e61ba01a521c56b9a70a9c9814e

        SHA1

        de855dc3dbc914b497b58da92e0c21fff660796d

        SHA256

        f7d3e01dcfc001cc80a988c518d4358955842d140054214d1367972c5c543350

        SHA512

        e6a7db6e2893b5b01dd0c84a230d88abf50da63ceb1af5754a2c4c1fbd307a799a74f3f368430d3beb33590cda2e0a3cf509fef11c4477b76e8d3c4a582b5def

        Download Submit
      • C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher-fx.jar
        Filesize

        14.1MB

        MD5

        9b59fa715db2f9f8f6ed9e14f3768ed3

        SHA1

        9d46c5898c653fb1785e399b74f26633107d0bde

        SHA256

        fab6dede2f59dc4b7b6be032fbce1209a93aca02b7d6c126e3f1584148230146

        SHA512

        e9e84b056e0f1d8be544194a275ca61b5e6820dbbd701dec5aa75b804705ab33cb826314c0f6edd527cffa84de80062c559f9fb49c53b5bbfda9481bd138be5f

        Download Submit
      • \Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4643597819100.dll
        Filesize

        22KB

        MD5

        dcd68a87b7e6edbcfde48150403b22eb

        SHA1

        28e4839a29725075772fccc39b44e194eb91e477

        SHA256

        ae3352b6ad6cffaae55f4387f9f5e79365ea17f8d5fb45ef11d21c3300a49a4c

        SHA512

        ac2a6bc0afcd08c56090536a937772edd54f35505c9a5837d9bc8e91c31edb6137cf5191986b3473e9e2f512950b4dbfe4088598bfd1faf47088124c70aeba71

        Download Submit
      • memory/1436-5-0x00000274B6310000-0x00000274B6580000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/1436-15-0x00000274B4B40000-0x00000274B4B41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1436-16-0x00000274B6310000-0x00000274B6580000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/2324-219-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-304-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-159-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-212-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-229-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-232-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-124-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-294-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-306-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-184-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-118-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-80-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-174-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-48-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-44-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-151-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2324-173-0x0000000002E80000-0x0000000002E81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3248-20-0x0000014356E90000-0x0000014357100000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/3248-30-0x0000014355850000-0x0000014355851000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3248-31-0x0000014356E90000-0x0000014357100000-memory.dmp
        Filesize

        2.4MB

        Download