Overview

overview

7

Static

static

1

TLauncher-....6.exe

windows11-21h2-x64

Analysis

  • max time kernel
    305s
  • max time network
    307s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 13:33

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    TLauncher-Installer-1.4.6.exe

  • Size

    24.1MB

  • MD5

    cb62632298b924eddb9d9d3b0e9be20f

  • SHA1

    de604df13e8fd718955384f1b8c10ec9ada6569f

  • SHA256

    851ca59e7bae2de692a15d5f62811737f4d2e40bb132ea4a021999139062c4a6

  • SHA512

    48ee61193f2077876ac111402bd48bff43277cda064fbb61ee810af94ade74d8022a5df2734b6662c0d39d0fb3aceda70be0d78295bb1a146a6b541350b11054

  • SSDEEP

    786432:SK3aa5vbJNM9irrKJBH5lFRqH0fYk/pUJ8a:SKvhMQPKJBZlCUfYSpUJ8

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks for any installed AV software in registry 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe
    "C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe" "__IRCT:3" "__IRTSS:25230798" "__IRSID:S-1-5-21-3433428765-2473475212-4279855560-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Suspicious use of SetWindowsHookEx
      PID:332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:1384
    • C:\Windows\SysWOW64\werfault.exe
      werfault.exe /h /shared Global\96e6975abe054c56a4fcffcc5cd0658c /t 1524 /p 332
      1⤵
        PID:1056
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4700
        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3000
        • C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe
          "C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe"
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
            "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.6.exe" "__IRCT:3" "__IRTSS:25230798" "__IRSID:S-1-5-21-3433428765-2473475212-4279855560-1000"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks for any installed AV software in registry
            • Suspicious use of SetWindowsHookEx
            PID:1724
        • C:\Windows\System32\oobe\UserOOBEBroker.exe
          C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          PID:2256
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
          1⤵
            PID:1436
          • C:\Windows\system32\CredentialEnrollmentManager.exe
            C:\Windows\system32\CredentialEnrollmentManager.exe
            1⤵
              PID:2400
            • C:\Windows\system32\CredentialEnrollmentManager.exe
              C:\Windows\system32\CredentialEnrollmentManager.exe
              1⤵
                PID:4652
              • C:\Windows\system32\CredentialEnrollmentManager.exe
                C:\Windows\system32\CredentialEnrollmentManager.exe
                1⤵
                  PID:2932
                • C:\Windows\system32\CredentialEnrollmentManager.exe
                  C:\Windows\system32\CredentialEnrollmentManager.exe
                  1⤵
                    PID:3388
                  • C:\Windows\system32\CredentialEnrollmentManager.exe
                    C:\Windows\system32\CredentialEnrollmentManager.exe
                    1⤵
                      PID:1784
                    • C:\Windows\system32\CredentialEnrollmentManager.exe
                      C:\Windows\system32\CredentialEnrollmentManager.exe
                      1⤵
                        PID:1768
                      • C:\Windows\system32\LogonUI.exe
                        "LogonUI.exe" /flags:0x0 /state0:0xa3a24055 /state1:0x41c64e6d
                        1⤵
                        • Modifies data under HKEY_USERS
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:1984

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3433428765-2473475212-4279855560-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg
                        Filesize

                        62KB

                        MD5

                        6cb7e9f13c79d1dd975a8aa005ab0256

                        SHA1

                        eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

                        SHA256

                        af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

                        SHA512

                        3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                        Filesize

                        10KB

                        MD5

                        df46eb1fe5d54a0521d9965203a4a9da

                        SHA1

                        e977aae1bb82f3d57267ead3b91df3d82d6d50c6

                        SHA256

                        6076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d

                        SHA512

                        5bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico
                        Filesize

                        116KB

                        MD5

                        e043a9cb014d641a56f50f9d9ac9a1b9

                        SHA1

                        61dc6aed3d0d1f3b8afe3d161410848c565247ed

                        SHA256

                        9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

                        SHA512

                        4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
                        Filesize

                        1.6MB

                        MD5

                        199e6e6533c509fb9c02a6971bd8abda

                        SHA1

                        b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

                        SHA256

                        4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

                        SHA512

                        34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP
                        Filesize

                        1.8MB

                        MD5

                        5c9fb63e5ba2c15c3755ebbef52cabd2

                        SHA1

                        79ce7b10a602140b89eafdec4f944accd92e3660

                        SHA256

                        54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

                        SHA512

                        262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd
                        Filesize

                        1.7MB

                        MD5

                        dabd469bae99f6f2ada08cd2dd3139c3

                        SHA1

                        6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

                        SHA256

                        89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

                        SHA512

                        9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
                        Filesize

                        97KB

                        MD5

                        da1d0cd400e0b6ad6415fd4d90f69666

                        SHA1

                        de9083d2902906cacf57259cf581b1466400b799

                        SHA256

                        7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

                        SHA512

                        f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
                        Filesize

                        1.2MB

                        MD5

                        67e0266d7656a59373f89a131254044e

                        SHA1

                        3cf6dcedb972406f320f0831a86ee88f05c82266

                        SHA256

                        ea940ba2e7cd2e66cf5d5a0eee0e85ec84ccb64ef99c603d4ccc6d00aede0c7d

                        SHA512

                        d49268fdfdb0a40b5c7741dd847afb0a1e3b1ff87e8e75c8f8b7c27a29929ea25bd8e5299d8fc5035dfbbb523de3ae906e41b22c966a835ea9cec28aef3ff009

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
                        Filesize

                        325KB

                        MD5

                        c333af59fa9f0b12d1cd9f6bba111e3a

                        SHA1

                        66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

                        SHA256

                        fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

                        SHA512

                        2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.BMP
                        Filesize

                        12KB

                        MD5

                        3adf5e8387c828f62f12d2dd59349d63

                        SHA1

                        bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

                        SHA256

                        1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

                        SHA512

                        e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.PNG
                        Filesize

                        45KB

                        MD5

                        c454a79baa9d8a38cc82063d7af449a1

                        SHA1

                        d645284428550a4ee0b4da591215f4214e755262

                        SHA256

                        da603e732930e30b474b63e96503a20d5fca85d91ef76e7dd40e55bc58dd782a

                        SHA512

                        98c3280aee4c1ce48fbdf8c26f121d0d9d12dc38798a5462ae7a2797d482cfc375decd26f57a182a9360a41794cd68e7f28f53c5efbdc21dba5eeca88b05c6af

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG2.BMP
                        Filesize

                        12KB

                        MD5

                        f35117734829b05cfceaa7e39b2b61fb

                        SHA1

                        342ae5f530dce669fedaca053bd15b47e755adc2

                        SHA256

                        9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

                        SHA512

                        1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG3.BMP
                        Filesize

                        12KB

                        MD5

                        f5d6a81635291e408332cc01c565068f

                        SHA1

                        72fa5c8111e95cc7c5e97a09d1376f0619be111b

                        SHA256

                        4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

                        SHA512

                        33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
                        Filesize

                        7.8MB

                        MD5

                        54251495c99dca9cfba2ed6107b138b1

                        SHA1

                        effabb99b263df13234a71db5c40e44ebbd44b76

                        SHA256

                        63ee03875db2135cf046dcb23316b1973f8361728f5e03b03efa2ce26cc762f5

                        SHA512

                        a28fa3e523b78ad3466f7df0680abb8fd0b1768ebdf4a329831991666aa431659907491dbebf30740d4937ed41c22a8047d0780461d612dacbfe85a4ac0e02e9

                        Download Submit

                      • memory/332-705-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/332-704-0x0000000000E20000-0x0000000001209000-memory.dmp

                        Filesize

                        3.9MB

                        Download

                      • memory/332-688-0x0000000000E20000-0x0000000001209000-memory.dmp

                        Filesize

                        3.9MB

                        Download

                      • memory/332-689-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/332-681-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/332-682-0x0000000007900000-0x0000000007903000-memory.dmp

                        Filesize

                        12KB

                        Download

                      • memory/332-14-0x0000000000E20000-0x0000000001209000-memory.dmp

                        Filesize

                        3.9MB

                        Download

                      • memory/1724-747-0x00000000007F0000-0x0000000000BD9000-memory.dmp

                        Filesize

                        3.9MB

                        Download

                      • memory/1724-1421-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/1724-1423-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/1724-1422-0x00000000007F0000-0x0000000000BD9000-memory.dmp

                        Filesize

                        3.9MB

                        Download

                      • memory/1724-1440-0x0000000010000000-0x0000000010051000-memory.dmp

                        Filesize

                        324KB

                        Download

                      • memory/1724-1439-0x00000000007F0000-0x0000000000BD9000-memory.dmp

                        Filesize

                        3.9MB

                        Download