6cbbfe0860d7c601d7c179840ebbf2c65009382419d539ab2d11db91c6ea1dd7

Analysis

max time kernel
199s
max time network
209s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrismLauncher-Windows-MSVC-Setup-8.4.exe
Size

18.1MB
MD5

69bc5aec4f40f1cd760f0fa8a1b650f0
SHA1

d8156098ebe7c38b6e3d2aa6b408d89bc75dffb8
SHA256

6cbbfe0860d7c601d7c179840ebbf2c65009382419d539ab2d11db91c6ea1dd7
SHA512

ce5b0f27b99e838af2a2cdb5cc569ca72e5d83c2f81d10a69a60389367d234455119dc395667c1530d12314eb998006d47e7f1cbfe336d1e249f04ac5e88b44c
SSDEEP

393216:t0eFxWTics3YkZls45LKn/ZwtI4Np+uH5Xw7nxQPY1DrnQDtZqw2MQXgXwC:tHxWTiTYko+LIxb4v+uZjqPQDtZ3yXgR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

prismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exe

pid	process
2232	prismlauncher.exe
3128	prismlauncher.exe
1580	prismlauncher.exe
4124	prismlauncher.exe
2108	prismlauncher.exe
2064	prismlauncher.exe
4896	prismlauncher.exe
3856	prismlauncher.exe

Loads dropped DLL 64 IoCs

Processes:

PrismLauncher-Windows-MSVC-Setup-8.4.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exe

pid	process
1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe
1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe
1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
2232	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
3128	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
1580	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
4124	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2108	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
2064	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
4896	prismlauncher.exe
3856	prismlauncher.exe
3856	prismlauncher.exe
3856	prismlauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

TaskKill.exe

pid process

2024 TaskKill.exe

pid	process
2024	TaskKill.exe

Modifies registry class 6 IoCs

Processes:

PrismLauncher-Windows-MSVC-Setup-8.4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge\shell\open\command	PrismLauncher-Windows-MSVC-Setup-8.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge\shell	PrismLauncher-Windows-MSVC-Setup-8.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge\shell\open	PrismLauncher-Windows-MSVC-Setup-8.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\PrismLauncher\\prismlauncher.exe\" \"%1\""	PrismLauncher-Windows-MSVC-Setup-8.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge	PrismLauncher-Windows-MSVC-Setup-8.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\curseforge\URL Protocol	PrismLauncher-Windows-MSVC-Setup-8.4.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

Processes:

prismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exeprismlauncher.exe

pid	process
2232	prismlauncher.exe
3128	prismlauncher.exe
1580	prismlauncher.exe
4124	prismlauncher.exe
2108	prismlauncher.exe
2064	prismlauncher.exe
4896	prismlauncher.exe
3856	prismlauncher.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TaskKill.exe

description pid process

Token: SeDebugPrivilege 2024 TaskKill.exe

description	pid	process
Token: SeDebugPrivilege	2024	TaskKill.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

PrismLauncher-Windows-MSVC-Setup-8.4.exe

description	pid	process	target process
PID 1180 wrote to memory of 2024	1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe	TaskKill.exe
PID 1180 wrote to memory of 2024	1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe	TaskKill.exe
PID 1180 wrote to memory of 2024	1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe	TaskKill.exe
PID 1180 wrote to memory of 2232	1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe	prismlauncher.exe
PID 1180 wrote to memory of 2232	1180	PrismLauncher-Windows-MSVC-Setup-8.4.exe	prismlauncher.exe

C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.4.exe
"C:\Users\Admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-8.4.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\TaskKill.exe
TaskKill /IM prismlauncher.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:2232

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:3128

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:1580

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:4124

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:2108

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:2064

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:336

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
"C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll
Filesize
6.0MB

MD5
46a0dbd38cb28d8e79c80c9a033f6ae9

SHA1
1be5f3e78485f9b08e32346f13155a94001de50e

SHA256
225bd38093416c825f2e3220213f64e1079e9ab20f4738decc0fc6eb992e8a9e

SHA512
3fb62bce7b1d5129237914269aa3dd9a24f9e797927f2f4f937a0a291d357a40ec51b9c829094dc0bae1edcd6c580f1c9a03ca2c84d5526599c3608246f00bd0

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Core5Compat.dll
Filesize
851KB

MD5
e50b9b3fa16362c86a40e6255c6b45e7

SHA1
fa8ce8fd6d4415abdb67597735575dc83a8fc634

SHA256
c95ab3df8dc0bfd92925b7b8b51bce859ae09008691874a5c6f5630969557564

SHA512
03a8ac0ae14e8420dd9fd91bc1619d072882d152127b3f2f1c6f7e670b7c54c524490e7c84a7cd0b76e2db413439a1ca55c4e03416fd6beb47b1067c3e960cba

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll
Filesize
8.5MB

MD5
7875aad0d0d426e9d1b132a35266de32

SHA1
8b7656e3412ae546153d2d3df91a6ff506d64749

SHA256
fc2464f62d7915ddeaebb5490bee6d60e7b42ad5a223d5812f0993c27c35be19

SHA512
9fa16c5c628f2e9b242323aed4c1aa70f093cee9f341ac61640287ff9be8663658f502769e037a8409943d3c9ab826bb1c6f88532f0fbacdaea28b2353cdfba9

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Network.dll
Filesize
1.4MB

MD5
960f50470059381c65833145036fef29

SHA1
270e230bfc9248e5ecff9ea8dfbc5f1066df02ee

SHA256
1071f4f88c65317401bf93a2ffb55e661adcbb84f05911879ab21a6656521a68

SHA512
cb0a0d63aaae1b9646dad722759b1c53b36ed13a4231a30b054f6124bcc69e7285c5777ab6bbbb8296756d6c31fc94e735db42c5155db35274e0ec25c1406582

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll
Filesize
6.2MB

MD5
34abb42b63e71b09b72b48cf5b1dba53

SHA1
9f3111aab57a5f28a4ce9bf82ea208fa3eadb9a6

SHA256
c71e65b882a84f47114590784a256f14ba19202ec30b218ce4841b2c7256060b

SHA512
06acab5a04a5d3e6834ddc95229758d4adc7a7f0ef003c80e8d59a8241e295b196aceacce20c88879e1676405a2538d032ec6ac543258538e686878fb29f77f1

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\Qt6Xml.dll
Filesize
151KB

MD5
7fcfa82dd4a01915622c14931cc585dd

SHA1
079736f39ed5791df528fed5a12456285bfa1f18

SHA256
8b772f5f227b266c47655d02843bf51be6c50729acc28db7dced488d62f7ed4f

SHA512
caf98eecb1c57789b91dbef88c3f908f0652d29d93ae335526987a47f791d565e67e25ee4643abd006a39b2d9533449672c2c21df23cc61d77032c3cd01d6f39

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\platforms\qdirect2d.dll
Filesize
939KB

MD5
a883645fd99ed6b7d6398e1bbc5028d0

SHA1
ab0afcb2d58df52f402c0a2a81bf3f769fea15fa

SHA256
9386b1af2adbf8972801723f7d13f394d96001e979f06dd0695622a6a3ad63a8

SHA512
d70aafb4cbc0c2f2a8fc16e3560248f867908548c7b970d827ee9ad8c7342502dcf77a7b442a06a547dda6bdc6f3673dde5f909242327161fe1fdb272575ee3e

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\platforms\qwindows.dll
Filesize
869KB

MD5
6031ccd3785bafba8556008cbc058dfd

SHA1
885147d02060dab7b0a124865c8116a478297ce0

SHA256
2bdc29b85bd94170f97aadb1cd447eefe7a3ddf7950c535c81a9ef63e17d1ddc

SHA512
b35c58cddc461c0160ee223fddcc181d8e6c21b5713fd8d216334b69f6ab1e4c12f4da1d377fd5b718db2c723ab20b673ab89190a3acc88d3cab03ff23bfd23d

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
Filesize
9.8MB

MD5
f870a1b89e9bb05023eff04fd1ff4053

SHA1
0140d7feeab5ce8833b9bb55a224d041be3b2be7

SHA256
e2871c9c570bf8e8f2ea10a7b91f08ff3833136e861c5fd9679f7ad3d5433442

SHA512
766008210a531061b6b0af3fe2668f6d973b008dbe325f58b571927d8cf48c76a03f26135ce1c6fe573fe61ac6274a31fc9e7a760aa0eef93b6ad78147ba418a

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\qt.conf
Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\qtlogging.ini
Filesize
534B

MD5
4995c4ae4070a861669fd6e997d815be

SHA1
aa42f6bbab438d303e6e74172eca6a0673239e2d

SHA256
fa8b3d64121cc915337b69756bd87597f4f557a802a95e953e2dfe33e40a52ff

SHA512
96a0cee7c45fb86deb02286f6994a7aa1979e69e6e0bd3014a9ed897e6695d2fa586434fc3ea9c083118f1440bfcbacb9d4bba55cbe6ab14fdb92424b31a315e

Download Submit
C:\Users\Admin\AppData\Local\Programs\PrismLauncher\styles\qwindowsvistastyle.dll
Filesize
140KB

MD5
cc096aea386047b0131eea248122c0d2

SHA1
6251253bbc6e4460884bfc22c1dd30cec32dbac4

SHA256
47a22e7958279e7668ace09849a669f7410bf8c7aed752bd6e60f23c9581cd50

SHA512
4b097b86a21ac26e8849bf3908de97479b3484f28a68060c06f75515b07b8878466bce4241aae6b0c06a1b671b59b5dd115c760f08dc6d3287f1b875963d1cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg70DB.tmp\System.dll
Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg70DB.tmp\modern-wizard.bmp
Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg70DB.tmp\nsDialogs.dll
Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg70DB.tmp\nsExec.dll
Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1580-128-0x00007FFC56170000-0x00007FFC5679D000-memory.dmp

Filesize
6.2MB

Download
memory/1580-130-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/2064-159-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/2064-158-0x00007FFC55F60000-0x00007FFC5658D000-memory.dmp

Filesize
6.2MB

Download
memory/2108-153-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/2108-152-0x00007FFC55F60000-0x00007FFC5658D000-memory.dmp

Filesize
6.2MB

Download
memory/2232-102-0x00007FFC56320000-0x00007FFC5694D000-memory.dmp

Filesize
6.2MB

Download
memory/2232-100-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/3128-118-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/3128-119-0x00007FFC565B0000-0x00007FFC56BDD000-memory.dmp

Filesize
6.2MB

Download
memory/3856-162-0x00007FFC55F60000-0x00007FFC5658D000-memory.dmp

Filesize
6.2MB

Download
memory/3856-163-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/4124-140-0x00007FFC56170000-0x00007FFC5679D000-memory.dmp

Filesize
6.2MB

Download
memory/4124-141-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/4896-160-0x00007FF752150000-0x00007FF752B1B000-memory.dmp

Filesize
9.8MB

Download
memory/4896-161-0x00007FFC55F60000-0x00007FFC5658D000-memory.dmp

Filesize
6.2MB

Download