Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-07-2024 16:02

General

  • Target

    prismlauncher.exe

  • Size

    14.8MB

  • MD5

    05c74ad84493a5d93adb3d5922f9a6ae

  • SHA1

    51e939ed7aeec978933c09d5f743014151965006

  • SHA256

    749e5714c80aecb30274b59e1dfb13221510aa87d0306bc764ffd3fec4f48e3a

  • SHA512

    94f2581e9edf1eef0da3ddd721d22d0eaeddd07d1da15dfe362f9db5132a0c8c7c3863eb2df50676e26befc7850d3863a039c81b6945a8ac9718fd1a2c5fabc1

  • SSDEEP

    98304:qHd2YsCJjpj3GstTNpgU7r7rPilIV5UFj+HCMIHDno6TR1UNxOfNURt6QALs0fIp:qgYhJg+Hi06Qx2NAP0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions (1 TTP, 1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
      PID:1648
    • C:\Program Files\Java\jdk-1.8\bin\javaw.exe
      "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
      PID:4540
    • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      javaw -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
      PID:4864
    • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
      "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        • Modifies file permissions
        PID:4348
    • C:\Program Files\Java\jdk-1.8\bin\javaw.exe
      "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -Xms512m -Xmx4096m -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
      PID:3924

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize: 46B
    MD5: 8bd0cfe0a748e9ce9ed7111f3f299e6b
    SHA1: 533b61f9852af63d1957571c83d2b56fadb649d9
    SHA256: c1719e470d6229563cd004941dd54ed2ad6d64ac4620083aa6d5806a77694ec7
    SHA512: a200475685432d03309cc7806fe6cb38dbe50f5c5a45f85032cff7c9bdb152e9c18ae21c228f1556d12a6ada5c9bfeaa444e61790d06200532f0b03105b40675

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp
    Filesize: 50B
    MD5: 5db32120c804ffbbb5aeae7be0bff369
    SHA1: 953b45430b7b6187d3ec759d42b02f02319e2388
    SHA256: 365e0ac4b13ef6e97eac11f6a25775495cc2de4180a45f554c2de7adb7b57ae5
    SHA512: 11b97b76096680bd5a8815134e52c569665cc1b7d3c2e2901c20e0c44f20adea968cb3fe7a788435c8be65f34859169a12254d00849606eec0042a3454a75a77

  • C:\Users\Admin\AppData\Local\Temp\prismlauncher.cfg
    Filesize: 30B
    MD5: a6dc16331f06bc5831e5ddc9799284ec
    SHA1: d344f83d549df8c3e2c959182ba37f8c81d885a5
    SHA256: 9da99b49301ba83c33387e75d2028185562479e677b6afb110b4f8b098465807
    SHA512: 43e498eab5c6f9b2f70c01e0abd4e63edb2651e498f267b53c7f62f2ef9c1eb68fa4783967fdba1880722a8bcd6e58065108f42773f0f47c04c9e54e809b1c14

  • C:\Users\Admin\AppData\Local\Temp\prismlauncher.cfg.lock
    Filesize: 66B
    MD5: 1a22468ebc89b4e1a1bd28460c7e2ad6
    SHA1: 2034c707f07cc477194e2e00e0b67051b80b8c01
    SHA256: 9f05bf93cdca224d9c78e81f3756d882c0134ed8094ffb8f08815412a9a80e9f
    SHA512: b752feec6a13268c7cb6df8d5fef1a16c85c358f78e40abafef56b1c2a8e9dbd5c9745142f755f91fc707287f8e137584a200e53bd364cc2e294dcdc27ea9e7a

  • memory/648-72-0x0000018237E40000-0x0000018237E41000-memory.dmp
    Filesize: 4KB

  • memory/1360-8-0x00007FFE8A7C0000-0x00007FFE8A7ED000-memory.dmp
    Filesize: 180KB

  • memory/1360-4-0x00007FFE76DA0000-0x00007FFE7753E000-memory.dmp
    Filesize: 7.6MB

  • memory/1360-3-0x00007FFE76310000-0x00007FFE76643000-memory.dmp
    Filesize: 3.2MB

  • memory/1360-5-0x00007FFE77540000-0x00007FFE77B63000-memory.dmp
    Filesize: 6.1MB

  • memory/1360-17-0x00007FFE86690000-0x00007FFE866A4000-memory.dmp
    Filesize: 80KB

  • memory/1360-7-0x00007FFE87220000-0x00007FFE8725A000-memory.dmp
    Filesize: 232KB

  • memory/1360-1-0x00007FFE77540000-0x00007FFE77B63000-memory.dmp
    Filesize: 6.1MB

  • memory/1360-6-0x00007FFE870D0000-0x00007FFE87131000-memory.dmp
    Filesize: 388KB

  • memory/1360-2-0x00007FFE76650000-0x00007FFE76823000-memory.dmp
    Filesize: 1.8MB

  • memory/1360-0-0x00007FF6A76B0000-0x00007FF6A8365000-memory.dmp
    Filesize: 12.7MB

  • memory/1648-76-0x000001F454B90000-0x000001F454B91000-memory.dmp
    Filesize: 4KB

  • memory/3924-96-0x00000156E64A0000-0x00000156E64A1000-memory.dmp
    Filesize: 4KB

  • memory/4540-78-0x0000015617730000-0x0000015617731000-memory.dmp
    Filesize: 4KB

  • memory/4864-79-0x000001EE4F890000-0x000001EE4F891000-memory.dmp
    Filesize: 4KB