Analysis
- max time kernel: 91s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 16:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: prismlauncher.exe
- Resource: win10v2004-20240508-en
General
- Target: prismlauncher.exe
- Size: 14.8MB
- MD5: 05c74ad84493a5d93adb3d5922f9a6ae
- SHA1: 51e939ed7aeec978933c09d5f743014151965006
- SHA256: 749e5714c80aecb30274b59e1dfb13221510aa87d0306bc764ffd3fec4f48e3a
- SHA512: 94f2581e9edf1eef0da3ddd721d22d0eaeddd07d1da15dfe362f9db5132a0c8c7c3863eb2df50676e26befc7850d3863a039c81b6945a8ac9718fd1a2c5fabc1
- SSDEEP: 98304:qHd2YsCJjpj3GstTNpgU7r7rPilIV5UFj+HCMIHDno6TR1UNxOfNURt6QALs0fIp:qgYhJg+Hi06Qx2NAP0
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: prismlauncher.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
- Modifies file permissions (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: prismlauncher.exe (PID 1360)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: prismlauncher.exe (PID 1360)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: prismlauncher.exe, javaw.exe
  PID 1360 prismlauncher.exe wrote to memory of PID 1648 javaw.exe (2 entries)
  PID 1360 prismlauncher.exe wrote to memory of PID 4540 javaw.exe (2 entries)
  PID 1360 prismlauncher.exe wrote to memory of PID 4864 javaw.exe (2 entries)
  PID 1360 prismlauncher.exe wrote to memory of PID 648 javaw.exe (2 entries)
  PID 648 javaw.exe wrote to memory of PID 4348 icacls.exe (2 entries)
  PID 1360 prismlauncher.exe wrote to memory of PID 3924 javaw.exe (2 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe (PID 1360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\prismlauncher.exe"
  - Checks computer location settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Java\jre-1.8\bin\javaw.exe (PID 1648)
    Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  - [2] C:\Program Files\Java\jdk-1.8\bin\javaw.exe (PID 4540)
    Command line: "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  - [2] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe (PID 4864)
    Command line: javaw -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
  - [2] C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe (PID 648)
    Command line: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\icacls.exe (PID 4348)
      Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      - Modifies file permissions
  - [2] C:\Program Files\Java\jdk-1.8\bin\javaw.exe (PID 3924)
    Command line: "C:\Program Files\Java\jdk-1.8\bin\javaw.exe" -Xms512m -Xmx4096m -jar C:/Users/Admin/AppData/Local/Temp/jars/JavaCheck.jar
Network
MITRE ATT&CK Enterprise v15
Downloads