9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414

Resubmissions

03/07/2024, 05:47

240703-ghd2rstfrq 7

03/07/2024, 05:41

240703-gdpmpstepm 7

Analysis

max time kernel
113s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.7.exe
Size

24.1MB
MD5

86fc2557f00baf9698715dc99a8cec41
SHA1

75f8f54eabd25749af37d21316f02d7d5868c398
SHA256

9f0ffcd4852f9af353558f104dd8edf13e67971076341e87da304b8e6d8c5414
SHA512

521e19cc02c996fc478fead4239cd3ab24b70a441df138ed955d349eb46e7a03ccc10a3d58d8dc726292f494d6bd6efd2a92f62d3f179cb2751fc725ea7d449e
SSDEEP

786432:lKxabBbJyM9irrKJBH5lFRqH0fYk/pUJ8a:lKcSMQPKJBZlCUfYSpUJ8

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	TLauncher-Installer-1.4.7.exe

Executes dropped EXE 3 IoCs

pid	Process
4636	irsetup.exe
2684	irsetup.exe
1220	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
4636	irsetup.exe
4636	irsetup.exe
4636	irsetup.exe
2684	irsetup.exe
1220	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023525-5.dat	upx
behavioral1/memory/4636-14-0x0000000000160000-0x0000000000549000-memory.dmp	upx
behavioral1/memory/4636-702-0x0000000000160000-0x0000000000549000-memory.dmp	upx
behavioral1/memory/2684-715-0x0000000000160000-0x0000000000549000-memory.dmp	upx
behavioral1/memory/1220-721-0x0000000000160000-0x0000000000549000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2156	7zFM.exe
2376	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2156	7zFM.exe
Token: 35	2156	7zFM.exe
Token: SeSecurityPrivilege	2156	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2156	7zFM.exe
2156	7zFM.exe
2156	7zFM.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4636	irsetup.exe
4636	irsetup.exe
4636	irsetup.exe
4636	irsetup.exe
4636	irsetup.exe
2684	irsetup.exe
2684	irsetup.exe
1220	irsetup.exe
1220	irsetup.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4636	4676	TLauncher-Installer-1.4.7.exe	90
PID 4676 wrote to memory of 4636	4676	TLauncher-Installer-1.4.7.exe	90
PID 4676 wrote to memory of 4636	4676	TLauncher-Installer-1.4.7.exe	90
PID 2376 wrote to memory of 4628	2376	OpenWith.exe	110
PID 2376 wrote to memory of 4628	2376	OpenWith.exe	110

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.7.exe" "__IRCT:3" "__IRTSS:25232362" "__IRSID:S-1-5-21-1181767204-2009306918-3718769404-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious use of SetWindowsHookEx
  PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
1⤵
PID:2348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6896969\UPX1
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC6896969\UPX1

Filesize
1.2MB

MD5
c37185b36abd2a42454399fa04677dcf

SHA1
19b19cd42626ea16db335dab059142f885001d0c

SHA256
c7d64a1de521a7b1632019a943f7470e9e5ae1d83278d5bdc6b469a242e73640

SHA512
9bc5e5f64e155965f27881f285cc6c95da1607c47a4ed488ec390e7fd73c73a4ad33b07a8082224b1215eb59bde3156da13b73c7847e4d936346d93c248ba547

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
af9bb57e1893112a57a47df0908bc3d1

SHA1
39f31da08004741fd4b9fb31b04e29368f1e317e

SHA256
1cf4f5e5d5bed48b7c989e34bb80507ca623cb1ac1fc1596f07cfd1dc7aec60e

SHA512
3a8cd6660a0147101f4898c20a6fec1192b4196ae8e46cd3e730dc43c8bd7feed9c576590b6aa79c7763e5942466ac9118d44177edbc2ff1ddf1af3da5234040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
memory/1220-721-0x0000000000160000-0x0000000000549000-memory.dmp

Filesize
3.9MB

Download
memory/2684-715-0x0000000000160000-0x0000000000549000-memory.dmp

Filesize
3.9MB

Download
memory/4636-683-0x0000000006CA0000-0x0000000006CA3000-memory.dmp

Filesize
12KB

Download
memory/4636-682-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4636-14-0x0000000000160000-0x0000000000549000-memory.dmp

Filesize
3.9MB

Download
memory/4636-703-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4636-702-0x0000000000160000-0x0000000000549000-memory.dmp

Filesize
3.9MB

Download