2e16953cd6445d754b38f654a83ba81d7f34598b23882ca14f40f1ef88e64242

General

Target

BlackLauncher.exe
Size

66.0MB
MD5

9af3e6d9cde373f8f514fc69439c5cab
SHA1

8349cdcfcdb3b081253e733b93e71f0e7c94d0ef
SHA256

1d80f6a688af15e12116f444d8da85be020a3393aeaab885e4d0f8589ac23dc0
SHA512

b66c9878cce829eea3467eaa8255f2752de8db2de33b8a525f2cbd886728a95d16173ed0132bc30e69da6a352952b437e1953ba84786ad3b178293abcce49550
SSDEEP

393216:1qCKJWr646m8GH5y4SVFY+L/I5glN7tFL+fzqdqhuQjPLzXq:1qCKJWr36PGZpSVFh/aglNpg7jPq

Score

5^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
5000	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5000	powershell.exe
5000	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	660	AUDIODG.EXE
Token: SeDebugPrivilege	5000	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4224	BlackLauncher.exe
4224	BlackLauncher.exe
4224	BlackLauncher.exe
3636	BlackLauncher.exe
3636	BlackLauncher.exe
3636	BlackLauncher.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 5000	4224	BlackLauncher.exe	85
PID 4224 wrote to memory of 5000	4224	BlackLauncher.exe	85
PID 5000 wrote to memory of 3636	5000	powershell.exe	87
PID 5000 wrote to memory of 3636	5000	powershell.exe	87

C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command " Start-Process -FilePath 'C:/Users/Admin/AppData/Local/Temp/BlackLauncher.exe' -ArgumentList '--rendering-driver opengl3 --admin-requested' -Verb RunAs "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\BlackLauncher.exe" --rendering-driver opengl3 --admin-requested
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x2d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ql11pah.pbb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\logs\godot.log

Filesize
490B

MD5
29132f5cea29a541e4a4bee112233ed4

SHA1
f4fcbceaf72c04bd92a592fbd6805369bb84c7d3

SHA256
2c115bc9f9729e851dd136694e8e44fb903a7be888370a3ddcab875da2829b73

SHA512
332d99628233872eee04d4a055c3a594017a530ef97dca1a645261e863aefdfd0e2707a8ed4ebfd7d0a496ca6bd9a3069d32d2604dbd4900f30a1f54719ff51b

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CanvasShaderGLES3\4e9e83ef92cfe6b6881057f0e41e775d2f0a3ea470fb34af487edaa273c90c2c\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
128KB

MD5
31493e258a21680bcb8e57ae1db77eaa

SHA1
bdef2bb9c4d5118bf65206e2109ba9af47a7c2bb

SHA256
f9807566566182192ee7f47955d9e2cde5aecda8380e4923c860afe75ac82127

SHA512
0254415318c4e90fb5c88b900939ce546be2964860be6fe117cd8c3ca8d53379dd21f512cf3aa8d5027debb61685cd6739b63dc1f52b6e0e862f2c1cdac921fa

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\CopyShaderGLES3\f8827df5e23db5bc636a3d6c081f1b5ec27655db61c9d942fd9b2364a6b58de7\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
60KB

MD5
b5e157aabf1ad8173f58afc808372572

SHA1
686897130946b9fc563fcbaf43ecf4ddff130648

SHA256
808932f74dbcf687842cbfa4428b80d2f9fe51a9ce4f829700f5e104f1245393

SHA512
4c199408bb17cd31b9ee9945cb1ace5ab6898bf0f9ada2f903867a96736097def1c1bcdf030b7d5f7545ab0086bf70e0fb61de9df727e180704322b73cd3727e

Download Submit
C:\Users\Admin\AppData\Roaming\Godot\app_userdata\NewLauncher\shader_cache\SceneShaderGLES3\fde6c2cbcc2ec71d9bf0aaa797b35a71635bb92f1057da48e6e13d5058805d9c\fa7b62523470356194bdf709eb2639ab149a07cc.cache

Filesize
343KB

MD5
858c90cf6f469533fa56359a33e91580

SHA1
97811818c89d34fe907bac6f49690b88b4d43a66

SHA256
0ec2129e8e633e289ec86ea0ebe1537067cb3f153aa13a58aaadfec1f9c1a9a5

SHA512
1cb99b324a4b4ee389afa8ca5428a49c03ed73159509697d5e380763f40e1abece7a130aff7e8e486316c69ffca6e00d6c5184957a9e12d916dca26394f71c53

Download Submit
memory/3636-45-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-47-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-42-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-43-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-44-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-55-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-46-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-54-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-48-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-49-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-50-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-51-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-52-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/3636-53-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/4224-36-0x00007FF7606C0000-0x00007FF764A22000-memory.dmp

Filesize
67.4MB

Download
memory/5000-13-0x000001DD59250000-0x000001DD59272000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing