hxxps://llaun[.]ch/installer

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://llaun.ch/installer

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4292	msedge.exe
4292	msedge.exe
4544	msedge.exe
4544	msedge.exe
2260	identity_helper.exe
2260	identity_helper.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2420	4544	msedge.exe	84
PID 4544 wrote to memory of 2420	4544	msedge.exe	84
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4776	4544	msedge.exe	85
PID 4544 wrote to memory of 4292	4544	msedge.exe	86
PID 4544 wrote to memory of 4292	4544	msedge.exe	86
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87
PID 4544 wrote to memory of 3480	4544	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://llaun.ch/installer
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93cf746f8,0x7ff93cf74708,0x7ff93cf74718
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2080387533869611085,6346416982737499865,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
4e9b0d4f7edf40a380543fac73d2f0d7

SHA1
cb1ffc9d75f754162dac003ee405d8968fc4854b

SHA256
00eca14e807100e43c152dfc91fd40f9b6551148f6129124f2e5956b32751709

SHA512
693c5a1900419ea7f5704a296e987bdb51589b012ef2fc42a8d49949d967a31779a27502117fac36da0e8fa0d463884222915d9d2f11c31d326ad4195a8affee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
535B

MD5
3a2d7270f29d75fbf44a1b599fb85aee

SHA1
2403fdfb370864fa556a847b535bcf00aaf46282

SHA256
9bbef9ed95710e9514545dd4aa454e2db21e72bf349d8c9f1c37cb1c6e99d5e0

SHA512
8fe7fae224097498d3c478a8173e887a6db999aed9d5fa8cc3b8af597ad7afd6bf6cd3dcd6684b30f31253ddf6ac58ce355fb984e1903611138e6527f8a9dcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0ee7a8cc1fcc48094881630c6ba45507

SHA1
3fa4a507a249a95918f98ed4cd353b4ac447f883

SHA256
e796c2fa93198fabbfe125d4ca15db899227f3efb89f5b6f3f424ba57f0b6c43

SHA512
004c3f2f7f75c6388aea2be96b2eb01044c35832ea2a39b601ca88e5abebdc22627263b3ac58ce246603f237c7416a88dd14c7a3a40538098b35d263820112cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6525286f7e43825a2c1ed9ba3614275

SHA1
a31327b9da9beb67987cf2836bbf7f467ebcbb7d

SHA256
656e0954a5b01c0c93b81cf6e4ab3eab82587f7f1615b720031ec5b48d89d315

SHA512
eb6e91534ab7f5a9c418606caedff84b1cac6b63807337807b67ff6bcc8250c5a0ff74829d432c3331c667060d6fd90bf609ba91441cf7501ef74e4c8befa0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
6c5f49620cea80c549023c4993238d4c

SHA1
7e467dc74f4923959c5b6602c391dcb78ea998be

SHA256
6baafc1e28b6a61d53578d9cd6811722336fb6e15fcdab4e1900d01c69566a14

SHA512
4df7151e38ea8e9a27ea69a098c02fedf691b58efaf43d4a11b345fbac94443e6ed036d26deed348b223d359f90b3c98474843254080b52eafef6899dd994d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58050c.TMP

Filesize
539B

MD5
1b44276566e6551708dc54116066a5e9

SHA1
e2cf603ee5ce39a84c1cd0a95c8cff6e0d112db2

SHA256
4735fc8c3441952efd09a03e04f496a2b96890c1f4fb74a7d2e2cfd9c853db73

SHA512
a6e62a6227929b3dda8de39fd32365146a1819bae95e42214e179684e41b8c3811ac851e070bc0abf95cb84643e46207f2ec656e573a867edb94cbe20f25f897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bc4656ce40ea4b817d954bea0aba1be

SHA1
db0d39a1a50f14c9784cbad27517bec6eb57c188

SHA256
27a37104a41ca0afb9aa44861eaa2d8722779f3e43531affa3be4ae73b4ffa0a

SHA512
f0b29e9fc37d9324aab37b857006acc247bbf58fd1f785afe55b0acef62f5c61e6985202a81d6e5ff12b4615a26109744894a8d2c8dc22eb753bf69d25e860a6

Download Submit