Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 19:28
Behavioral task behavioral1
- Sample: !果核剥壳 - 全网更新最快.url
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: !果核剥壳 - 全网更新最快.url
- Resource: win10v2004-20241007-en
Behavioral task behavioral3
- Sample: CLaunch_v4.0.4_32Bit_Setup.exe
- Resource: win7-20240903-en
Behavioral task behavioral4
- Sample: CLaunch_v4.0.4_32Bit_Setup.exe
- Resource: win10v2004-20241007-en
General
- Target: CLaunch_v4.0.4_32Bit_Setup.exe
- Size: 1.8MB
- MD5: 54480f90931211f14061588f00a38ed8
- SHA1: f865afe8f124073073d72cea375feabcac3b9074
- SHA256: e34c26fc7fa6a25bd951619491bd0f0a6debcc38a2f5163ed2dbb00451ebe3b0
- SHA512: b4d3832b095711e0abe072acd134c148062ea2f73a47e7a6c3bbdba0a4a3f18ce6944cf601502c380df317a53902f16b6bb07a1156429fda86104e815b43c650
- SSDEEP: 24576:5cBGvXirzmR4EJEM8rmlXtYpaQWQ82U5khl40i1Lbpq1a3Bk1uT/fzx:/XiE0K1t7+zi1Lb13Bk1wfV
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  3056 | setup.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  2384 | CLaunch_v4.0.4_32Bit_Setup.exe
  2384 | CLaunch_v4.0.4_32Bit_Setup.exe
  2384 | CLaunch_v4.0.4_32Bit_Setup.exe
  2384 | CLaunch_v4.0.4_32Bit_Setup.exe
  3056 | setup.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (32 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\CLaunch\Docs\CLaunch_ja.chm | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Docs\CLaunch_ja.chm | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Language.ini | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Language.ini | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Spanish.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Skins\Vista-style.zip | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\ClAdmin.exe | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\English.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Spanish.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Skins\Solid Black.zip | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Skins\Vista-style.zip | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Chinese_t.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Docs\CLaunch_en.chm | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Setup.exe | setup.exe
  File created | C:\Program Files (x86)\CLaunch\ClHook.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\ClAdmin.exe | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Chinese.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Skins\Glass.zip | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Skins\Glass.zip | setup.exe
  File created | C:\Program Files (x86)\CLaunch\CLaunch.exe | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Korean.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Korean.dll | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\Russian.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\CLaunch.exe | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Setup.exe | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Docs\CLaunch_en.chm | setup.exe
  File created | C:\Program Files (x86)\CLaunch\Languages\English.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\ClHook.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Chinese_t.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Russian.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Skins\Solid Black.zip | setup.exe
  File opened for modification | C:\Program Files (x86)\CLaunch\Languages\Chinese.dll | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CLaunch_v4.0.4_32Bit_Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 3056 | setup.exe
  Token: SeRestorePrivilege | 3056 | setup.exe
  Token: SeBackupPrivilege | 3056 | setup.exe
  Token: SeRestorePrivilege | 3056 | setup.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
  PID 2384 wrote to memory of 3056 | 2384 | CLaunch_v4.0.4_32Bit_Setup.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\CLaunch_v4.0.4_32Bit_Setup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CLaunch_v4.0.4_32Bit_Setup.exe"
  PID: 2384
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~CLaunch_v4.0.4_32Bit_Setup.exe\setup.exe (depth 2, child of PID 2384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~CLaunch_v4.0.4_32Bit_Setup.exe\setup.exe"
    PID: 3056
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: 7ab6b4f92404df446a28bbadca915062
  SHA1: 837cf40b429fb7225f09ac000bbdb66c1a5b045a
  SHA256: 1f6c50da7042f0b55e1ba7e09264d3313a8d033259b8d3cb960ed6b16fad888f
  SHA512: ebca6f7eafdf71fbc5e1875a3d7aef653fc0677890e8c42a55aa5458ffbbf25c6443a8d2f3e44ee1346427745f2b3d640a665689e4f792a2056c851366b7237a
- Filesize: 144KB
  MD5: 8b6dc6ea1f2f025cdc786fee9cf72bb8
  SHA1: 1385a5fc3373efc3189b188316415435aa3777dc
  SHA256: defe49de8a56a35af7109b0edeadff13ad6aaedb38d6754cc7af8672d25ed72e
  SHA512: e188a2dbb901321ccbbba43b6218e6d2c8b9a13c2b91d88f0d3cf6f43880f295cf636fa97c16ae9a3ca02cafe37a6f0246dca240ca426e168315501e955115c0
- Filesize: 18KB
  MD5: 3b943c8e146c28ef23770b4bcb4e1b1e
  SHA1: 1fb1675f048a6dfecf38e9c1d144adbd497cf1cc
  SHA256: f481d0971913b8382e363ba21c4995b861063a38a2c26f9b3faa20846ed00bfc
  SHA512: a84b91a2da6d5c33ff898b7e3eb606e3fdb8663fede0ff498a95728eeab705a9687669af4cdfa28248eace9ea615371e098d2602d48413fa6f568c28f1c830be
- Filesize: 22KB
  MD5: b1d11a0e05a30766a19cdcb669ef140f
  SHA1: 970712d951eac2cd7e5e3e79e0694b5b5b6101ca
  SHA256: f483b36404ca48e86ef8a9c2353a69774b3e506e57e97a14a1c9393a8193bcc1
  SHA512: 5f675dec0908ca334323e923fcac62b0603bbca1801eff04b94dc79ac595320bfabccca7c78560c3601bd64b9e0fd21c0d6ffd6f7b5f7a68c1892ebc435e972f
- Filesize: 970KB
  MD5: 92642a29ac1e5344adba7f359f4b027f
  SHA1: a8c6c68c231e202220fdb922f3bb87b787df6e1a
  SHA256: 1233508594ec70e604d6b5ed0a31dbc49021123b811ed1fd72d38934f61ce195
  SHA512: 9b2935e0a81b507dca7a91e02ef7e2dbd54c8075e90fcfb995b369afff27666b1146d9a385377c9707b712d369fcf20fe086a331286c2a65061bc0960d9f31ad
- Filesize: 100KB
  MD5: 128351cc939df45b8c36f556e797c82e
  SHA1: 4601db67a6ba316a11eef43beda3f833dc795cd7
  SHA256: 58f4e77115976010eed4cee481b910f928b3f8b4e67d4b7d1adff1a0e0aac49f
  SHA512: a260353413da0c76279870ccfafb13e4314bcd0972128985128bae79b35db38ce9f70c5ae21cee55649096c71d22184c76b9cf75d4c60567e56c2bb091b1a965
- Filesize: 93KB
  MD5: e57badcdab32d4adf1d8d68cbc2acd06
  SHA1: bae2ff80bf04331456e3904a784fe8029094c8d1
  SHA256: 0be6b179cbb452616ce3b828e8d207f6693b5763d93ca50194ec6d2744b057e6
  SHA512: a9c1e8bdd4bb6306fd5c7d494f274f09fe5797bc52c60e1288f7bb09b9f15690eef077f95b7a1a58cf16ab00c8096f2577a78475ce8525786ad4061206e76851
- Filesize: 296KB
  MD5: 9d41f99aaf945634b9b73169cc0fc82e
  SHA1: 80164234ee85287d4e1ea94bf20f1b76d7411927
  SHA256: da6e54b354a95a90661b713ead1f62c597d368276242b48cbf56287434dcfadd
  SHA512: 27505ff03afecead3cf576392cac929f21cf88e4eedf95a231470f81996bd2c70359ba867230e9e90330f42da783fc5791f2488d2937f73e63cbbd745d0f88a2
- Filesize: 328KB
  MD5: ca29dfa10fe1b8dbc12b45364af33f18
  SHA1: c9e599b2cea93f1585ffdf5a45ad4de52c271278
  SHA256: 586ca0d164a2611870a62f12e0452bd09025efc03340904a030347586f80ff40
  SHA512: a1985678a33698c6190a09b8986765242657f48d409ad137ee508f516923439137a34b6ec7f43ed5afaf3f8ba895124b02a2012b12824e2e34bc77b9760347ce
- Filesize: 115KB
  MD5: ee709bd544cf6dee9c804d85c53d35f4
  SHA1: 2ada1c46fd740bd52c7aacacf2953e787ec3558b
  SHA256: ad3c58385f26ec8f87040c474ceb372a7323def350d088ea878112f44c94abef
  SHA512: 6ea9dc95f3330b710054ec6a31081d4e5c41fb377f6e0347070a5b5d8c18a7d65cd4c837aee19ca0a31ce68acd2fe9c303d4f57cb152689c3f3a5bea11e7aea1
- Filesize: 118KB
  MD5: 6ef531f8f59bc7bf2bb2664702b7d155
  SHA1: e6e0220075b9dfaf773b0106a0ce1885be863126
  SHA256: 6a14c61709f2cab5354032e547f61302b1c5beb7e38f9ebcbfa3aa514030d946
  SHA512: a23d176fcf8cdaa342e03148f4b1a68e6577466efb65fc7421db455274132310afa2761e69a58badde34dca7cf9ea9b3426043be72a3741a7476bf156e7deeb1
- Filesize: 119KB
  MD5: 73bb3a4b84d17f40b8308f45afaad7a7
  SHA1: d9b6459aa1b561fafda764ec91110aa6d5fdce53
  SHA256: a706f32a3b55c6f226e56d144b37754ea07f4a3e69b055b3253174a895bc0169
  SHA512: ccdd47985dec82bf24a7514db8df605b1faeca65f7dff4cedf6b48defdf9de1662f0ff367d1eab1cedbc5826c31df26110dbe3d86a9dba2c7dbd882a473b659e
- Filesize: 3KB
  MD5: 06207469b4aaaa298793e796f615c696
  SHA1: 540452d3b383dcf4551178c32fbfcd3d445eec80
  SHA256: 46403b7b5e394569d5f4034fb4c7281eb6ee881e4d897c45dd447cb08d7ed240
  SHA512: 52f812874d1fd0b344f794d4dfa531fb30bfa3e604d6d37fe49df953e2c14d3791f19345291c98a4574e8a2a2517d27dbc0ff3b4d3aa9974b6349fc7f06e23e6
- Filesize: 170KB
  MD5: 19d9735f791e35894e2ac444dc7f0660
  SHA1: 1a0c9ac76ce26ee96edfe81de3e41d33f2d24ec1
  SHA256: 00c8fafb1785050756496155bf6a6f070d965b0ceeec6ed2cbc41fdc52e09ace
  SHA512: 1a2e639eec221a79be1966956b494850ba33ac114d68e38a57cdbef784346a930181d313f456c325a014e051f928489529901289b0c8205efe528077968249eb
- Filesize: 59KB
  MD5: b02daf92c40ec61e3cf1f45f1e3ca594
  SHA1: 2e08b2ad8189ecb7c1bde82121e15bffef769f8a
  SHA256: 5055d3f3e129bd19166a88ced9a0701ae6e4fc7e6c75a0fd20e29ac13354abc3
  SHA512: 7bf8e97c2d378073f8e7c51645ae0f2a1a9cfb0616b47eda865adb7927775bd6ce9d2a8dd0cdfbb32644260aaa020ec3e09a1b53fe3d3b85f458f617f46217db
- Filesize: 138KB
  MD5: 0dc89a0461c29bd2dcefcd6f25d9ae39
  SHA1: 5a34df0f8047e488dfa3dd816557fc1a11e62c6e
  SHA256: aa8be1cf26040eb620eec8e26294ee938d1059ef815865459c64dda88a7a19da
  SHA512: a370d66c03f1b7e80838ef102a944ee301d504f66cb8114fb03f79717edf26361ed864aabaf7497bdf01b1314cd6b87d66c1c7db7e8a18ed0a41c42850cc45e6