Analysis
max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
09/11/2024, 19:24 (9 November 2024, dd/mm)
Static task
static1
Behavioral task
behavioral1
Sample
TLauncher.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
TLauncher.exe
Resource
win10v2004-20241007-en
General
Target
TLauncher.exe
Size
2.7MB
MD5
cb027aa142f066c4f4fb9de5ff6ff493
SHA1
70a3ecaae4728c2a97c99f5fc7c12268e349ec91
SHA256
682500d7ea4034f74fc2387b77a7a6cd3d6e06d6bd992ebbbb29978a33d1bd01
SHA512
79a973dfd3c1a860a495672a07f6f17286cdbebe04492117d03cbcf9e3a383b8140102f2e6cf700bdbe9821f0ae93e5fe52c3604c1be593040e9cc64e76e576e
SSDEEP
49152:q2qPl6Dm1WPOQCzCwiKc4ocySSca2d9UM22c5Yw/Vu/8BkRVvw:klq6aOQCuwiKc4ocyj2d6nYdLw
Malware Config
Signatures
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TLauncher.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   IEXPLORE.EXE
The same key is opened by the IE tab process (PID 2144), so on its own this read is consistent with routine locale initialisation rather than targeted geofencing.

Modifies Internet Explorer settings
All writes are made by the iexplore.exe / IEXPLORE.EXE processes the sample launched, not by TLauncher.exe itself, and are the ordinary first-run writes of an IE session under the sandbox user. Every path below is relative to \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer.
description / ioc / Process
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"   iexplore.exe
Key created       TabbedBrowsing   iexplore.exe
Key created       DomainSuggestion   iexplore.exe
Key created       LowRegistry\DontShowMeThisDialogAgain   iexplore.exe
Key created       Toolbar   iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\MFV = (value omitted in this extraction)   iexplore.exe
Key created       BrowserEmulation\LowMic   iexplore.exe
Key created       IntelliForms   iexplore.exe
Key created       Recovery\PendingRecovery   iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"   IEXPLORE.EXE
Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = a00cf377dd32db01   iexplore.exe
Key created       Main   iexplore.exe
Key created       IETld\LowMic   iexplore.exe
Key created       InternetRegistry   iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Set value (int)   SearchScopes\DownloadRetries = "2"   iexplore.exe
Key created       Toolbar\WebBrowser   iexplore.exe
Key created       Recovery\AdminActive   iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"   iexplore.exe
Key created       SearchScopes   iexplore.exe
Key created       TabbedBrowsing\NewTabPage   iexplore.exe
Set value (int)   DomainSuggestion\NextUpdateDate = "437342275"   iexplore.exe
Set value (str)   Main\FullScreen = "no"   iexplore.exe
Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
Key created       Main   IEXPLORE.EXE
Set value (int)   TabbedBrowsing\NTPFirstRun = "1"   iexplore.exe
Key created       GPU   iexplore.exe
Key created       LowRegistry\DOMStorage   iexplore.exe
Key created       PageSetup   iexplore.exe
Set value (int)   Main\CompatibilityFlags = "0"   iexplore.exe
Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000aab1dad796fa8479b2825862b4ee09a1e0eaa1239144515d921df3455ebbc7ec000000000e800000000200002000000071d27f1fb0402e3a386957aa06ff68d26b0e7a8dae98e0db5f3b6218dde062cb20000000f8e6bbba88141d61cb073dc8022f7973421e4d5bf4e83e48db6cb13c72b46e2540000000d346fb9fc644b8701fea38b7a0da9b7e2f6222ccf639f7efa57ccea805a61545ed95d639874974913a3bc1add9b7c4f393e22349fd775b3485845b9df05f7f7c   iexplore.exe
Key created       Main\WindowsSearch   IEXPLORE.EXE
Key created       LowRegistry   iexplore.exe
Key created       Zoom   iexplore.exe
Set value (int)   Recovery\AdminActive\{8D0E1801-9ED0-11EF-9E7F-EE9D5ADBD8E3} = "0"   iexplore.exe
Key created       Main\WindowsSearch   iexplore.exe
Three of these values are binary rather than strings: LastProcessed is a little-endian FILETIME, Window_Placement is a WINDOWPLACEMENT structure (0x2c = 44 bytes), and DecayDateQueue is a DPAPI-protected blob (the leading 01000000 d08c9ddf0115d1118c7a00c04fc297eb is the DPAPI version field and provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}), so it cannot be read without the sandbox user's master key. The AdminActive subkey name is a version-1 (time-based) GUID.
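The binary values above can be decoded offline to date the IE session, which is useful when a report's submission date is written in an ambiguous day/month order as here. The following Python is an added example written for this page, not the sandbox's own tooling: the three hex strings are copied from the IoCs above, and the FILETIME, UUIDv1 and WINDOWPLACEMENT layouts are the documented Windows formats. Both timestamps decode to the evening of 9 November 2024 UTC, a few minutes after the recorded submission time.

```python
"""Decode the binary registry values the sandbox report dumps as hex.

Added example for this report page, not part of the sandbox's own tooling.
The three values below are copied from the 'Modifies Internet Explorer
settings' IoCs; everything else is standard Windows structure layout.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# FILETIME and UUIDv1 timestamps are both 100-ns ticks, but from different epochs.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_V1_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def filetime_from_hex(le_hex: str) -> datetime:
    """Decode a little-endian 8-byte FILETIME as stored in a REG_BINARY value."""
    raw = bytes.fromhex(le_hex)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def uuid_v1_timestamp(guid: str) -> datetime:
    """Recover the creation time embedded in a version-1 (time-based) GUID."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError(f"GUID version {u.version} carries no timestamp")
    # u.time is the 60-bit tick count assembled from time_low/mid/hi.
    return UUID_V1_EPOCH + timedelta(microseconds=u.time // 10)


def window_placement_from_hex(le_hex: str) -> dict:
    """Parse a WINDOWPLACEMENT struct: 3 UINTs, two POINTs, one RECT (44 bytes)."""
    raw = bytes.fromhex(le_hex)
    if len(raw) != 44:
        raise ValueError(f"WINDOWPLACEMENT must be 44 bytes, got {len(raw)}")
    fields = struct.unpack("<IIIiiiiiiii", raw)
    length, flags, show_cmd = fields[:3]
    if length != 44:
        raise ValueError(f"length field {length} does not match struct size")
    return {
        "flags": flags,                # 2 == WPF_RESTORETOMAXIMIZED
        "show_cmd": show_cmd,          # 3 == SW_SHOWMAXIMIZED
        "min_pos": fields[3:5],        # ptMinPosition (x, y); -1,-1 == unset
        "max_pos": fields[5:7],        # ptMaxPosition (x, y)
        "normal_rect": fields[7:11],   # rcNormalPosition: left, top, right, bottom
    }


# Values copied verbatim from the report's IE registry IoCs.
LAST_PROCESSED_HEX = "a00cf377dd32db01"
ADMIN_ACTIVE_GUID = "8D0E1801-9ED0-11EF-9E7F-EE9D5ADBD8E3"
WINDOW_PLACEMENT_HEX = (
    "2c0000000200000003000000ffffffffffffffffffffffffffffffff"
    "2400000024000000aa04000089020000"
)


def decode_report_values() -> dict:
    """Decode all three values so the session timeline can be checked."""
    return {
        "ntp_last_processed": filetime_from_hex(LAST_PROCESSED_HEX),
        "recovery_session_created": uuid_v1_timestamp(ADMIN_ACTIVE_GUID),
        "window_placement": window_placement_from_hex(WINDOW_PLACEMENT_HEX),
    }


if __name__ == "__main__":
    for name, value in decode_report_values().items():
        print(f"{name}: {value}")
```

The GUID timestamp (creation of the AdminActive recovery session) precedes the FILETIME (the new-tab page's LastProcessed) by about a minute, which matches the order in which IE writes those keys on first launch.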
Suspicious use of FindShellTrayWindow 1 IoCs
pid / Process
880   iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid / Process
880    iexplore.exe
880    iexplore.exe
2144   IEXPLORE.EXE
2144   IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs
description / pid / Process / procid_target
PID 1224 wrote to memory of 880    1224   TLauncher.exe   31
PID 1224 wrote to memory of 880    1224   TLauncher.exe   31
PID 1224 wrote to memory of 880    1224   TLauncher.exe   31
PID 1224 wrote to memory of 880    1224   TLauncher.exe   31
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
PID 880 wrote to memory of 2144    880    iexplore.exe    32
Every write here is from a parent into the child it has just created (1224 is the parent of 880, 880 is the parent of 2144 in the process tree below). CreateProcess itself writes the new process's startup data into the child, so this signature fires for any process that launches another; it is not evidence of injection into an unrelated process.
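The distinction just made is mechanical enough to script: join each "wrote to memory of" event to the process tree and keep only writes whose target is not the writer's own direct child. The following Python is an added example for this page, not sandbox code; the eleven event lines and the parent/child edges are copied from the report, and the single extra line marked as constructed is invented solely to show what a genuine cross-process write would look like.

```python
"""Triage 'wrote to memory of' events: creation-time writes vs injection.

Added example for this report page, not sandbox code. CreateProcess itself
writes into the new child (its process parameters and PEB), so any sandbox
flags the parent of a freshly spawned process for WriteProcessMemory. The
event is only worth a second look when the target is not the writer's own
direct child.
"""
import re

# Parent -> child edges copied from the report's process tree (root has None).
PROCESS_TREE = {1224: None, 880: 1224, 2144: 880}

# The eleven events exactly as the report lists them.
REPORT_EVENTS = """\
PID 1224 wrote to memory of 880 1224 TLauncher.exe 31
PID 1224 wrote to memory of 880 1224 TLauncher.exe 31
PID 1224 wrote to memory of 880 1224 TLauncher.exe 31
PID 1224 wrote to memory of 880 1224 TLauncher.exe 31
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
PID 880 wrote to memory of 2144 880 iexplore.exe 32
"""

# Constructed line, NOT in the report: a write from the sample straight into
# the IE tab process, used only to exercise the injection branch.
CONSTRUCTED_INJECTION = "PID 1224 wrote to memory of 2144 1224 TLauncher.exe 32\n"

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_events(text):
    """Yield (writer_pid, target_pid, writer_image) for each matching line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def classify(events, tree):
    """Bucket each distinct (writer, target, image) triple.

    'creation'      : the target's recorded parent is the writer.
    'cross_process' : anything else, including targets missing from the tree.
    """
    buckets = {"creation": set(), "cross_process": set()}
    for writer, target, image in events:
        key = "creation" if tree.get(target) == writer else "cross_process"
        buckets[key].add((writer, target, image))
    return buckets


if __name__ == "__main__":
    for name, triples in classify(parse_events(REPORT_EVENTS), PROCESS_TREE).items():
        print(name, sorted(triples))
```

Deduplicating into sets matters because the sandbox logs one event per hooked NtWriteVirtualMemory call, so a single process launch shows up four to seven times; the triage question is about writer/target pairs, not call counts.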
Processes
C:\Users\Admin\AppData\Local\Temp\TLauncher.exe (PID 1224)
"C:\Users\Admin\AppData\Local\Temp\TLauncher.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (PID 880, child of 1224)
    "C:\Program Files\Internet Explorer\iexplore.exe" http://java-for-minecraft.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2144, child of 880)
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
The only process the sample itself starts is the Internet Explorer frame (PID 880), opened on http://java-for-minecraft.com/. The 32-bit IEXPLORE.EXE (PID 2144) is the tab process IE spawns for that frame (SCODEF:880 names the frame's PID), so the signatures attached to it describe ordinary browser activity, not a second action by TLauncher.exe. Nothing in this run shows the sample writing files, persisting, or contacting anything other than through the browser it launched.
Network
MITRE ATT&CK Enterprise v15
Downloads
The paths recorded are all under AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData, which is CryptoAPI's cache for objects fetched by URL (CRLs, OCSP responses, certificates) during certificate-chain validation; they are written by the low-integrity IE tab process as a side effect of loading the site, not content the sample dropped. The file 94308059B57B3142E455B38A6EB92015 appears eleven times with different hashes because the sandbox captured each rewrite of the same metadata file. The four entries without a path are listed as the extraction left them.

Filesize 914B
MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize 252B
MD5 83f0690476c87494823e7af35949cab4
SHA1 021a4c8285c2e2dbfa427cc60a524f9ea6b29fe9
SHA256 561eeeb0bc5c1ce0f659177f818b1d717aaf971ec19c9ffb80557f4894d7f954
SHA512 48e6a2d10c9d308fe53c7a74d03fe7591f266a1d0d0c58d243bd8e105085b6df5d2bbe338a88b7ed3542d5491a25fa7a569ccb94d7b4f8cc584e4e3e4ed9d4fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 226b5fd26b353e8d30ad7fea2590eeef
SHA1 64f2f09377220ef2f5b92af26d7467ff6ec0c20a
SHA256 4fe03e5793b7ba0fe4fd37b0977d059a2bde81348d8c36863a67c7334e429997
SHA512 e22a0f84c6f944b3597863e2e73fa5ede24fd121138015d563ed3667f8f7c036d93c8777cb981270d5e950a73a8754b9efc908906054de70c2464683b4a9623f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 28394630997f13f92d696909b5252c19
SHA1 d72a8841f467986f004f56cda0e52dc94c195c8a
SHA256 29f2a15df8ffd95885254cf8d44e716eed478825dde3ef2bf4e3343eb289600c
SHA512 6551199302567477dd23d01dbd38440c861f7fe3c7abbe45a8202f771abf7e8e4502b424f0e2735bdc55773e3718b2add1ac20d281bd4f8cc6c1523c0a962164

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f15a72a50b6757f9395384479a2328c6
SHA1 11fd48281f84d171a433207b97cb5bfba934dbb4
SHA256 b5afcd1037c2599310ffb5e0a94284d576b3f011b88671b3c73c035bd2b64bdf
SHA512 ab32a9aa610e91d0401fd172aaf2aab35d111ea362d54d554c200c9fcfd820906b668b7a2ccaa9fc9c7eb0abf05358ddc13cd49f082bf46fa9e9494cfed29fc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cb047b0382225c29c8717d8bd282deb7
SHA1 917addab710ed4e100f7d108d8ea277c422c8cf8
SHA256 fe38898abd256a7f5aab9d201b89c4453952cd7a674088751fb1e3ae5be5ab9c
SHA512 c088cb1880fb9c6b7e370a4ee3e9590104582c89c94c38c9a60d96ce3c645c92029bcf4c05f76a054c8564ca2a38c13a3e3c3beb8788df0770f2e185aaa17e2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 efc55639c243004e002f6dc4ec4c4c8a
SHA1 01ac79f9e0400d2a9393bceeaa67b3763274b615
SHA256 7eea3b72ca623c999e637dd98693b1bea7b676ea07102a8cb5b17c565a97b4c9
SHA512 7ac6249a6e73618bfa9ecf7fcd19d2cf39a737dc0f18e8de33c50ab68998ed095634003b88a841762e1ec91abedd9d0034d2076f503d63098159358c7edef6ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 259bc3b2996efc8321f48229716307b9
SHA1 cbde18b96dae0b7d85304f200926c93e31a50718
SHA256 ce954dfa7ea076d485dd520e0c8e5e672825a2030eb6cedf11e6e48a76d2ff5c
SHA512 6b4a8575e8557afe3ce868c5ca9fa63a62a44b359cfef3a27ec3d38a41435916e225a00a053a3b1f6ff644f20ffc8e727602fe3b70c405a1a7df7327b21a2abd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 65db7ee0c1c2cd3a118d63abc0570ec0
SHA1 c32bcdb5da2d8d3d485a0c69eaca284a1ec373c7
SHA256 b53e806d49e031fe15d33e1de69cfe784cbd2dcb92ac656402cdbb23251b5291
SHA512 e0d6baa37ae9fa8eb738901351207982b07036c416ef6baeb2182b81c5099e26eff18df769ffe55f28f6953829ce9cb57ca3c1387ab22630d9c23512c063c2bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 eb55af77674f5c3f555343e6b12941c2
SHA1 d8d37015b291d762a72ffd9012a1c0e1da065cb2
SHA256 499099f47d31e0f858b4d25e50e8323077360629729edc16996d14549c3d4863
SHA512 1b59839bb4a0280f9d927b29105d7c1aa46e32b39fbc6322f2fbddf80f328b5459892bb4eb11211e0de77a810f5879a57af98e1e0d42817f4a0b9c731898d573

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4b49ce14a474bb39c21dce62abdeda79
SHA1 8655d536d84f52688144ad8d79aac2390099120b
SHA256 fca8d57135d31a14d38970bf51d4a334dc2e8e95c0d07bedee2851dc4612f49d
SHA512 8149c94f1f3b44452e75a487e21800ae3c05ca83cf0040333ecad8c42534bcc58e3a6dff2ca44fed2478ab9299def18f0a683174164f3a6d94e0ec4604cb75e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 899abcaad7cc879118d5711a7e189096
SHA1 4b38c1ff001042a896b8772365487b089828a3d8
SHA256 ef2350b531505db8f68f290773b1c51ec93f9506885a6bf29104c3cf95beb0e4
SHA512 7c14eb117345915c54b7da540402d7c48e85fef33a0ef6a96da81759222c54896b7edbc11f9dc1352fb11c75cde9575b4e666defc62ae65d0f32b198a72ac7f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7dec52c64cdf403b884a62eb6cc83b19
SHA1 6930caf61317e1f41393563079df3684c8d5943b
SHA256 46763cad03afdf811e5da7d9ea51e25df50ddd633a1cd154e1459bf401899c7d
SHA512 351fba8b1b816828777289705392d6342bc7e115c15c99a1a4eec36e1cc6f368e44657825af847de70081e18788ae56bd5f5e5b6ba25eb0cf7b6b889680aafa4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 bbb71d907fbd080498b754ac091e2d9c
SHA1 9ec65d0cfadb91170275665326492ea963a33b07
SHA256 2ce500fbbeb170ae8fd9d3b3207e1fa552314f629a174452f25ac9e759f7fe8a
SHA512 ed1953802f75c368ed77f1781cba51ceafc7682943dfe52c27fc2c8578e34807d376894372d53e2151eab67d1243eb93aee36302e64ad864f5adf3d1bcf412f6

Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b