Analysis

  • max time kernel
    591s
  • max time network
    445s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04/01/2025, 14:25 UTC

General

  • Target

    TLauncher-Installer-1.5.8.exe

  • Size

    24.2MB

  • MD5

    685de3af992c9d24a32af13119fec8e1

  • SHA1

    d00eb98453b6b4206cdc0d72e452fde15d639517

  • SHA256

    fa10e4efecf3aeb583e2edf1e48e1fd92543fd86b7f0d07f7aaf46927e4da214

  • SHA512

    b40831a22b32abf2fa5508e888c3c8aa830801f83af04c4db3438c6f7c843ce7f21c876b9054b9c9586ce96d2fb4d627ac97fc3cb1310f93643dd5c0314f899f

  • SSDEEP

    393216:0hJ7SFBjbX5IwhgCyCArr6of5MJ7ZWqxPAIgtMIMlFRq1k4ZFx3ylu2GXJIcw:0h8FBjbJjhQHrrKJBH5lFRqO4x392cw

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.8.exe
    "C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1776394 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.5.8.exe" "__IRCT:3" "__IRTSS:25358014" "__IRSID:S-1-5-21-3829776853-2076861744-2973657197-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3564

Network

  • DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    dl2.tlauncher.org
    irsetup.exe
    Remote address:
    8.8.8.8:53
    Request
    dl2.tlauncher.org
    IN A
    Response
    dl2.tlauncher.org
    IN A
    104.20.37.13
    dl2.tlauncher.org
    IN A
    104.20.36.13
  • GET
    http://dl2.tlauncher.org/
    irsetup.exe
    Remote address:
    104.20.37.13:80
    Request
    GET / HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Setup Factory 8.0
    Host: dl2.tlauncher.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 14:26:12 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Last-Modified: Sat, 05 May 2018 14:21:02 GMT
    Accept-Ranges: bytes
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8fcbe6fbe8e09467-LHR
    alt-svc: h3=":443"; ma=86400
  • GET
    http://dl2.tlauncher.org/
    irsetup.exe
    Remote address:
    104.20.37.13:80
    Request
    GET / HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Setup Factory 8.0
    Host: dl2.tlauncher.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 14:26:13 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Last-Modified: Sat, 05 May 2018 14:21:02 GMT
    Accept-Ranges: bytes
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8fcbe70269a89467-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
  • GET
    https://dl2.tlauncher.org/check_latest_tl.php
    irsetup.exe
    Remote address:
    104.20.37.13:443
    Request
    GET /check_latest_tl.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Setup Factory 8.0
    Host: dl2.tlauncher.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 04 Jan 2025 14:26:14 GMT
    Content-Type: text/plain;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    content-description: File Transfer
    Cache-Control: no-store
    pragma: public
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8fcbe709d965f668-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS
    13.37.20.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.37.20.104.in-addr.arpa
    IN PTR
    Response
  • DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    fd.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    fd.api.iris.microsoft.com
    IN A
    Response
    fd.api.iris.microsoft.com
    IN CNAME
    fd-api-iris.trafficmanager.net
    fd-api-iris.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com
    iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com
    IN A
    20.199.58.43
  • DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    26.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.73.42.20.in-addr.arpa
    IN PTR
    Response
  Connections (remote address, domain, protocol, process, bytes sent / received, packets sent / received):

  • 104.20.37.13:80, http://dl2.tlauncher.org/, http, irsetup.exe
    1.2kB sent / 1.3kB received, 11 packets sent / 7 received
    HTTP Request: GET http://dl2.tlauncher.org/
    HTTP Response: 200
    HTTP Request: GET http://dl2.tlauncher.org/
    HTTP Response: 200
  • 104.20.37.13:443, https://dl2.tlauncher.org/check_latest_tl.php, tls, http, irsetup.exe
    1.4kB sent / 7.2kB received, 17 packets sent / 13 received
    HTTP Request: GET https://dl2.tlauncher.org/check_latest_tl.php
    HTTP Response: 200
  • 20.199.58.43:443, fd.api.iris.microsoft.com, tls
    624 B sent / 6.5kB received, 9 packets sent / 6 received
  • 8.8.8.8:53, 71.31.126.40.in-addr.arpa, dns
    71 B sent / 157 B received, 1 packet sent / 1 received
    DNS Request: 71.31.126.40.in-addr.arpa
  • 8.8.8.8:53, 209.205.72.20.in-addr.arpa, dns
    72 B sent / 158 B received, 1 packet sent / 1 received
    DNS Request: 209.205.72.20.in-addr.arpa
  • 8.8.8.8:53, dl2.tlauncher.org, dns, irsetup.exe
    63 B sent / 95 B received, 1 packet sent / 1 received
    DNS Request: dl2.tlauncher.org
    DNS Response: 104.20.37.13, 104.20.36.13
  • 8.8.8.8:53, 172.210.232.199.in-addr.arpa, dns
    148 B sent / 128 B received, 2 packets sent / 1 received
    DNS Request: 172.210.232.199.in-addr.arpa
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53, 13.37.20.104.in-addr.arpa, dns
    71 B sent / 133 B received, 1 packet sent / 1 received
    DNS Request: 13.37.20.104.in-addr.arpa
  • 8.8.8.8:53, 228.249.119.40.in-addr.arpa, dns
    73 B sent / 159 B received, 1 packet sent / 1 received
    DNS Request: 228.249.119.40.in-addr.arpa
  • 8.8.8.8:53, 58.55.71.13.in-addr.arpa, dns
    70 B sent / 144 B received, 1 packet sent / 1 received
    DNS Request: 58.55.71.13.in-addr.arpa
  • 8.8.8.8:53, fd.api.iris.microsoft.com, dns
    71 B sent / 199 B received, 1 packet sent / 1 received
    DNS Request: fd.api.iris.microsoft.com
    DNS Response: 20.199.58.43
  • 8.8.8.8:53, 56.163.245.4.in-addr.arpa, dns
    71 B sent / 157 B received, 1 packet sent / 1 received
    DNS Request: 56.163.245.4.in-addr.arpa
  • 8.8.8.8:53, 171.39.242.20.in-addr.arpa, dns
    72 B sent / 158 B received, 1 packet sent / 1 received
    DNS Request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53, 43.58.199.20.in-addr.arpa, dns
    71 B sent / 157 B received, 1 packet sent / 1 received
    DNS Request: 43.58.199.20.in-addr.arpa
  • 8.8.8.8:53, 13.227.111.52.in-addr.arpa, dns
    72 B sent / 158 B received, 1 packet sent / 1 received
    DNS Request: 13.227.111.52.in-addr.arpa
  • 8.8.8.8:53, 26.73.42.20.in-addr.arpa, dns
    70 B sent / 156 B received, 1 packet sent / 1 received
    DNS Request: 26.73.42.20.in-addr.arpa


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

    Filesize

    116KB

    MD5

    e043a9cb014d641a56f50f9d9ac9a1b9

    SHA1

    61dc6aed3d0d1f3b8afe3d161410848c565247ed

    SHA256

    9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

    SHA512

    4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

    Filesize

    1.7MB

    MD5

    eefe16631befb168e10e6693e4dba04a

    SHA1

    b8f03bcd2df7f3031cd3d95a6a883359df4ea72c

    SHA256

    58988dc1a580da642d4cd98eb219bf93170a3a1dc171dd106a7efea2513114be

    SHA512

    7f0fe6c628d7253aacb0696dbee0a6d526c9ede300f0cd3a730e5107ad7f33956093c537e64e68522351945c1d72ba481509b666ddac34fb14e34eac10ae525d

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

    Filesize

    1.8MB

    MD5

    5c9fb63e5ba2c15c3755ebbef52cabd2

    SHA1

    79ce7b10a602140b89eafdec4f944accd92e3660

    SHA256

    54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

    SHA512

    262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

    Filesize

    1.7MB

    MD5

    e12d4c3c6a210393f824304550ff61d9

    SHA1

    ec3a5d0b2691402a1da7a0ee26d7f251a48081fc

    SHA256

    b26810e792dee36944b25183cac167df237333efb738445ec21205bf24419292

    SHA512

    660b8b387d41f39e097cca03234557bea8a0534b1276d7b40fed38469e91fb67bf89cb570dd5c56b20ebe64c79d01b59168bf24ee893613966c4dab41770d4b7

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

    Filesize

    97KB

    MD5

    da1d0cd400e0b6ad6415fd4d90f69666

    SHA1

    de9083d2902906cacf57259cf581b1466400b799

    SHA256

    7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

    SHA512

    f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    1.2MB

    MD5

    3133ad2849911fab93754d7ce2af1666

    SHA1

    3ace2f1f394474d64e9ba7544df42362e6b2fb97

    SHA256

    4a207b020521b0ed9e671e2ed63f995137a60936bcf7aa2b7cfc1a4f56dc7e54

    SHA512

    8bf510655d994c60b87b9684196aecfb0c3de4488683946416d531665243c712b170aaeb151ccdb74d2b57aa2b3d185aaf11dbb99df0cbfcc61dc522cf481f7d

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

    Filesize

    326KB

    MD5

    ecc57f7d6507c2cb63aeb1f9d18210d3

    SHA1

    54fdc4c48690fbc118cadcd119b2c67f5584b4a9

    SHA256

    e6cb42ce5a0245dcaf635cd2950b2811ae5f4990cbc11126e2e8e769556144ab

    SHA512

    1d24e9b2edd9a76df666f643b592c47439b583b96cab6979a6cf0675e4c0d3b8266227d0ebd6df28f4ed3ad6972a4e9b4b9c080ef8e89d25eb5d033b89b828e2

  • memory/3564-686-0x0000000008150000-0x0000000008153000-memory.dmp

    Filesize

    12KB

  • memory/3564-685-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/3564-14-0x0000000000E30000-0x000000000121A000-memory.dmp

    Filesize

    3.9MB

  • memory/3564-711-0x0000000000E30000-0x000000000121A000-memory.dmp

    Filesize

    3.9MB

  • memory/3564-714-0x0000000008150000-0x0000000008153000-memory.dmp

    Filesize

    12KB

  • memory/3564-713-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/3564-738-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/3564-740-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB
