Malware analysis PrismLauncher-Windows-MSVC-Setup-6.1.exe Malicious activity

Add for printing

File name:	PrismLauncher-Windows-MSVC-Setup-6.1.exe
Full analysis:	https://app.any.run/tasks/4b597de2-8d99-47bf-b286-9bdc975378f5
Verdict:	Malicious activity
Analysis date:	August 02, 2024, 15:51:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	3A9E82A34241CC1074B5ACDBA96DE397
SHA1:	753FAC5C5E7AA94A026465C148354AA50E980A2A
SHA256:	9915886397DCDC3AB005E677C7ECAA2227F107E953A6CE3F0FE9DA5AA24E99BA
SSDEEP:	196608:b1Zq/twK7Yaj7Ig0mZGj7UECKD0yFBNkQmQT:b1Zq/tz7YEZ0j2KD0yjNzmQT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
SUSPICIOUS
- Executable content was dropped or overwritten
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Malware-specific behavior (creating "System.dll" in Temp)
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- The process creates files with name similar to system file names
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Uses TASKKILL.EXE to kill process
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Creates a software uninstall entry
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
INFO
- Reads the computer name
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Checks supported languages
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Create files in a temporary directory
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)
- Creates files or folders in the user directory
  - PrismLauncher-Windows-MSVC-Setup-6.1.exe (PID: 6496)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:09:25 21:57:46+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	186880
UninitializedDataSize:	2048
EntryPoint:	0x352d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.1.0.0
ProductVersionNumber:	6.1.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
FileDescription:	Prism Launcher Installer
FileVersion:	6.1.0.0
LegalCopyright:	Prism Launcher Contributors\nÂ© 2021-2022 PolyMC Contributors \nÂ© 2012-2021 MultiMC Contributors
ProductName:	Prism Launcher
ProductVersion:	6.1.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

122

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6496

"C:\Users\admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-6.1.exe"

C:\Users\admin\AppData\Local\Temp\PrismLauncher-Windows-MSVC-Setup-6.1.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Prism Launcher Installer

Exit code:

Version:

6.1.0.0

Modules

Images
c:\users\admin\appdata\local\temp\prismlauncher-windows-msvc-setup-6.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6584

TaskKill /IM prismlauncher.exe /F

C:\Windows\SysWOW64\taskkill.exe

—

PrismLauncher-Windows-MSVC-Setup-6.1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6592

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

taskkill.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

3 592

Read events

3 567

Write events

Delete events

Modification events


(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PrismLauncher
Operation:	write	Name:	InstallDir
Value: C:\Users\admin\AppData\Local\Programs\PrismLauncher
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	DisplayName
Value: Prism Launcher
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\PrismLauncher\prismlauncher.exe
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\PrismLauncher\uninstall.exe"
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\PrismLauncher\uninstall.exe" /S
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\PrismLauncher
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	Publisher
Value: Prism Launcher Contributors
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	Version
Value: 6.1.0.0
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	DisplayVersion
Value: 6.1
(PID) Process:	(6496) PrismLauncher-Windows-MSVC-Setup-6.1.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrismLauncher
Operation:	write	Name:	VersionMajor
Value: 6

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Temp\nse52A1.tmp\nsDialogs.dll		executable
		MD5:6C3F8C94D0727894D706940A8A980543	SHA256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Temp\nse52A1.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Temp\nse52A1.tmp\System.dll		executable
		MD5:CFF85C549D536F651D4FB8387F1976F2	SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Core.dll		executable
		MD5:7EB1E9956AB6A6EB41D7EBB48F073527	SHA256:D037DD5176F7A404CD42DEC2F6E172BC0938D431039E023080CBB1E6E0E62485
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Gui.dll		executable
		MD5:6478C16E7FB5CDD73DB8D9459F2202E0	SHA256:78285161C08AAB7ECE80C2AB8E34A1F1455D07B368DB88FD26B8C52352D28757
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Svg.dll		executable
		MD5:E25AA9BB3DF70191F7C5A569D2B75915	SHA256:125E0BAFABAE04FA8E0EF3FF6EDEA2AF90807DC10CE6952789DD3B8E5E51E1ED
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\imageformats\qsvg.dll		executable
		MD5:C887002B0A8E938DC91F250B70E3CCC9	SHA256:FA0313A5E685B3315BF29608E80748D28BEA7924230522843FE5EE0ACAA2C543
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Network.dll		executable
		MD5:1D3E8947DFE774292FF86BE36D75F584	SHA256:6CD325C8EA7CC757260D288C49BF362092DA0159AA45685E774EF8B9E448E30F
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Widgets.dll		executable
		MD5:FB4F282DA22FF082FDAA957698C079B1	SHA256:226E112BCB5A00F576DB2278C993D4BAD299826C3AECBAB1ABBFA9F6D281D850
6496	PrismLauncher-Windows-MSVC-Setup-6.1.exe	C:\Users\admin\AppData\Local\Programs\PrismLauncher\Qt6Xml.dll		executable
		MD5:31BA9D5365004CCB0F8662BCDF59D702	SHA256:7D06F78EF2435708113465B04BC30666CAD3C67A246DC4D412C1BD673F6A3C00

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

PrismLauncher-Windows-MSVC-Setup-6.1.exe

3A9E82A34241CC1074B5ACDBA96DE397

753FAC5C5E7AA94A026465C148354AA50E980A2A

9915886397DCDC3AB005E677C7ECAA2227F107E953A6CE3F0FE9DA5AA24E99BA

196608:b1Zq/twK7Yaj7Ig0mZGj7UECKD0yFBNkQmQT:b1Zq/tz7YEZ0j2KD0yjNzmQT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Uses TASKKILL.EXE to kill process

Creates a software uninstall entry

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings