0dfc9627816b72691bec2cb22609dedaf6600d04591fba4b171a3c16ebd4b981

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LabyModLauncherSetup-latest.exe
Size

117.8MB
MD5

7f27e58482ba0dfe4c3792b907fe3157
SHA1

5c620695d5c22d6a41caf33ade5f04275dc5143c
SHA256

0dfc9627816b72691bec2cb22609dedaf6600d04591fba4b171a3c16ebd4b981
SHA512

b8f674317646ca4e47489d43b006f3f9937e5c1adbb8864d3362bf778a77e79eb974070ce203a20d43d45573463ce4f0a18c1b8e66cdc6c291ab27cd3d320754
SSDEEP

1572864:sJuCHOAm/coUV8fo6BeOuEGhqPJGkf3/m88LMMxdJsxS7DSAVGY/IP+zQ06ngWOt:sUI6u8OxqSI+J37GA0d+z4vhmr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Update.exeSquirrel.exeLabyModLauncher.exeLabyModLauncher.exe

pid process

2356 Update.exe
2676 Squirrel.exe
2744 LabyModLauncher.exe
2504 LabyModLauncher.exe
Loads dropped DLL 7 IoCs

Processes:

LabyModLauncherSetup-latest.exeUpdate.exeLabyModLauncher.exeLabyModLauncher.exe

pid process

2036 LabyModLauncherSetup-latest.exe
2356 Update.exe
2356 Update.exe
2356 Update.exe
2744 LabyModLauncher.exe
2356 Update.exe
2504 LabyModLauncher.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Update.exe

pid process

2356 Update.exe
2356 Update.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Update.exe

description pid process

Token: SeDebugPrivilege 2356 Update.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Update.exe

pid process

2356 Update.exe

pid	process
2356	Update.exe
2676	Squirrel.exe
2744	LabyModLauncher.exe
2504	LabyModLauncher.exe

pid	process
2036	LabyModLauncherSetup-latest.exe
2356	Update.exe
2356	Update.exe
2356	Update.exe
2744	LabyModLauncher.exe
2356	Update.exe
2504	LabyModLauncher.exe

pid	process
2356	Update.exe
2356	Update.exe

description	pid	process
Token: SeDebugPrivilege	2356	Update.exe

pid	process
2356	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

LabyModLauncherSetup-latest.exeUpdate.exe

description	pid	process	target process
PID 2036 wrote to memory of 2356	2036	LabyModLauncherSetup-latest.exe	Update.exe
PID 2036 wrote to memory of 2356	2036	LabyModLauncherSetup-latest.exe	Update.exe
PID 2036 wrote to memory of 2356	2036	LabyModLauncherSetup-latest.exe	Update.exe
PID 2036 wrote to memory of 2356	2036	LabyModLauncherSetup-latest.exe	Update.exe
PID 2356 wrote to memory of 2676	2356	Update.exe	Squirrel.exe
PID 2356 wrote to memory of 2676	2356	Update.exe	Squirrel.exe
PID 2356 wrote to memory of 2676	2356	Update.exe	Squirrel.exe
PID 2356 wrote to memory of 2744	2356	Update.exe	LabyModLauncher.exe
PID 2356 wrote to memory of 2744	2356	Update.exe	LabyModLauncher.exe
PID 2356 wrote to memory of 2744	2356	Update.exe	LabyModLauncher.exe
PID 2356 wrote to memory of 2504	2356	Update.exe	LabyModLauncher.exe
PID 2356 wrote to memory of 2504	2356	Update.exe	LabyModLauncher.exe
PID 2356 wrote to memory of 2504	2356	Update.exe	LabyModLauncher.exe

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\Squirrel.exe
"C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
3⤵
- Executes dropped EXE
PID:2676

C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe
"C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe" --squirrel-install 2.1.5
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744

C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe
"C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe" --squirrel-firstrun
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
Filesize
86B

MD5
edb49ae6d05888ff01614ee3209c023f

SHA1
9902cef5c9533bd13bb093e9a71e1f6bf77c4603

SHA256
73d6a59d025f3c93978186beb27448cc9d38b3b3a06f5d01c4be3744664e8f24

SHA512
3f64a70a11e950da46a7de840c0617acee024a4a80671f345dcf74df71fd45e478abe0483833f7fe47e9045ccca0ec8b35da81fac9965dbe51bf238ffa6b41a5

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif
Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico
Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\squirrel.exe
Filesize
1.9MB

MD5
fc1b7cfa8f901954a1b49ef13fa01013

SHA1
fcfa707e43c491e6bd078d0f0e9b136f69941af3

SHA256
000770caadd9d3c0ce95da9743bf182129f0c7bec5e3013bca6620f0dc894861

SHA512
e762a19338183930f6c559b5dca622a602317fb399411a14b094d9c048aff893af14d6a77fa6210036eae9f251d09c0a72d6e7b1c9f46424422a5ae1e675a6a7

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
Filesize
1.8MB

MD5
1aebd7aae95aa53067e2ea36fc644bc6

SHA1
da51deb35df39106101aea2cb9782f5b384b52ba

SHA256
852be1352542a3b93060e1a915c444bbb6d410e4cd3a89d133dd48c8599869c3

SHA512
8d05595e47018155a39231ce57043130c91b2615c732c113e944d468fae77a5d12ceec2705f624bda51fc84845c40a88421700b168291a5fff4f245c656d7294

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\ffmpeg.dll
Filesize
2.8MB

MD5
94aca096ac1762ed185bf3086d0eee6f

SHA1
59aacdfc27903b3b44ca62cbebb1f5bc2c0a078b

SHA256
d5dfd6e0b3414e4765904b06824e68f8d626cea8a20a4e05551fda068d6a6fed

SHA512
fb8b8a98c8cba0abb8b4b2620c2b357b16db9d6ab9609ab6675e9f83c9b9dcec25b626ad3f919c0186fcdc324ca28c4ac98baabad66421d0763ac913d64d8b38

Download Submit
memory/2356-9-0x0000000000AB0000-0x0000000000C86000-memory.dmp

Filesize
1.8MB

Download
memory/2356-382-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2356-383-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2356-412-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2676-392-0x0000000000240000-0x0000000000434000-memory.dmp

Filesize
2.0MB

Download