4e391f6288ee119660df3a6dcd7c817673ad59b31f5123c24477b4edc16b2508

Analysis

max time kernel
129s
max time network
47s
platform
windows7_x64
resource
win7-20220331-en
submitted
07-04-2022 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

masterCONFIGURATOR_v2.16.0.1407/masterCONFIGURATOR_v2.16.0.1407.exe
Size

24.8MB
MD5

c68242aef3fcb3c3026558da41a81e9f
SHA1

a75f12a5478017257a2efc19255b083d665f3253
SHA256

2d0317b2fd26072119aa48686918f6314c730af415074633dc54e3df57db38aa
SHA512

f1a10f16b5845eb107a80e60cdc81d67e4f6f6440c66ac1b767b1a7eb1eef720e16be8b5a0e2ce634de52898caf0d3d3f0d285dc0b32f84b5cc38a68ab8749f0

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

DALIMonitor25.exeDALIBusServer25.exeDALIBusServer25.exe

pid process

1524 DALIMonitor25.exe
1352 DALIBusServer25.exe
1220 DALIBusServer25.exe
Loads dropped DLL 4 IoCs

Processes:

masterCONFIGURATOR_v2.16.0.1407.exeDALIMonitor25.exe

pid process

1744 masterCONFIGURATOR_v2.16.0.1407.exe
1744 masterCONFIGURATOR_v2.16.0.1407.exe
1524 DALIMonitor25.exe
1524 DALIMonitor25.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1744	masterCONFIGURATOR_v2.16.0.1407.exe
1744	masterCONFIGURATOR_v2.16.0.1407.exe
1524	DALIMonitor25.exe
1524	DALIMonitor25.exe

Drops file in Program Files directory 14 IoCs

Processes:

masterCONFIGURATOR_v2.16.0.1407.exe

description	ioc	process
File created	C:\Program Files (x86)\masterConfigurator\msvcr100.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterCONFIGURATORUninstall.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DaliBusServer25.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterConfigurator.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterConfigurator_de.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DaliBusAccess25.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\mfc100.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\English.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DALIMonitor.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DALIMonitor25Uninstall.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\mfc100u.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\msvcp100.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DALIMonitor25.exe	masterCONFIGURATOR_v2.16.0.1407.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

masterCONFIGURATOR_v2.16.0.1407.exe

description pid process

Token: SeRestorePrivilege 1744 masterCONFIGURATOR_v2.16.0.1407.exe
Token: SeBackupPrivilege 1744 masterCONFIGURATOR_v2.16.0.1407.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

DALIBusServer25.exeDALIMonitor25.exeDALIBusServer25.exe

pid process

1352 DALIBusServer25.exe
1352 DALIBusServer25.exe
1524 DALIMonitor25.exe
1220 DALIBusServer25.exe
1220 DALIBusServer25.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

DALIBusServer25.exeDALIBusServer25.exe

pid process

1352 DALIBusServer25.exe
1352 DALIBusServer25.exe
1220 DALIBusServer25.exe
1220 DALIBusServer25.exe

description	pid	process
Token: SeRestorePrivilege	1744	masterCONFIGURATOR_v2.16.0.1407.exe
Token: SeBackupPrivilege	1744	masterCONFIGURATOR_v2.16.0.1407.exe

pid	process
1352	DALIBusServer25.exe
1352	DALIBusServer25.exe
1524	DALIMonitor25.exe
1220	DALIBusServer25.exe
1220	DALIBusServer25.exe

pid	process
1352	DALIBusServer25.exe
1352	DALIBusServer25.exe
1220	DALIBusServer25.exe
1220	DALIBusServer25.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

DALIMonitor25.exeDALIBusServer25.exeDALIBusServer25.exe

pid	process
1524	DALIMonitor25.exe
1524	DALIMonitor25.exe
1352	DALIBusServer25.exe
1352	DALIBusServer25.exe
1352	DALIBusServer25.exe
1220	DALIBusServer25.exe
1220	DALIBusServer25.exe
1220	DALIBusServer25.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DALIMonitor25.exe

description	pid	process	target process
PID 1524 wrote to memory of 1352	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1352	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1352	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1352	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1220	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1220	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1220	1524	DALIMonitor25.exe	DALIBusServer25.exe
PID 1524 wrote to memory of 1220	1524	DALIMonitor25.exe	DALIBusServer25.exe

C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe
"C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Program Files (x86)\DALITools\DALIMonitor25.exe
"C:\Program Files (x86)\DALITools\DALIMonitor25.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Program Files (x86)\DALITools\DALIBusServer25.exe
"C:\Program Files (x86)\DALITools\DALIBusServer25.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Program Files (x86)\DALITools\DALIBusServer25.exe
"C:\Program Files (x86)\DALITools\DALIBusServer25.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1220

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DALITools\DALIMonitor25.exe
Filesize
1.7MB

MD5
84882793b0e2f039510a5ae06b2c3935

SHA1
68c71606453be14f20e49d74ee667e1318f085f2

SHA256
192d335b8d8db977b246e202c2d720205b01e8152c34d6f2bc7300b350b8495a

SHA512
0ada02182d47a955bea6991e16fe26bcb3143d9e1f8ac18be99dd08ca88b3b239559d7128a224b1d82b449b9753c2eb9bdb29b6401b50a82b8da2964333576a1

Download Submit
C:\Program Files (x86)\DALITools\DALIMonitor25.exe
Filesize
1.7MB

MD5
84882793b0e2f039510a5ae06b2c3935

SHA1
68c71606453be14f20e49d74ee667e1318f085f2

SHA256
192d335b8d8db977b246e202c2d720205b01e8152c34d6f2bc7300b350b8495a

SHA512
0ada02182d47a955bea6991e16fe26bcb3143d9e1f8ac18be99dd08ca88b3b239559d7128a224b1d82b449b9753c2eb9bdb29b6401b50a82b8da2964333576a1

Download Submit
C:\Program Files (x86)\DALITools\DaliBusAccess25.dll
Filesize
1.6MB

MD5
1633be013c97f4b39a72a8f5490a42e0

SHA1
fc4a7a9b8f530d85f717829e9247294025085681

SHA256
c362ec3907f69e9e6513cb72a48e2758b4d9543b46e46d839dece035a2891d1d

SHA512
da9a447353226a8af4cea1aa39e1b792635fab26aad27568e4d0077c754354741830c4263f06cee6d6f98a1376dfb1e546f74fa7b9f3edae7548a71089adccbd

Download Submit
C:\Program Files (x86)\DALITools\DaliBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
C:\Program Files (x86)\DALITools\DaliBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
C:\Program Files (x86)\DALITools\DaliBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
\Program Files (x86)\DALITools\DALIMonitor25.exe
Filesize
1.7MB

MD5
84882793b0e2f039510a5ae06b2c3935

SHA1
68c71606453be14f20e49d74ee667e1318f085f2

SHA256
192d335b8d8db977b246e202c2d720205b01e8152c34d6f2bc7300b350b8495a

SHA512
0ada02182d47a955bea6991e16fe26bcb3143d9e1f8ac18be99dd08ca88b3b239559d7128a224b1d82b449b9753c2eb9bdb29b6401b50a82b8da2964333576a1

Download Submit
\Program Files (x86)\DALITools\DaliBusAccess25.dll
Filesize
1.6MB

MD5
1633be013c97f4b39a72a8f5490a42e0

SHA1
fc4a7a9b8f530d85f717829e9247294025085681

SHA256
c362ec3907f69e9e6513cb72a48e2758b4d9543b46e46d839dece035a2891d1d

SHA512
da9a447353226a8af4cea1aa39e1b792635fab26aad27568e4d0077c754354741830c4263f06cee6d6f98a1376dfb1e546f74fa7b9f3edae7548a71089adccbd

Download Submit
\Program Files (x86)\DALITools\DaliBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe
Filesize
5.6MB

MD5
8c23e8f0580ddab062f69a0bb09b0afc

SHA1
7e0bc5f3936df9f55ed2d613248adf5db72371bc

SHA256
04e90c7e2a8c80a5220c05038b6ac6444aabb7705e9e31c416467e7464540dee

SHA512
ac477c939442b8d7701a1745acde85b5b025e384e0f394fd1b6ae47a4c17443bbdfbfe41ae186223c5d2ff21dfa466c23ba1bce609e51555b9ca29182845b99b

Download Submit
memory/1220-67-0x0000000000000000-mapping.dmp

Download
memory/1352-64-0x0000000000000000-mapping.dmp

Download
memory/1744-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads