Analysis
- max time kernel: 129s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 07-04-2022 11:34
Behavioral tasks
- behavioral1: sample masterCONFIGURATOR_v2.16.0.1407/Release_Note_masterCONFIGURATOR V2.16.0.1407.pdf, resource win7-20220331-en
- behavioral2: sample masterCONFIGURATOR_v2.16.0.1407/Release_Note_masterCONFIGURATOR V2.16.0.1407.pdf, resource win10v2004-20220331-en
- behavioral3: sample masterCONFIGURATOR_v2.16.0.1407/masterCONFIGURATOR_v2.16.0.1407.exe, resource win7-20220331-en
- behavioral4: sample masterCONFIGURATOR_v2.16.0.1407/masterCONFIGURATOR_v2.16.0.1407.exe, resource win10v2004-20220331-en
General
- Target: masterCONFIGURATOR_v2.16.0.1407/masterCONFIGURATOR_v2.16.0.1407.exe
- Size: 24.8MB
- MD5: c68242aef3fcb3c3026558da41a81e9f
- SHA1: a75f12a5478017257a2efc19255b083d665f3253
- SHA256: 2d0317b2fd26072119aa48686918f6314c730af415074633dc54e3df57db38aa
- SHA512: f1a10f16b5845eb107a80e60cdc81d67e4f6f6440c66ac1b767b1a7eb1eef720e16be8b5a0e2ce634de52898caf0d3d3f0d285dc0b32f84b5cc38a68ab8749f0
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1524 DALIMonitor25.exe
  1352 DALIBusServer25.exe
  1220 DALIBusServer25.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  1744 masterCONFIGURATOR_v2.16.0.1407.exe
  1744 masterCONFIGURATOR_v2.16.0.1407.exe
  1524 DALIMonitor25.exe
  1524 DALIMonitor25.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (14 IoCs)
  Processes (description, ioc, process):
  File created C:\Program Files (x86)\masterConfigurator\msvcr100.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\masterCONFIGURATORUninstall.exe masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\DALITools\DaliBusServer25.exe masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\masterConfigurator.pdf masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\masterConfigurator_de.pdf masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\DALITools\DaliBusAccess25.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\mfc100.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\English.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\DALITools\DALIMonitor.pdf masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\DALITools\DALIMonitor25Uninstall.exe masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\mfc100u.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\masterConfigurator\msvcp100.dll masterCONFIGURATOR_v2.16.0.1407.exe
  File created C:\Program Files (x86)\DALITools\DALIMonitor25.exe masterCONFIGURATOR_v2.16.0.1407.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege 1744 masterCONFIGURATOR_v2.16.0.1407.exe
  Token: SeBackupPrivilege 1744 masterCONFIGURATOR_v2.16.0.1407.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid, process):
  1352 DALIBusServer25.exe
  1352 DALIBusServer25.exe
  1524 DALIMonitor25.exe
  1220 DALIBusServer25.exe
  1220 DALIBusServer25.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
  1352 DALIBusServer25.exe
  1352 DALIBusServer25.exe
  1220 DALIBusServer25.exe
  1220 DALIBusServer25.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid, process):
  1524 DALIMonitor25.exe
  1524 DALIMonitor25.exe
  1352 DALIBusServer25.exe
  1352 DALIBusServer25.exe
  1352 DALIBusServer25.exe
  1220 DALIBusServer25.exe
  1220 DALIBusServer25.exe
  1220 DALIBusServer25.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1524 wrote to memory of 1352 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1352 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1352 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1352 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1220 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1220 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1220 1524 DALIMonitor25.exe DALIBusServer25.exe
  PID 1524 wrote to memory of 1220 1524 DALIMonitor25.exe DALIBusServer25.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744
- C:\Program Files (x86)\DALITools\DALIMonitor25.exe (depth 1)
  Command line: "C:\Program Files (x86)\DALITools\DALIMonitor25.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1524
  - C:\Program Files (x86)\DALITools\DALIBusServer25.exe (depth 2)
    Command line: "C:\Program Files (x86)\DALITools\DALIBusServer25.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 1352
  - C:\Program Files (x86)\DALITools\DALIBusServer25.exe (depth 2)
    Command line: "C:\Program Files (x86)\DALITools\DALIBusServer25.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 1220
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\DALITools\DALIMonitor25.exe
  Filesize: 1.7MB
  MD5: 84882793b0e2f039510a5ae06b2c3935
  SHA1: 68c71606453be14f20e49d74ee667e1318f085f2
  SHA256: 192d335b8d8db977b246e202c2d720205b01e8152c34d6f2bc7300b350b8495a
  SHA512: 0ada02182d47a955bea6991e16fe26bcb3143d9e1f8ac18be99dd08ca88b3b239559d7128a224b1d82b449b9753c2eb9bdb29b6401b50a82b8da2964333576a1
- C:\Program Files (x86)\DALITools\DaliBusAccess25.dll
  Filesize: 1.6MB
  MD5: 1633be013c97f4b39a72a8f5490a42e0
  SHA1: fc4a7a9b8f530d85f717829e9247294025085681
  SHA256: c362ec3907f69e9e6513cb72a48e2758b4d9543b46e46d839dece035a2891d1d
  SHA512: da9a447353226a8af4cea1aa39e1b792635fab26aad27568e4d0077c754354741830c4263f06cee6d6f98a1376dfb1e546f74fa7b9f3edae7548a71089adccbd
- C:\Program Files (x86)\DALITools\DaliBusServer25.exe
  Filesize: 1.7MB
  MD5: 06e2e28a9562fc0bf90372222bb050b7
  SHA1: 41efd6ecdc830c3efc860b74172f756bca6f9857
  SHA256: 5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5
  SHA512: 4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d
- \Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe
  Filesize: 5.6MB
  MD5: 8c23e8f0580ddab062f69a0bb09b0afc
  SHA1: 7e0bc5f3936df9f55ed2d613248adf5db72371bc
  SHA256: 04e90c7e2a8c80a5220c05038b6ac6444aabb7705e9e31c416467e7464540dee
  SHA512: ac477c939442b8d7701a1745acde85b5b025e384e0f394fd1b6ae47a4c17443bbdfbfe41ae186223c5d2ff21dfa466c23ba1bce609e51555b9ca29182845b99b
- memory/1220-67-0x0000000000000000-mapping.dmp
- memory/1352-64-0x0000000000000000-mapping.dmp
- memory/1744-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
  Filesize: 8KB