2b8a0655984a8d3fa1c3a6d2a5a30249218773f2abe329f1b6c56fa1ac58ef41

Analysis

max time kernel
222s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

masterCONFIGURATOR_v2.16.0.1407/masterCONFIGURATOR_v2.16.0.1407.exe
Size

24.8MB
MD5

c68242aef3fcb3c3026558da41a81e9f
SHA1

a75f12a5478017257a2efc19255b083d665f3253
SHA256

2d0317b2fd26072119aa48686918f6314c730af415074633dc54e3df57db38aa
SHA512

f1a10f16b5845eb107a80e60cdc81d67e4f6f6440c66ac1b767b1a7eb1eef720e16be8b5a0e2ce634de52898caf0d3d3f0d285dc0b32f84b5cc38a68ab8749f0

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

masterCONFIGURATOR.exeDALIBusServer25.exe

pid process

4952 masterCONFIGURATOR.exe
1628 DALIBusServer25.exe
Loads dropped DLL 5 IoCs

Processes:

masterCONFIGURATOR.exe

pid process

4952 masterCONFIGURATOR.exe
4952 masterCONFIGURATOR.exe
4952 masterCONFIGURATOR.exe
4952 masterCONFIGURATOR.exe
4952 masterCONFIGURATOR.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

Processes:

masterCONFIGURATOR_v2.16.0.1407.exe

description	ioc	process
File created	C:\Program Files (x86)\DALITools\DALIMonitor.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterConfigurator.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\mfc100u.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\msvcr100.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterCONFIGURATORUninstall.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DALIMonitor25.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DaliBusAccess25.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterConfigurator_de.pdf	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DaliBusServer25.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\English.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\mfc100.dll	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\DALITools\DALIMonitor25Uninstall.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe	masterCONFIGURATOR_v2.16.0.1407.exe
File created	C:\Program Files (x86)\masterConfigurator\msvcp100.dll	masterCONFIGURATOR_v2.16.0.1407.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 18 IoCs

Processes:

masterCONFIGURATOR.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnc	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnc\ShellNew	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\ = "masterCONFIGURATOR DALINetwork File"	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\DefaultIcon\ = "C:\\PROGRA~2\\MASTER~1\\MASTER~1.EXE,1"	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\open\command\ = "C:\\PROGRA~2\\MASTER~1\\MASTER~1.EXE \"%1\""	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\print\command	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\print	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\DefaultIcon	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\open	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnc\ = "masterCONFIGURATOR.DALINetwork"	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\open\command	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\print\command\ = "C:\\PROGRA~2\\MASTER~1\\MASTER~1.EXE /p \"%1\""	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\printto\command	masterCONFIGURATOR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\printto	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\masterCONFIGURATOR.DALINetwork\shell\printto\command\ = "C:\\PROGRA~2\\MASTER~1\\MASTER~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	masterCONFIGURATOR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dnc\ShellNew\NullFile	masterCONFIGURATOR.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DALIBusServer25.exe

pid process

1628 DALIBusServer25.exe
1628 DALIBusServer25.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

DALIBusServer25.exe

pid process

1628 DALIBusServer25.exe
1628 DALIBusServer25.exe

pid	process
1628	DALIBusServer25.exe
1628	DALIBusServer25.exe

pid	process
1628	DALIBusServer25.exe
1628	DALIBusServer25.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

masterCONFIGURATOR.exeDALIBusServer25.exe

pid	process
4952	masterCONFIGURATOR.exe
4952	masterCONFIGURATOR.exe
4952	masterCONFIGURATOR.exe
1628	DALIBusServer25.exe
1628	DALIBusServer25.exe
1628	DALIBusServer25.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

masterCONFIGURATOR.exe

description	pid	process	target process
PID 4952 wrote to memory of 1628	4952	masterCONFIGURATOR.exe	DALIBusServer25.exe
PID 4952 wrote to memory of 1628	4952	masterCONFIGURATOR.exe	DALIBusServer25.exe
PID 4952 wrote to memory of 1628	4952	masterCONFIGURATOR.exe	DALIBusServer25.exe

C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe
"C:\Users\Admin\AppData\Local\Temp\masterCONFIGURATOR_v2.16.0.1407\masterCONFIGURATOR_v2.16.0.1407.exe"
1⤵
- Drops file in Program Files directory
PID:4292

C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe
"C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files (x86)\DALITools\DALIBusServer25.exe
"C:\Program Files (x86)\DALITools\DALIBusServer25.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DALITools\DALIBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
C:\Program Files (x86)\DALITools\DaliBusAccess25.dll
Filesize
1.6MB

MD5
1633be013c97f4b39a72a8f5490a42e0

SHA1
fc4a7a9b8f530d85f717829e9247294025085681

SHA256
c362ec3907f69e9e6513cb72a48e2758b4d9543b46e46d839dece035a2891d1d

SHA512
da9a447353226a8af4cea1aa39e1b792635fab26aad27568e4d0077c754354741830c4263f06cee6d6f98a1376dfb1e546f74fa7b9f3edae7548a71089adccbd

Download Submit
C:\Program Files (x86)\DALITools\DaliBusAccess25.dll
Filesize
1.6MB

MD5
1633be013c97f4b39a72a8f5490a42e0

SHA1
fc4a7a9b8f530d85f717829e9247294025085681

SHA256
c362ec3907f69e9e6513cb72a48e2758b4d9543b46e46d839dece035a2891d1d

SHA512
da9a447353226a8af4cea1aa39e1b792635fab26aad27568e4d0077c754354741830c4263f06cee6d6f98a1376dfb1e546f74fa7b9f3edae7548a71089adccbd

Download Submit
C:\Program Files (x86)\DALITools\DaliBusServer25.exe
Filesize
1.7MB

MD5
06e2e28a9562fc0bf90372222bb050b7

SHA1
41efd6ecdc830c3efc860b74172f756bca6f9857

SHA256
5df0897151de9a54463b616c0c3261fa281d3ea28f204d4c26f1da6bd8bd5bd5

SHA512
4b010b8b332f07b164ab4b4004388beb0fb5b5c261cf292609fd49525470927aec3c13456b9dc6d8fcc6aa02b6f0f41512115ab5a21590483680a3f09288a99d

Download Submit
C:\Program Files (x86)\masterConfigurator\English.dll
Filesize
4.7MB

MD5
0cdf95b14b0579170b9b0652f46a33ca

SHA1
f9f760bdaee298a1034ef8669d4bc57c60edd5b6

SHA256
612856ad754e8f02cb44650c37fea78d430c0bd14a5d523cfaaa62a760370eab

SHA512
ee8dbeb2b473ddec2a67fed0ad40b4ceb4ed8ce939f9275ce80382e0691ae18e3d8c81ca66df92eff69642b6212721e14914b78c2bb2bffdf7690ec57b023460

Download Submit
C:\Program Files (x86)\masterConfigurator\English.dll
Filesize
4.7MB

MD5
0cdf95b14b0579170b9b0652f46a33ca

SHA1
f9f760bdaee298a1034ef8669d4bc57c60edd5b6

SHA256
612856ad754e8f02cb44650c37fea78d430c0bd14a5d523cfaaa62a760370eab

SHA512
ee8dbeb2b473ddec2a67fed0ad40b4ceb4ed8ce939f9275ce80382e0691ae18e3d8c81ca66df92eff69642b6212721e14914b78c2bb2bffdf7690ec57b023460

Download Submit
C:\Program Files (x86)\masterConfigurator\MSVCP100.dll
Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Program Files (x86)\masterConfigurator\MSVCR100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe
Filesize
5.6MB

MD5
8c23e8f0580ddab062f69a0bb09b0afc

SHA1
7e0bc5f3936df9f55ed2d613248adf5db72371bc

SHA256
04e90c7e2a8c80a5220c05038b6ac6444aabb7705e9e31c416467e7464540dee

SHA512
ac477c939442b8d7701a1745acde85b5b025e384e0f394fd1b6ae47a4c17443bbdfbfe41ae186223c5d2ff21dfa466c23ba1bce609e51555b9ca29182845b99b

Download Submit
C:\Program Files (x86)\masterConfigurator\masterCONFIGURATOR.exe
Filesize
5.6MB

MD5
8c23e8f0580ddab062f69a0bb09b0afc

SHA1
7e0bc5f3936df9f55ed2d613248adf5db72371bc

SHA256
04e90c7e2a8c80a5220c05038b6ac6444aabb7705e9e31c416467e7464540dee

SHA512
ac477c939442b8d7701a1745acde85b5b025e384e0f394fd1b6ae47a4c17443bbdfbfe41ae186223c5d2ff21dfa466c23ba1bce609e51555b9ca29182845b99b

Download Submit
C:\Program Files (x86)\masterConfigurator\mfc100.dll
Filesize
4.1MB

MD5
07bccdcc337d393d7db0b2f8fe200b3f

SHA1
5a02b227cb0a22a8e7884cd138c3e8568d083d94

SHA256
bf38dda13b938b49a4df72b6477342373ee6e151be12c25cb0c17662fcb4bcd4

SHA512
e5637727a549cf7b88f13474097a71200f0dfa511ecd55c5a42e5f53e9f86ce8b7ce763448830fd073e232876f7537bad96f2ced8d3159558778460264d07639

Download Submit
C:\Program Files (x86)\masterConfigurator\mfc100.dll
Filesize
4.1MB

MD5
07bccdcc337d393d7db0b2f8fe200b3f

SHA1
5a02b227cb0a22a8e7884cd138c3e8568d083d94

SHA256
bf38dda13b938b49a4df72b6477342373ee6e151be12c25cb0c17662fcb4bcd4

SHA512
e5637727a549cf7b88f13474097a71200f0dfa511ecd55c5a42e5f53e9f86ce8b7ce763448830fd073e232876f7537bad96f2ced8d3159558778460264d07639

Download Submit
C:\Program Files (x86)\masterConfigurator\msvcp100.dll
Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Program Files (x86)\masterConfigurator\msvcr100.dll
Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
memory/1628-142-0x0000000000000000-mapping.dmp

Download