a57f2de66af4baf12438d25c384d7d6b292a18c2518480c9769ca80009770686

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LabyModLauncherSetup-latest.exe
Size

104.4MB
MD5

3068632f90a35de47318e5800f99492d
SHA1

37091956fed1b38909e7cf654d08d391069c1b3c
SHA256

a57f2de66af4baf12438d25c384d7d6b292a18c2518480c9769ca80009770686
SHA512

ff012b1d940c63f82318c48e3dd8c72f9c6e70c036c44571ee8441f0a846fbfc084924326bc96fe9bcdc308b5c19c9aa7ffea3027fe5e840746df8c2597fdaf0
SSDEEP

3145728:LuMkzNvstvhjLgy4uvQSfePOmLL8nc2sWeo7DaNfYd9Cs:LDkzNEvfza9sn5jPME

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2324	Update.exe
1092	Squirrel.exe
2268	LabyModLauncher.exe
2252	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2532	LabyModLauncherSetup-latest.exe
2324	Update.exe
2324	Update.exe
2324	Update.exe
2268	LabyModLauncher.exe
2324	Update.exe
2252	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	Update.exe
2324	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2324	2532	LabyModLauncherSetup-latest.exe	28
PID 2532 wrote to memory of 2324	2532	LabyModLauncherSetup-latest.exe	28
PID 2532 wrote to memory of 2324	2532	LabyModLauncherSetup-latest.exe	28
PID 2532 wrote to memory of 2324	2532	LabyModLauncherSetup-latest.exe	28
PID 2324 wrote to memory of 1092	2324	Update.exe	31
PID 2324 wrote to memory of 1092	2324	Update.exe	31
PID 2324 wrote to memory of 1092	2324	Update.exe	31
PID 2324 wrote to memory of 2268	2324	Update.exe	32
PID 2324 wrote to memory of 2268	2324	Update.exe	32
PID 2324 wrote to memory of 2268	2324	Update.exe	32
PID 2324 wrote to memory of 2252	2324	Update.exe	33
PID 2324 wrote to memory of 2252	2324	Update.exe	33
PID 2324 wrote to memory of 2252	2324	Update.exe	33

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1092
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe" --squirrel-install 1.0.24
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2268
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
87B

MD5
ae3f33172e9d5fc16add67e9dbb52c99

SHA1
92d1d288d0b85a15a2f232f5db64cbb93171b16f

SHA256
41de3ef31788c60e4537e7cd5c7f829195caee7656581df3880a5d8e1cd735fd

SHA512
4e52ebf2d9fc5b726508cfe01ad7dc2a6d0c259fae852d46beb1b800f78a3b1503e5f849903b4d2913a2423d4c1292751f8339fda38e861abba441b09a4f6fc3

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
62d1e08f4623aca6a146b86b74d06654

SHA1
21414819012b25d60ff0604d709410100e7d77cb

SHA256
90e40375aae7a9763177fb2e2364067420b013f676379f5703b397e34860fb83

SHA512
1eb4e4516c1d0730fc082e8963fd0096b43ecdbb06b0a092ce262c2f0a15041c5a49f960dc85e066250f0e474bb0657da0ffce09b82bdafba9368e5787a6b09f

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
62d1e08f4623aca6a146b86b74d06654

SHA1
21414819012b25d60ff0604d709410100e7d77cb

SHA256
90e40375aae7a9763177fb2e2364067420b013f676379f5703b397e34860fb83

SHA512
1eb4e4516c1d0730fc082e8963fd0096b43ecdbb06b0a092ce262c2f0a15041c5a49f960dc85e066250f0e474bb0657da0ffce09b82bdafba9368e5787a6b09f

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\labymodlauncher-1.0.24-full.nupkg

Filesize
103.5MB

MD5
24576a4e66d66bf768ceba46dda677d0

SHA1
e997a0ef9a3a758ead0919ae350c7ba8eccff4e5

SHA256
0e5b5614b44e04ef3db9d8aaeaa13c93b5d8912eb67a02a89da146b9b46bac7d

SHA512
ad2266ebee6f8b7c1f295c78596864af269209e9e4a7106948f7b9c57223747f34d0183ecc64e04d776630bae60b94f2b31e3802eb845f57745b87dbbc2ce70b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\Update.exe

Filesize
1.9MB

MD5
86429de3e363131c183a62a90355bf77

SHA1
9c5b03b279e03bf01daa96a8769e189287407cf8

SHA256
453b5bda2077d843fde5cd374a5f58034d9c80b69062ec0a80ab9f131b981270

SHA512
b98cbbeb69202041a9ac184bd3f4d7acad5b5dd2a98a390d0be1c4a5278b46a254c15bb721c11685c7193d30f9c8aeae35f3ef6e124235b4973eeda415303479

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\Squirrel.exe

Filesize
1.9MB

MD5
86429de3e363131c183a62a90355bf77

SHA1
9c5b03b279e03bf01daa96a8769e189287407cf8

SHA256
453b5bda2077d843fde5cd374a5f58034d9c80b69062ec0a80ab9f131b981270

SHA512
b98cbbeb69202041a9ac184bd3f4d7acad5b5dd2a98a390d0be1c4a5278b46a254c15bb721c11685c7193d30f9c8aeae35f3ef6e124235b4973eeda415303479

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\ffmpeg.dll

Filesize
2.8MB

MD5
ca436d0f7e2c972a59a1487aef84427e

SHA1
c9f3797706e3f789b10f7640c0a088769afebc72

SHA256
b14c72a64822a34cce20871565742459249bf2657ea80b3450d61053c6c586c9

SHA512
eba8eb15129b3e5371ec484e50847e1ea676ff52c051769ec510cae853a335fe9d12d1a5d74c147641e4fe9e2aeb0251a91fb658fcd06afab6e5f76b42e519ce

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\resources\i18n\nb-NO.json

Filesize
4B

MD5
c443b04d0fc26b0a5a4573a78e0082a1

SHA1
3c957535345645dce7190b85eb10b39da96b2518

SHA256
e3566b3a06430868d71e9287dfd6c6c520a3da027aabea01951d407ee131dc2f

SHA512
7bbf6dac485c9e59d02edabc91ff5b15bc1319cef6905c0077ee16e3b1f572b61bff85f2400bc0f5b4aeab0260bd5d68787d72c7a688d79192952f7957a44de3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\squirrel.exe

Filesize
1.9MB

MD5
86429de3e363131c183a62a90355bf77

SHA1
9c5b03b279e03bf01daa96a8769e189287407cf8

SHA256
453b5bda2077d843fde5cd374a5f58034d9c80b69062ec0a80ab9f131b981270

SHA512
b98cbbeb69202041a9ac184bd3f4d7acad5b5dd2a98a390d0be1c4a5278b46a254c15bb721c11685c7193d30f9c8aeae35f3ef6e124235b4973eeda415303479

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\packages\RELEASES

Filesize
87B

MD5
ae3f33172e9d5fc16add67e9dbb52c99

SHA1
92d1d288d0b85a15a2f232f5db64cbb93171b16f

SHA256
41de3ef31788c60e4537e7cd5c7f829195caee7656581df3880a5d8e1cd735fd

SHA512
4e52ebf2d9fc5b726508cfe01ad7dc2a6d0c259fae852d46beb1b800f78a3b1503e5f849903b4d2913a2423d4c1292751f8339fda38e861abba441b09a4f6fc3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\packages\labymodlauncher-1.0.24-full.nupkg

Filesize
103.5MB

MD5
24576a4e66d66bf768ceba46dda677d0

SHA1
e997a0ef9a3a758ead0919ae350c7ba8eccff4e5

SHA256
0e5b5614b44e04ef3db9d8aaeaa13c93b5d8912eb67a02a89da146b9b46bac7d

SHA512
ad2266ebee6f8b7c1f295c78596864af269209e9e4a7106948f7b9c57223747f34d0183ecc64e04d776630bae60b94f2b31e3802eb845f57745b87dbbc2ce70b

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
62d1e08f4623aca6a146b86b74d06654

SHA1
21414819012b25d60ff0604d709410100e7d77cb

SHA256
90e40375aae7a9763177fb2e2364067420b013f676379f5703b397e34860fb83

SHA512
1eb4e4516c1d0730fc082e8963fd0096b43ecdbb06b0a092ce262c2f0a15041c5a49f960dc85e066250f0e474bb0657da0ffce09b82bdafba9368e5787a6b09f

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\LabyModLauncher.exe

Filesize
155.9MB

MD5
dd2f4aa1bcd850d04aa6bc55de377172

SHA1
b6b0a5116e9e540327b65e0935f13d758d9d1e63

SHA256
cf41f8f7615770000895c0b5cce59a63905fea8a1022f67cdb6cc482da136336

SHA512
835721580b3ce96db8850911b81cae67680d8359fae22a2d69b7bf9aa94c2d302a146ed4354a7f5dd677b4b9495c27a31846c185945c72b551fd3f8902e8bac7

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\ffmpeg.dll

Filesize
2.8MB

MD5
ca436d0f7e2c972a59a1487aef84427e

SHA1
c9f3797706e3f789b10f7640c0a088769afebc72

SHA256
b14c72a64822a34cce20871565742459249bf2657ea80b3450d61053c6c586c9

SHA512
eba8eb15129b3e5371ec484e50847e1ea676ff52c051769ec510cae853a335fe9d12d1a5d74c147641e4fe9e2aeb0251a91fb658fcd06afab6e5f76b42e519ce

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.24\ffmpeg.dll

Filesize
2.8MB

MD5
ca436d0f7e2c972a59a1487aef84427e

SHA1
c9f3797706e3f789b10f7640c0a088769afebc72

SHA256
b14c72a64822a34cce20871565742459249bf2657ea80b3450d61053c6c586c9

SHA512
eba8eb15129b3e5371ec484e50847e1ea676ff52c051769ec510cae853a335fe9d12d1a5d74c147641e4fe9e2aeb0251a91fb658fcd06afab6e5f76b42e519ce

Download Submit
memory/1092-248-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-243-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-215-0x00000000001D0000-0x00000000003C4000-memory.dmp

Filesize
2.0MB

Download
memory/1092-216-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-63-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-189-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/2324-65-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2324-166-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-168-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/2324-244-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-62-0x00000000001D0000-0x00000000003A6000-memory.dmp

Filesize
1.8MB

Download
memory/2324-206-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download