a40fd46188362e4842174730b24da4cb1716a4a2c7c18e9bde3538a69896dfe9

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LabyModLauncherSetup-latest.exe
Size

104.8MB
MD5

3b55f2916fc143ea77b1c5efbd8c4481
SHA1

e03d2aef3fc01f0b7afb80e690cccc8f6f35f41a
SHA256

a40fd46188362e4842174730b24da4cb1716a4a2c7c18e9bde3538a69896dfe9
SHA512

c01e04e7bbe55bc2af2a37252b04843f15e81e8fd4b452ac3e2184226750867b68c8d0745b5fcc11757200abe4d5c7cbfe09f529a7d8851aec48e01f0c29f9d4
SSDEEP

3145728:vkDIfoDlCY2aGwOouHYIykHhfz3IOuG/ASF+RvFcCd:v6IylVQwOGIhHh73ITqAnDd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2796	Update.exe
1388	Squirrel.exe
2932	LabyModLauncher.exe
1404	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	LabyModLauncherSetup-latest.exe
2796	Update.exe
2796	Update.exe
2796	Update.exe
2932	LabyModLauncher.exe
2796	Update.exe
1404	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2796	Update.exe
2796	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2796	2660	LabyModLauncherSetup-latest.exe	29
PID 2660 wrote to memory of 2796	2660	LabyModLauncherSetup-latest.exe	29
PID 2660 wrote to memory of 2796	2660	LabyModLauncherSetup-latest.exe	29
PID 2660 wrote to memory of 2796	2660	LabyModLauncherSetup-latest.exe	29
PID 2796 wrote to memory of 1388	2796	Update.exe	30
PID 2796 wrote to memory of 1388	2796	Update.exe	30
PID 2796 wrote to memory of 1388	2796	Update.exe	30
PID 2796 wrote to memory of 2932	2796	Update.exe	31
PID 2796 wrote to memory of 2932	2796	Update.exe	31
PID 2796 wrote to memory of 2932	2796	Update.exe	31
PID 2796 wrote to memory of 1404	2796	Update.exe	32
PID 2796 wrote to memory of 1404	2796	Update.exe	32
PID 2796 wrote to memory of 1404	2796	Update.exe	32

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe" --squirrel-install 1.0.32
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2932
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
87B

MD5
28c3b263182c8e697b11f35706671aae

SHA1
943f0db4bdcfe3c1bb8dd50315eed93d16a046b5

SHA256
fe38fb355f1a73e55de807a7b6d0e88f91b11de089967736f5b971ba4a122d9e

SHA512
e94b8a144b5f47a12e2ad39125fafafc140f43e6cbb0223602160e9bee76a744e5392aecb1a2d08edc722760b420cf04847a090a3a5c874f4765e916c220afbf

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
9228aff974a5273ad8b1251f068b5aac

SHA1
e8f1dc23b5f7e036c369eb6b257f2ab8d32a2318

SHA256
71ced51fd6400556ac36914a07faa1752f54f9e87161be13a943f6895cb9d2b4

SHA512
caf766523e8fc18d1438e48da519280dff9cb9c82ffc808668a907da7cb4a5e92ab557571a9b8a2b30db8595284dc96f83d29bdebe83d99745465a8a163c4547

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
9228aff974a5273ad8b1251f068b5aac

SHA1
e8f1dc23b5f7e036c369eb6b257f2ab8d32a2318

SHA256
71ced51fd6400556ac36914a07faa1752f54f9e87161be13a943f6895cb9d2b4

SHA512
caf766523e8fc18d1438e48da519280dff9cb9c82ffc808668a907da7cb4a5e92ab557571a9b8a2b30db8595284dc96f83d29bdebe83d99745465a8a163c4547

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\labymodlauncher-1.0.32-full.nupkg

Filesize
103.8MB

MD5
295d3d1b7268673e99a93f260cd4a2ae

SHA1
75f2c4d05b273e05e66aa4fa6d7753cba8e2761c

SHA256
524c3f03546900df92dd538a7bfbde9526c7549bba7a5e1dc07b2b1ec9d904d4

SHA512
015b18202d7709b1b61302dee89e9d3430c48d7b15c498ef78d465061e3d25bf4f9ead9733c10edd42d82d62b5df17b0742196f4d0afcc8a8d9639d423161906

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE00.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE13.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\Update.exe

Filesize
1.9MB

MD5
b42d5263b3ae9d13daf9a8d981eeb806

SHA1
12a9424153562a5208dc8c345ac0f080cb411613

SHA256
cbca391c03d96a73688a2d2d21a7e853e370c4a41e2bd6675ee70deb035bdb7e

SHA512
9d8fefde71c10340c0b06cfe53a4afd9a2360c37c8047e3e20070f2eb9d6a29784a26c00a624b47110a99b11e09efeb5163b3c1163a557077f9647c12d4194f5

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\Squirrel.exe

Filesize
1.9MB

MD5
b42d5263b3ae9d13daf9a8d981eeb806

SHA1
12a9424153562a5208dc8c345ac0f080cb411613

SHA256
cbca391c03d96a73688a2d2d21a7e853e370c4a41e2bd6675ee70deb035bdb7e

SHA512
9d8fefde71c10340c0b06cfe53a4afd9a2360c37c8047e3e20070f2eb9d6a29784a26c00a624b47110a99b11e09efeb5163b3c1163a557077f9647c12d4194f5

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\ffmpeg.dll

Filesize
2.8MB

MD5
bc84edbce76b06d86a45bb96e5f4fe3c

SHA1
01bdd375eb2c3b8080a15dac1469c910a31ce6e1

SHA256
6bbc7a007c469887478c5d00b021be65b5aab9a0e300235f31030811438c5677

SHA512
7e600f3e74a2271a28ece0a12970c6e3d109a40cfc3b446e8c2831656a1a17eed6d396754b021f10ed787b40e5efcf85fc9448030bcb5a00c3162024a7c2b5f0

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\resources\i18n\uk-UA.json

Filesize
4B

MD5
c443b04d0fc26b0a5a4573a78e0082a1

SHA1
3c957535345645dce7190b85eb10b39da96b2518

SHA256
e3566b3a06430868d71e9287dfd6c6c520a3da027aabea01951d407ee131dc2f

SHA512
7bbf6dac485c9e59d02edabc91ff5b15bc1319cef6905c0077ee16e3b1f572b61bff85f2400bc0f5b4aeab0260bd5d68787d72c7a688d79192952f7957a44de3

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\squirrel.exe

Filesize
1.9MB

MD5
b42d5263b3ae9d13daf9a8d981eeb806

SHA1
12a9424153562a5208dc8c345ac0f080cb411613

SHA256
cbca391c03d96a73688a2d2d21a7e853e370c4a41e2bd6675ee70deb035bdb7e

SHA512
9d8fefde71c10340c0b06cfe53a4afd9a2360c37c8047e3e20070f2eb9d6a29784a26c00a624b47110a99b11e09efeb5163b3c1163a557077f9647c12d4194f5

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\packages\RELEASES

Filesize
87B

MD5
28c3b263182c8e697b11f35706671aae

SHA1
943f0db4bdcfe3c1bb8dd50315eed93d16a046b5

SHA256
fe38fb355f1a73e55de807a7b6d0e88f91b11de089967736f5b971ba4a122d9e

SHA512
e94b8a144b5f47a12e2ad39125fafafc140f43e6cbb0223602160e9bee76a744e5392aecb1a2d08edc722760b420cf04847a090a3a5c874f4765e916c220afbf

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\packages\labymodlauncher-1.0.32-full.nupkg

Filesize
103.8MB

MD5
295d3d1b7268673e99a93f260cd4a2ae

SHA1
75f2c4d05b273e05e66aa4fa6d7753cba8e2761c

SHA256
524c3f03546900df92dd538a7bfbde9526c7549bba7a5e1dc07b2b1ec9d904d4

SHA512
015b18202d7709b1b61302dee89e9d3430c48d7b15c498ef78d465061e3d25bf4f9ead9733c10edd42d82d62b5df17b0742196f4d0afcc8a8d9639d423161906

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
9228aff974a5273ad8b1251f068b5aac

SHA1
e8f1dc23b5f7e036c369eb6b257f2ab8d32a2318

SHA256
71ced51fd6400556ac36914a07faa1752f54f9e87161be13a943f6895cb9d2b4

SHA512
caf766523e8fc18d1438e48da519280dff9cb9c82ffc808668a907da7cb4a5e92ab557571a9b8a2b30db8595284dc96f83d29bdebe83d99745465a8a163c4547

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\LabyModLauncher.exe

Filesize
155.9MB

MD5
548ee69e48e64af01689dfa6a3456220

SHA1
a5bc681b5ad6d86fa772b1c5b64319bff589d766

SHA256
c27010878dabcb272365a3ceb37126699eab5e510e7f80524e70338766a59d7c

SHA512
0dc5c65bdbcebbf918a08d20bf01f4593249a7d33a3eca72f999330b560b2d103afa54a55e15cc3bb7cee886414762020ab96c554ce2a0190760743e0b87c2f3

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\ffmpeg.dll

Filesize
2.8MB

MD5
bc84edbce76b06d86a45bb96e5f4fe3c

SHA1
01bdd375eb2c3b8080a15dac1469c910a31ce6e1

SHA256
6bbc7a007c469887478c5d00b021be65b5aab9a0e300235f31030811438c5677

SHA512
7e600f3e74a2271a28ece0a12970c6e3d109a40cfc3b446e8c2831656a1a17eed6d396754b021f10ed787b40e5efcf85fc9448030bcb5a00c3162024a7c2b5f0

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-1.0.32\ffmpeg.dll

Filesize
2.8MB

MD5
bc84edbce76b06d86a45bb96e5f4fe3c

SHA1
01bdd375eb2c3b8080a15dac1469c910a31ce6e1

SHA256
6bbc7a007c469887478c5d00b021be65b5aab9a0e300235f31030811438c5677

SHA512
7e600f3e74a2271a28ece0a12970c6e3d109a40cfc3b446e8c2831656a1a17eed6d396754b021f10ed787b40e5efcf85fc9448030bcb5a00c3162024a7c2b5f0

Download Submit
memory/1388-168-0x0000000000B00000-0x0000000000CF4000-memory.dmp

Filesize
2.0MB

Download
memory/1388-169-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-179-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-235-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-24-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2796-22-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2796-13-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/2796-33-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2796-31-0x000000001B830000-0x000000001B8B0000-memory.dmp

Filesize
512KB

Download
memory/2796-11-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-10-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-231-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-9-0x00000000008B0000-0x0000000000A86000-memory.dmp

Filesize
1.8MB

Download
memory/2796-32-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download