Overview

overview

8

Static

static

1

liquidlaun...US.msi

windows7-x64

6

liquidlaun...US.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2024, 12:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    liquidlauncher_0.2.1_x64_en-US.msi

  • Size

    6.9MB

  • MD5

    93394562e845b91d2795b2c18fe4c451

  • SHA1

    62f10d528e54a6e33e35ef0657a452e73bca036f

  • SHA256

    e3b541059a8d1ddc386fd2a31934148de3574ba80247df751d33c6d8a167b215

  • SHA512

    5fae28e482ea37c4629fbf63dc7698180c19e5d7b66853f7fae63c253e68404eb92af3fa8b02c57c9d15f41443e00ad10edd52c550ee3e8d2f82c3f50eb2b50b

  • SSDEEP

    196608:XcQlpq6HQ4IXRBPT68xVq9YRG9UYvkJYcO:M6XqRZG8vq9YE8O

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\liquidlauncher_0.2.1_x64_en-US.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1152
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 331B8CD4A7DC34B27DB73CE081F89631 C
      2⤵
      • Loads dropped DLL
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2504
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000304" "000000000000057C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2448

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            75KB

            MD5

            2465f30ca7c5e82b514f7046bcc58587

            SHA1

            ebabbe9602882012abb881294f3c9f408ee85be0

            SHA256

            af13197d8c1418bdf4ad72631438976aba4a2c961a6b8877af953416e875070b

            SHA512

            99b672972a97128ff8f59005c40bc249c8eaac4af65135d8ac347f728761b12bfc3e8ead4b5f83d813198434d240816914a6e45a2731cf88cefa666e8ca3366d

            Download Submit

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\liquidlauncher\liquidlauncher.lnk
            Filesize

            2KB

            MD5

            99f487492b77fbf0343de191834fb664

            SHA1

            658c84399a767df070613afd39ef5727c3036f74

            SHA256

            013d012064965f4d953cea44f9ab1777d53ae255850af8ceaa01a6deed55b0c6

            SHA512

            c30bf6cfdab80f6eab4089e5839bc97861e296d8fac53bfddd372e00ab95f1f91344683cca27c19d803746dc5d5a5cf9bf8da46bc5129ebb4e3cd0b8ea38b10b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSI864F.tmp
            Filesize

            113KB

            MD5

            4fdd16752561cf585fed1506914d73e0

            SHA1

            f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

            SHA256

            aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

            SHA512

            3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

            Download Submit

          • C:\Windows\Installer\f76e659.msi
            Filesize

            34KB

            MD5

            e998f8228de623082c568fb063f58582

            SHA1

            de3a65af16a38d14487c8c6c7d75bf123be1f6a5

            SHA256

            dd0bffaa09e01a808d3cf8c9440b2f65fadbc3f3d3c789292ee91cb519c6ffd3

            SHA512

            573490b7c6bbadeddab4269c602b1bce49b1d7785658270fea44798012b74e4d8b830080eca7977126e15512ea38d30bbd77cfbd018dd43e6ce4f65c0e0835a9

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            430KB

            MD5

            fb4a213143568e983da1a07dbc56d755

            SHA1

            bfa55e7bb796d96b08b328bff02b48ec9bec2969

            SHA256

            0dc01558cfd2ac03f4b6f233d1b6d4563f83c3a8a6fe4c1d659f2d844e151a91

            SHA512

            86d39867d5105fdd1b9d9e367b84673ddab00240c8a19f00508245dd4b5e0a82e357f18f69088927adf14e03e2ccc423df4e14d1f0afe913391d986eac692979

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            256KB

            MD5

            83c2b2638d2e996265a1c9eb38c80677

            SHA1

            86d13be7a853c1f0d6b632082a09cc1598d248cf

            SHA256

            38184a6a9a2028092fb41f5449312b3ef29664b4ee92d1c30a94394903804b74

            SHA512

            a2025fb7576ae3b510b62b47390bdf2eca7d5fb8e24e27c934b6cf853c2dd76887cc9895c657cde8531b1112db1ea11062261b38578ba563b6898bb4ce693ea5

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            623KB

            MD5

            499ddf3414f6d435a6f0a4bd3143e688

            SHA1

            8610bc4f759413f8e09de34658438bc5611925f2

            SHA256

            204fe8e0e8f623336b9025b7e68057b994639a0524d55c19da2590efdc1ce198

            SHA512

            bddc6e58a69c0f125971f09f1cc89ce29e70d8a8e5a9be3f1b0779e7a75f68647e7c6733fe68068b5b21accbc6d1869ebda2b077cf6cb29e14b91e14f4ee4506

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            688KB

            MD5

            8ae8214d1275567ad1c47e04bd9be8fe

            SHA1

            48b859366f68bb99fb9e92d7c1a5567b2502a100

            SHA256

            e4a21343db86f8908bddb35a3efac5248c8fadaa91135d5812e2953fa6dc26c4

            SHA512

            30280aae3ea8b745b9c9929e28b158712c475f7dd11fee92330091110b8952f050af36cae3ff158120ad6550b5c763b8570a04d2315d901c66cd1c409f6f7a1e

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            592KB

            MD5

            21aa10f4a7b680b41a8d6f11c4f0a3c7

            SHA1

            ebfe68e90bcc642ac17d8f9441c336f57b9fa825

            SHA256

            9781059f54177f9de3086467655dbbb4d1b400ed13f444c5907c791bb4a2f96f

            SHA512

            1def04c67e3deb739d5cba4cdf50bda0254d59d91b0028c66817d43af02db50e3fc06a2d3e5cc24b8af444deef46715336ca41633f9f91dffcc3b83ee6a713cf

            Download Submit

          • \Program Files\liquidlauncher\liquidlauncher.exe
            Filesize

            519KB

            MD5

            202507ee2022cb2b438df866f49a0ce6

            SHA1

            babc9544a361496d2817e52bdaa6292a268f1d33

            SHA256

            a6dd176494f60fcc8a312ae4b41583a7b68fe7cadfbdbe2094baf8af71e62689

            SHA512

            c6df6bd14391c2f2b765d73884a4cd7bde56bea66a04c01fe209e05016a063154be923f7dd6326b586f548526eba21fcb1de8010585e222610e0335af63a41e0

            Download Submit

          • memory/1796-47-0x00000000028E0000-0x0000000002960000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1796-46-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1796-41-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1796-48-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1796-49-0x00000000028E0000-0x0000000002960000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1796-50-0x00000000028E0000-0x0000000002960000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1796-51-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1796-40-0x000000001B340000-0x000000001B622000-memory.dmp

            Filesize

            2.9MB

            Download