293e7015eb183738e9fb581c65a371416a9c5e33bd737e103737f12b1717c3ab

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lghub_installer.exe
Size

39.9MB
MD5

fbd53bfe5fda8370e557b8f88dd55c44
SHA1

2b955e43a39c8e662bcd0e2d831631f492414617
SHA256

293e7015eb183738e9fb581c65a371416a9c5e33bd737e103737f12b1717c3ab
SHA512

fe34e88b7e270240eeb990acff53b8a21a01647c107d61f41d792c08f287b5f961e828542609dc8c59a691346327f57f51a7873b7b6c68b9dd0d8fdda9170dde
SSDEEP

786432:e0R9hbEpttD7yBG/4M3OW+upttD7yBG/PcXU9g5y:e0RzEpttD7y0/pnpttD7y0/0XUm5y

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	lghub_installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 4 IoCs

pid	Process
2476	vc_redist.x64.exe
1040	vc_redist.x64.exe
804	vc_redist.x86.exe
5100	vc_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
1040	vc_redist.x64.exe
5100	vc_redist.x86.exe
3216	lghub_installer.exe
3216	lghub_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3216	lghub_installer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 2476	3216	lghub_installer.exe	90
PID 3216 wrote to memory of 2476	3216	lghub_installer.exe	90
PID 3216 wrote to memory of 2476	3216	lghub_installer.exe	90
PID 2476 wrote to memory of 1040	2476	vc_redist.x64.exe	91
PID 2476 wrote to memory of 1040	2476	vc_redist.x64.exe	91
PID 2476 wrote to memory of 1040	2476	vc_redist.x64.exe	91
PID 3216 wrote to memory of 804	3216	lghub_installer.exe	92
PID 3216 wrote to memory of 804	3216	lghub_installer.exe	92
PID 3216 wrote to memory of 804	3216	lghub_installer.exe	92
PID 804 wrote to memory of 5100	804	vc_redist.x86.exe	93
PID 804 wrote to memory of 5100	804	vc_redist.x86.exe	93
PID 804 wrote to memory of 5100	804	vc_redist.x86.exe	93

C:\Users\Admin\AppData\Local\Temp\lghub_installer.exe
"C:\Users\Admin\AppData\Local\Temp\lghub_installer.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Temp\{01337076-BD2B-43B6-9BD0-5BDD6753E8A0}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{01337076-BD2B-43B6-9BD0-5BDD6753E8A0}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe" -burn.filehandle.attached=564 -burn.filehandle.self=560 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1040
- C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\Temp\{0E9B428C-E3C0-4146-BE75-E9A0F408E67B}\.cr\vc_redist.x86.exe
    "C:\Windows\Temp\{0E9B428C-E3C0-4146-BE75-E9A0F408E67B}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe" -burn.filehandle.attached=548 -burn.filehandle.self=540 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LGHUB\next.json

Filesize
724KB

MD5
19a28b1a96f8e89ece6f64588a298dab

SHA1
035c6ff0561d60ce8a89c4a393081065d4bb3443

SHA256
895f5a32261187c4814e89f903b1276ebc168a6ddca3133e246f467e9ab98bca

SHA512
83c14426dbbc22fc76665a4b631e7a609816ffab9a1e67009356ce687c9972350a40aab4b00ee481cd962766f407d37f960a162195c9920d9c1cc49c91a70604

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e74-93a8-eb30-b62d.decompressed

Filesize
2.7MB

MD5
e00163185ff4fefd1c093f951ba2c4b8

SHA1
0379ea1eead64f51b82bec52077b2b53cd969e6d

SHA256
1d6b169d607acf54f0aec33b3dc781fd0c5c1c7de43207202cb53dd38ea14791

SHA512
bb923c65c207582b223c9e9c561471699d993d78821199603e69562a5749bdf6e6cdcb862966910f647db287d8b41a76b288310419561691927d25347bf5c70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b380-8e3b-3b79-825a.decompressed

Filesize
64KB

MD5
2b5ddcfb8f0ca90a311bb7022773e2a2

SHA1
6ce2c1bfc5feb7c2c7596d73f63ec37a22e0b3e7

SHA256
ad410042a2ad772e45085d80aecf2063055762dfac253d4a01c377777da0b829

SHA512
121e11df525c2ba28b0b5338ef284776425368427172a49980c2c34afd3f63658b2196a32c294afefa92928ab69f93ec5b0bbb7403b419bc9fb8323fd4f04b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba57-e19d-6e3f-0ebc.decompressed

Filesize
47KB

MD5
40e0e1194935f765376c314769a03de5

SHA1
4cf3c092cc197d2f4ffa690cac7e67712f7a9749

SHA256
1fe379605cd6883b2811fd089f1691a8b9a272ec6f693737823df2a73cf5f36d

SHA512
b6db72581d26317696425d7008e8da902d603fbe82bae4a332f634f9edb8683f2254a3358609292f7589b21159e8253734d25a7a19ca15f15ffc30c872cc174d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1a5-3f1d-027f-615a.decompressed

Filesize
9.3MB

MD5
d68fb32073c002a725600d81368bf7bd

SHA1
62f65b3270269a1da1b238c4f7a943473abb3226

SHA256
35c8d04f7dea53977d8c64d0d4c39acc048a2c0a0b57e6c3dc21b96942f9d3f0

SHA512
db47c190200dc569e243853e20e4ca5ac719cf13349359c7466aca54474cc8172795af165ed1c65eb77e2dc4296b9c5eed7560d72730cd8a08de78c3d6292c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\logi_codecs_shared.dll

Filesize
538KB

MD5
b1b044e7db3051d8611b9eec4d8e6f23

SHA1
0f3a60b6fbfad1774fb266e1a56949f21450f4bf

SHA256
993d3cf3ce3f1d1f8ff35e3f9961e5d7b8667cd22994ce926024e19a415e7441

SHA512
e2159f5f24560ba623c6b20519c2619fe4a6f4d3097f01f31ac59231d9380a728ac93e0dc3a8d18b6258a98e7214ab1d1645006770f05715ff30b39ead441a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\logi_installer_shared.dll

Filesize
2.6MB

MD5
6c14685f02d318af19f7b5b981e80777

SHA1
7abc5cd90f63b4499d5c5e59f2e00fd29cba930b

SHA256
5586ba7dc00dd3ea60d536a4b9edc26480d36aa5b0a2ecf338c3a95fd69c0117

SHA512
f519fadf7a0f8fb5283ffe76770d59684c328d2b07f72a0fcee6f79b46e76f4f8633e666ed29b5bf4d3f09b0e58eab514fb5b1e428cedee3937c5fd88146a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe

Filesize
5.3MB

MD5
4a1c708c1e9cf5b9bbd7ab6bbf45573f

SHA1
49ce4b6b32a465e39ed0462e9bd42c3f5dcfb531

SHA256
5dc47a262e009d3aede9d2328be9643fa737a9466461f06871967fa12026bbfb

SHA512
6823dd06298969499cd0897deb19edacddaf662bea8fa0f55ca3d7a33cb78eccc8e8e7c4b229d039f90ef79f00d54fe3fed1154f8a1b58e62c5e054315151327

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe

Filesize
4.9MB

MD5
bdeecc4dc5b4f24026e6e152461aa342

SHA1
bdc1586359287bbbcef8ecd5bea2d3aa8f34d0bc

SHA256
95bf3b09004110270a3153b0530259bc8bb6f55d9fc36c72b25a65dade75b1ac

SHA512
1f2746cd398266e77aead1156ec2577b388b3c1dc0e6649610727b890505cc8312bd5e9fdd69b2e2193af1f920e00a62ca50a55aa1b59dcb83dd224c22ca3419

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x64.exe

Filesize
5.9MB

MD5
440c642e6c7a508b3ae2a1f0ee0f0377

SHA1
b19037a3075323dc8dbff260229e2b19d1507af8

SHA256
eea93fcd2f0e28f2cb9b2542649febe48c567d0bafeae0336bbf7944f492992e

SHA512
875e71e4b3bf1cf9405ab07bf1918b45fb02eb0e5c2624bee8441eed6d9a39161cce3b7529780fe2e0bdd09e9237a22d52190f17518d9cc6e225be25586c3091

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe

Filesize
2.8MB

MD5
c2337312f56e01b0d8bdee0d1b938cba

SHA1
5c712d8b11a9056e2dd4b5ea846e53469e7ef6e9

SHA256
7921bed7d130245b72cc2da25dd4442950239665ee6c89c537206d391c3fad61

SHA512
f3a4914daee4d1a2b94bc849726125eb37ea44fed1b3ff50d24b743c26e58422cca1bfcd2c3b26fed0290ff4adeb6deaac85cd871b449883854ec3c586ea375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe

Filesize
2.8MB

MD5
1a87d9ff3e4971e3a6b7f4aaf106ead9

SHA1
e7566cf75dea8235339ba0d223658a5737eeb6f1

SHA256
07d769cc396fb05cd00edf23a56f330611d8832d07afed102b29569ab223b929

SHA512
d6c4c12d844aa7828df810881aec8d2e97741cfe3c09c86dbb86cd282f0f1fc4758e80657e740e00a98a5c57605d38368002785408d1737935d06d3e7244c995

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-y2iaxi5h.3ql\vc_redist.x86.exe

Filesize
3.2MB

MD5
752cef0aead3b11c1bf8c719f04e5f1d

SHA1
93deb173ac94efd9baf6fc4e3ed029ec2a8530b1

SHA256
43b3c275f63de32514144cf83433d35a8948c3796c665d1ca76b21dc0994c4ca

SHA512
549ab6bb3ddb9144e133bed0800c569b69af9d819cae5630c04e31939c54cbd5e65fa2604298282bcd5956f757fb9a751d3381dc80240cb8c26af06d15bfb371

Download Submit
C:\Windows\Temp\{01337076-BD2B-43B6-9BD0-5BDD6753E8A0}\.cr\vc_redist.x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{0E9B428C-E3C0-4146-BE75-E9A0F408E67B}\.cr\vc_redist.x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
C:\Windows\Temp\{72AD8A6E-896D-4D17-8FF1-A70CA89E7CC2}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{72AD8A6E-896D-4D17-8FF1-A70CA89E7CC2}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/3216-194-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-197-0x000002DDFF940000-0x000002DDFF94E000-memory.dmp

Filesize
56KB

Download
memory/3216-196-0x000002DDFFC10000-0x000002DDFFC48000-memory.dmp

Filesize
224KB

Download
memory/3216-198-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-199-0x00007FFF6DC80000-0x00007FFF6E741000-memory.dmp

Filesize
10.8MB

Download
memory/3216-200-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-201-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-202-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-203-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-204-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-193-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-0-0x00007FFF6DC80000-0x00007FFF6E741000-memory.dmp

Filesize
10.8MB

Download
memory/3216-195-0x000002DDFF930000-0x000002DDFF938000-memory.dmp

Filesize
32KB

Download
memory/3216-2-0x000002DD9A330000-0x000002DD9A340000-memory.dmp

Filesize
64KB

Download
memory/3216-1-0x000002DDFD0A0000-0x000002DDFF87E000-memory.dmp

Filesize
39.9MB

Download