Task list (sandbox score, then the sample name as truncated in the task sidebar; every task ran on windows10-1703-x64):
- 3  Bindu Soft...al.pdf
- 1  Bindu Soft...32.dll
- 1  Bindu Soft...50.dll
- 1  Bindu Soft...b1.exe
- 1  Bindu Soft...or.dll
- 1  Bindu Soft...32.dll
- 1  Bindu Soft...re.exe
- 1  Bindu Soft...nS.exe
- 1  Bindu Soft...ro.exe
- 1  Bindu Soft...OM.dll
- 1  Bindu Soft...32.dll
- 1  Bindu Soft...er.dll
- 1  Bindu Soft...32.dll
- 1  Bindu Soft...ms.dll
- 1  Bindu Soft...60.dll
- 1  Bindu Soft...nt.dll
- 1  Bindu Soft...ev.dll
- 1  Bindu Soft...ws.dll
- 1  Bindu Soft...32.dll
- 3  Bindu Soft...ws.dll
- 1  Bindu Soft...l2.dll
- 1  Bindu Soft...er.dll
- 1  Bindu Soft...ll.dll
- 1  Bindu Soft...32.exe
- 1  Bindu Soft...m2.dll
- 1  Bindu Soft...ty.dll
- 1  Bindu Soft...00.dll
- 1  Bindu Soft...Me.pdf
- 1  Bindu Soft...80.exe
- 7  Bindu Soft...15.exe
- 6  Bindu Soft...53.exe
- 6  Bindu Soft...up.exe
Analysis
- max time kernel: 368s
- max time network: 1608s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16/05/2024, 09:59
Behavioral tasks (task id: sample; every task used resource win10-20240404-en):
- behavioral1: Bindu Software/Colorlab/5100 Software Manual.pdf
- behavioral2: Bindu Software/Colorlab/DAO3032.dll
- behavioral3: Bindu Software/Colorlab/DAO350.dll
- behavioral4: Bindu Software/Colorlab/Lib1.exe
- behavioral5: Bindu Software/Colorlab/Locator.dll
- behavioral6: Bindu Software/Colorlab/MIO32.dll
- behavioral7: Bindu Software/Colorlab/Measure.exe
- behavioral8: Bindu Software/Colorlab/ScanS.exe
- behavioral9: Bindu Software/Colorlab/Spectro.exe
- behavioral10: Bindu Software/Colorlab/USBIOCOM.dll
- behavioral11: Bindu Software/Colorlab/WSC32.dll
- behavioral12: Bindu Software/Colorlab/X5VBDriver.dll
- behavioral13: Bindu Software/Colorlab/XYDRV32.dll
- behavioral14: Bindu Software/Colorlab/comms.dll
- behavioral15: Bindu Software/Colorlab/dao360.dll
- behavioral16: Bindu Software/Colorlab/haspclnt.dll
- behavioral17: Bindu Software/Colorlab/haspdev.dll
- behavioral18: Bindu Software/Colorlab/haspds_windows.dll
- behavioral19: Bindu Software/Colorlab/haspvb32.dll
- behavioral20: Bindu Software/Colorlab/hdinst_windows.dll
- behavioral21: Bindu Software/Colorlab/msxml2.dll
- behavioral22: Bindu Software/Colorlab/parser.dll
- behavioral23: Bindu Software/Colorlab/regression_dll.dll
- behavioral24: Bindu Software/Colorlab/regsvr32.exe
- behavioral25: Bindu Software/Colorlab/usbiocom2.dll
- behavioral26: Bindu Software/Colorlab/utility.dll
- behavioral27: Bindu Software/Colorlab/x2d200.dll
- behavioral28: Bindu Software/Colorlab_Read_Me.pdf
- behavioral29: Bindu Software/HASPUserSetup_7_80.exe
- behavioral30: Bindu Software/HASPUserSetup_8_15.exe
- behavioral31: Bindu Software/HASPUserSetup_8_53.exe
- behavioral32: Bindu Software/setup.exe
General
- Target: Bindu Software/HASPUserSetup_8_15.exe
- Size: 21.0MB
- MD5: 9e95296d454027e9365660a34d89d2d6
- SHA1: 580d6611d3fd5103a2b283f0d7c1846c99c48cae
- SHA256: 9783154b3e678fe812f19c7b0b4e8eed86a7394d6215ad470305ad88d4693b89
- SHA512: cc8b9d3e6f4fcb04caec8c5822a52667cdea355b21941f64db7cb62470add4c2f2283aeb227cb894736963ad82ea0f57fe75d5fd3956534b733c3d510b684a83
- SSDEEP: 393216:Kq4RRYTALrCibyHUNQEt68bmIEVVRO6pnjzR6tV054zAG8AMiM3OI+:KpRRIACVHu4omIETRO6nI0djiAOI+
Malware Config

Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Description: File opened (read-only); the 46 entries grouped by process, each process opening every listed root once:
  - msiexec.exe (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  - MSIEXEC.EXE (23 entries): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Executes dropped EXE (1 IoC)
  - PID 2404, process HASPUserSetup_8_15.exe
- Loads dropped DLL (1 IoC)
  - PID 5008, process MsiExec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  The 64 token entries, deduplicated by process (the report lists several of the PID 2124 privileges two or three times):
  - PID 2124, MSIEXEC.EXE: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 4340, msiexec.exe: SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2124, process MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description: "PID <source> wrote to memory of <target>"; each of the three pairs is recorded three times (source PID, target PID, source process, procid_target):
  - 4696 wrote to memory of 2404, HASPUserSetup_8_15.exe, procid_target 74
  - 2404 wrote to memory of 2124, HASPUserSetup_8_15.exe, procid_target 75
  - 4340 wrote to memory of 5008, msiexec.exe, procid_target 78
Processes (process tree; image path, command line, PID, then the signatures matched for that process)
- Image: C:\Users\Admin\AppData\Local\Temp\Bindu Software\HASPUserSetup_8_15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bindu Software\HASPUserSetup_8_15.exe"
  PID: 4696
  Signatures: Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\{D3E3A5B2-22CA-4B79-9B60-7926EB0BA3B5}\HASPUserSetup_8_15.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{D3E3A5B2-22CA-4B79-9B60-7926EB0BA3B5}\HASPUserSetup_8_15.exe /q"C:\Users\Admin\AppData\Local\Temp\Bindu Software\HASPUserSetup_8_15.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{D3E3A5B2-22CA-4B79-9B60-7926EB0BA3B5}" /IS_temp
    PID: 2404
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{D3E3A5B2-22CA-4B79-9B60-7926EB0BA3B5}\HASP_Setup.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Bindu Software" SETUPEXENAME="HASPUserSetup_8_15.exe"
      PID: 2124
      Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4340
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 03EE4D2E973429628B0B98B5D5A5D80C C
    PID: 5008
    Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 165KB
  MD5: 9ac43e9f162f01eb026d136b819a9e1e
  SHA1: e63f01850981fb921ee15710844ba97cd5dbd664
  SHA256: 1ce5a14e6a556722280b67c6a146dcc0a5a09e7e6a84b3b15ff36f3055ee5eea
  SHA512: 65b6e48c1416c76e9d19e388dee9055345dcc62bf057daec9cd22db210be63076308fe0de1ae4eb311c75a0ba2da51c92414c2962df638941ca01f7f5037ff0e
- Filesize: 21KB
  MD5: a108f0030a2cda00405281014f897241
  SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
  SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
  SHA512: d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298
- Filesize: 21.0MB
  MD5: 9e95296d454027e9365660a34d89d2d6
  SHA1: 580d6611d3fd5103a2b283f0d7c1846c99c48cae
  SHA256: 9783154b3e678fe812f19c7b0b4e8eed86a7394d6215ad470305ad88d4693b89
  SHA512: cc8b9d3e6f4fcb04caec8c5822a52667cdea355b21941f64db7cb62470add4c2f2283aeb227cb894736963ad82ea0f57fe75d5fd3956534b733c3d510b684a83
- Filesize: 20.5MB
  MD5: 444b43c22316577e7b307697e49f0caf
  SHA1: 3589a8c7920ba624916b26c5be359a87b3d50c5a
  SHA256: edc7ce5037bde11b571c565ed70430f928be25ee47d0264e337cb64c8d6f9db8
  SHA512: c32d03f66146acbf676126822ca2a9f0306aa0a1a12523e39a77537b46f64be9afea3e7da1414546a0386f7eac534c2c3cec458c380424c1d3ef3eef7b76a207
- Filesize: 644B
  MD5: 7061b94db6d837f02e6bc8ca117f07f6
  SHA1: 77672f88cb0738a162ac7e0f015bb61707dd9687
  SHA256: be607778a7489ee69b5d97d8e06fe338c23f2ba7910f106a712be7803af2692c
  SHA512: e5e4d253c0f67e1fcec625e1e29c52b59b3b0cd0ca76093538f575e53751621a73a9bf2072c76261d92644c7e44f41c8d00ffcacc82771952d470f190f267927
- Filesize: 5KB
  MD5: 72bfb1892a498d1edd2167a9df514902
  SHA1: c972129a7643e63549f728fe0a6336571b2456eb
  SHA256: ec055886d82cc2e888c452f1ad974586f0a73b162639f9ce2f625f2b9be2adda
  SHA512: f65438740d41ac26ad66d08a149bb4db7e1e8e8ff1774bfe11858dd43212588f46bbbea9f0a10c2c1b9f34d17a099fab7ab310d674589b6470cad80a3e99c9e2