30c44b9238db71416a891f44814d8ea123d7e1ba25848004702949e53cc3e197

General

Target

LabyModLauncherSetup-latest.exe
Size

117.7MB
MD5

6ae78299a1e88c54f5a30f3b12d15671
SHA1

2691e953792e56943b372aeeb5a1a3882bc18586
SHA256

30c44b9238db71416a891f44814d8ea123d7e1ba25848004702949e53cc3e197
SHA512

a0e6fb945a8cfb8e87915f74a41158214deafe8380b2d4645bb69b6c3de4e3792e34bebcd4fb0c4f455e9534e23c383b5a5fd9338fab22191f20a0d62e4fe834
SSDEEP

3145728:O8Dsa1/m7ngk13YUaaZH5vjmz8K1n3/Tl7MtSxV4C5G8TR:Ow1hkGLaZlO8Q3/Ry+4CM8TR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1660	Update.exe
1532	Squirrel.exe
2700	LabyModLauncher.exe
2652	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2068	LabyModLauncherSetup-latest.exe
1660	Update.exe
1660	Update.exe
1660	Update.exe
2700	LabyModLauncher.exe
1660	Update.exe
2652	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	Update.exe
1660	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1660	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1660	2068	LabyModLauncherSetup-latest.exe	28
PID 2068 wrote to memory of 1660	2068	LabyModLauncherSetup-latest.exe	28
PID 2068 wrote to memory of 1660	2068	LabyModLauncherSetup-latest.exe	28
PID 2068 wrote to memory of 1660	2068	LabyModLauncherSetup-latest.exe	28
PID 1660 wrote to memory of 1532	1660	Update.exe	29
PID 1660 wrote to memory of 1532	1660	Update.exe	29
PID 1660 wrote to memory of 1532	1660	Update.exe	29
PID 1660 wrote to memory of 2700	1660	Update.exe	30
PID 1660 wrote to memory of 2700	1660	Update.exe	30
PID 1660 wrote to memory of 2700	1660	Update.exe	30
PID 1660 wrote to memory of 2652	1660	Update.exe	31
PID 1660 wrote to memory of 2652	1660	Update.exe	31
PID 1660 wrote to memory of 2652	1660	Update.exe	31

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\LabyModLauncher.exe" --squirrel-install 2.1.2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2700
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2528

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
86B

MD5
bd6bb51f03475e76810ec6a411fbc06d

SHA1
7e53fa62048c63e6b033f8dc76d8a2e018d63784

SHA256
39d3afabed45f6351650eea1e6acbfffa19700cd0d60f78b752db77626a69c28

SHA512
2e5300238ac1469a8896280e29b892c0d999b71dc1af227e94711bf0c3b69579921b5f3e2c77f4d3ed31a120b44fa012d1490ecbe11ea113d47452c5895e9527

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C5E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C9F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\Squirrel.exe

Filesize
1.9MB

MD5
ca7946295c0ef5ec80f6eec304ec2637

SHA1
81fd3df8b2d149d0b0341d01e3382ec0ff7aa205

SHA256
f2e664761e9222602654c1057ae675a062d186e28ee04ce8a5d6bdc3786ce8f2

SHA512
d6a7aa984f73c0feed9f50cd731f10dfbfae27f4db48e66d5b81f09ade2ec6b37e79fffc8a2501d5439649e15964f1b65bbeacbd6b9480e7c51fece6fed3ed67

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
e8bd867e8dfd503dbefa0348a908c6ce

SHA1
7fea91d3b533601eadf66b0622cb25721af79562

SHA256
9829b83d6e1dc671258a45ecc6a173db6200f24888c9bc46a6148608f065ddc8

SHA512
6e37083d4d0d19180349aeb717eaba20defcfc64b8dae7e7a0bd4625a61a2a22092f2255306967e23174f4efcc7dfa4ff61a1cb875ce2c5ec3086b14cb43a8d9

Download Submit
\Users\Admin\AppData\Local\labymodlauncher\app-2.1.2\ffmpeg.dll

Filesize
2.8MB

MD5
ff954cfbad17b34df27cb9df061db185

SHA1
88ff2cb302240a233ac97f62e548a45aeffdde59

SHA256
121221e632f5b580a0c5e628bd9381eea1981e0ac720c366ce01c1f5681697b2

SHA512
67fe215233ac2ddb28c6e68494ed2560702d408d6987a6e8bb3cabfc348d6b3756613df7ecbb63cfbe8572749521a8a80938efc9a5117150de440be7bb3f505d

Download Submit
memory/1532-387-0x00000000008A0000-0x0000000000A94000-memory.dmp

Filesize
2.0MB

Download
memory/1660-9-0x0000000000D60000-0x0000000000F36000-memory.dmp

Filesize
1.8MB

Download
memory/1660-394-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing