0dfc9627816b72691bec2cb22609dedaf6600d04591fba4b171a3c16ebd4b981

General

Target

LabyModLauncherSetup-latest.exe
Size

117.8MB
MD5

7f27e58482ba0dfe4c3792b907fe3157
SHA1

5c620695d5c22d6a41caf33ade5f04275dc5143c
SHA256

0dfc9627816b72691bec2cb22609dedaf6600d04591fba4b171a3c16ebd4b981
SHA512

b8f674317646ca4e47489d43b006f3f9937e5c1adbb8864d3362bf778a77e79eb974070ce203a20d43d45573463ce4f0a18c1b8e66cdc6c291ab27cd3d320754
SSDEEP

1572864:sJuCHOAm/coUV8fo6BeOuEGhqPJGkf3/m88LMMxdJsxS7DSAVGY/IP+zQ06ngWOt:sUI6u8OxqSI+J37GA0d+z4vhmr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2968	Update.exe
864	Squirrel.exe
2524	LabyModLauncher.exe
3008	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
1028	LabyModLauncherSetup-latest.exe
2968	Update.exe
2968	Update.exe
2968	Update.exe
2524	LabyModLauncher.exe
2968	Update.exe
3008	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	Update.exe
2968	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2968	1028	LabyModLauncherSetup-latest.exe	28
PID 1028 wrote to memory of 2968	1028	LabyModLauncherSetup-latest.exe	28
PID 1028 wrote to memory of 2968	1028	LabyModLauncherSetup-latest.exe	28
PID 1028 wrote to memory of 2968	1028	LabyModLauncherSetup-latest.exe	28
PID 2968 wrote to memory of 864	2968	Update.exe	29
PID 2968 wrote to memory of 864	2968	Update.exe	29
PID 2968 wrote to memory of 864	2968	Update.exe	29
PID 2968 wrote to memory of 2524	2968	Update.exe	30
PID 2968 wrote to memory of 2524	2968	Update.exe	30
PID 2968 wrote to memory of 2524	2968	Update.exe	30
PID 2968 wrote to memory of 3008	2968	Update.exe	31
PID 2968 wrote to memory of 3008	2968	Update.exe	31
PID 2968 wrote to memory of 3008	2968	Update.exe	31

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe" --squirrel-install 2.1.5
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2524
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
86B

MD5
edb49ae6d05888ff01614ee3209c023f

SHA1
9902cef5c9533bd13bb093e9a71e1f6bf77c4603

SHA256
73d6a59d025f3c93978186beb27448cc9d38b3b3a06f5d01c4be3744664e8f24

SHA512
3f64a70a11e950da46a7de840c0617acee024a4a80671f345dcf74df71fd45e478abe0483833f7fe47e9045ccca0ec8b35da81fac9965dbe51bf238ffa6b41a5

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BDF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\ffmpeg.dll

Filesize
2.8MB

MD5
94aca096ac1762ed185bf3086d0eee6f

SHA1
59aacdfc27903b3b44ca62cbebb1f5bc2c0a078b

SHA256
d5dfd6e0b3414e4765904b06824e68f8d626cea8a20a4e05551fda068d6a6fed

SHA512
fb8b8a98c8cba0abb8b4b2620c2b357b16db9d6ab9609ab6675e9f83c9b9dcec25b626ad3f919c0186fcdc324ca28c4ac98baabad66421d0763ac913d64d8b38

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.5\squirrel.exe

Filesize
1.9MB

MD5
fc1b7cfa8f901954a1b49ef13fa01013

SHA1
fcfa707e43c491e6bd078d0f0e9b136f69941af3

SHA256
000770caadd9d3c0ce95da9743bf182129f0c7bec5e3013bca6620f0dc894861

SHA512
e762a19338183930f6c559b5dca622a602317fb399411a14b094d9c048aff893af14d6a77fa6210036eae9f251d09c0a72d6e7b1c9f46424422a5ae1e675a6a7

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
1aebd7aae95aa53067e2ea36fc644bc6

SHA1
da51deb35df39106101aea2cb9782f5b384b52ba

SHA256
852be1352542a3b93060e1a915c444bbb6d410e4cd3a89d133dd48c8599869c3

SHA512
8d05595e47018155a39231ce57043130c91b2615c732c113e944d468fae77a5d12ceec2705f624bda51fc84845c40a88421700b168291a5fff4f245c656d7294

Download Submit
memory/864-392-0x0000000001060000-0x0000000001254000-memory.dmp

Filesize
2.0MB

Download
memory/2968-9-0x0000000000A30000-0x0000000000C06000-memory.dmp

Filesize
1.8MB

Download
memory/2968-410-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing