151c49f3dd25931feef73b10908d3c0572454c28a4bd70bd1d3a2b54b55c3796

General

Target

LabyModLauncherSetup-latest.exe
Size

118.5MB
MD5

46ad74bc8b64feb99a251d9c98907f27
SHA1

c5c977fe2e5a04679074436b102b5315ac9b615e
SHA256

151c49f3dd25931feef73b10908d3c0572454c28a4bd70bd1d3a2b54b55c3796
SHA512

7c84d364f08b8dee560b2d01f1a3649083cafb03c559a9d0db0dcf259d5ca1a894a4b142e2c65267036e00ccc9253197a0bdc6026d2832be6447189192b89ee8
SSDEEP

3145728:DjIKJTrUAG98yrsfAveykeYTy25+D2Ys2XVhUJ0sZDC2oT:DMokV98yIJTRu4+SsAJ0spzu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2256	Update.exe
2808	Squirrel.exe
2900	LabyModLauncher.exe
2636	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2812	LabyModLauncherSetup-latest.exe
2256	Update.exe
2256	Update.exe
2256	Update.exe
2900	LabyModLauncher.exe
2256	Update.exe
2636	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2256	Update.exe
2256	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2256	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2256	2812	LabyModLauncherSetup-latest.exe	29
PID 2812 wrote to memory of 2256	2812	LabyModLauncherSetup-latest.exe	29
PID 2812 wrote to memory of 2256	2812	LabyModLauncherSetup-latest.exe	29
PID 2812 wrote to memory of 2256	2812	LabyModLauncherSetup-latest.exe	29
PID 2256 wrote to memory of 2808	2256	Update.exe	30
PID 2256 wrote to memory of 2808	2256	Update.exe	30
PID 2256 wrote to memory of 2808	2256	Update.exe	30
PID 2256 wrote to memory of 2900	2256	Update.exe	31
PID 2256 wrote to memory of 2900	2256	Update.exe	31
PID 2256 wrote to memory of 2900	2256	Update.exe	31
PID 2256 wrote to memory of 2636	2256	Update.exe	32
PID 2256 wrote to memory of 2636	2256	Update.exe	32
PID 2256 wrote to memory of 2636	2256	Update.exe	32

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\LabyModLauncher.exe" --squirrel-install 2.1.6
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2900
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
86B

MD5
96607107b77eb1b38a758ada1f9dbd1b

SHA1
9f56fe8ca98d2731ec05ce6c09efeb3c7d0ee531

SHA256
44f3ea4df8ea7eb0812ca1f092911c6a911930ac6160217502272c8de76d69e4

SHA512
43df1c45f01c753eb256982c8d666c949f871794dcc0cbcc13e413cd042cf8df2b7cb1391ee1ff09e865b130da5cc345c226b0f6b549c6169df4a496cbb48d0a

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab698E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69B0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\ffmpeg.dll

Filesize
2.7MB

MD5
192ad44c75c9f20ddc81f72d1be2826b

SHA1
fd14cd15df610591dc1df5fb9ff166a707df36cd

SHA256
5a69e026513e6bf17ab1beb16d686afd93f231eef06cf6202b0710b17102b287

SHA512
48e18f6b69533607bf94daa1b5a45239b6878c2ffde845044305e4879115b32ef58bac9ae3526637b7b9622ce2db1b46ee490a476f61ccf888b8821769d4ba28

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.6\squirrel.exe

Filesize
1.9MB

MD5
655044270f76ccc4b85f3eedc48e7abc

SHA1
d80b1e0c792adb48f180190cc9d87963fd4c6cfc

SHA256
119b05bf7a45cab767b474ce8f3ea3c7243b9e094a52575d9e32df6205367c0d

SHA512
1ce9ba09b1bef95fbb722ec3416c31733ec37839ff7578cfa3c9be8b14dd7de3f66e7731e5c49d1fda8e2eaf244d308f4e8fdffc2cb1209e693619713b765535

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
7c844f47a28bcb773ed565be6ea0a1a1

SHA1
9a27914908c96455d3a225550e13373dd772646e

SHA256
e7dc3a854bbdcea459cc8e823ecd6dd2318d459cac3dff56af2d57bfd11176a1

SHA512
2b5ca21aaaef212d3f5223d0686308ce3a7b7c4b0137b77fb4baf65c5bfefef44d99e6238f7f9e4c6390be6740df9516f9252a373c24b4ddba403d5fbb327fc2

Download Submit
memory/2256-34-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2256-35-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2256-9-0x0000000000810000-0x00000000009E6000-memory.dmp

Filesize
1.8MB

Download
memory/2256-454-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/2808-393-0x00000000012F0000-0x00000000014E4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing