29863a90ffd7d97587a4c72844029f8d8a446c755f2623d82a086705159b66c9

General

Target

lghub_installer.exe
Size

39.9MB
MD5

60bb13925f7ec996ba6de2fa08e407ef
SHA1

2e060ea3a5442a91e938c612a5ce299a7b2666b6
SHA256

29863a90ffd7d97587a4c72844029f8d8a446c755f2623d82a086705159b66c9
SHA512

4123b3b044186491137dc92cd05a8e7126293ed26bec005a7474878405a4fe3d38bb8b0e2b1c6881fe23f418ba8b53582e19846c77b7c32cd77f2bf10135f766
SSDEEP

786432:A0qrfHbEpttD7yBG/4M3OW+upttD7yBG/PcXU9g58:A0qPEpttD7y0/pnpttD7y0/0XUm58

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	lghub_installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 4 IoCs

pid	Process
4224	vc_redist.x64.exe
1100	vc_redist.x64.exe
5064	vc_redist.x86.exe
3320	vc_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
1100	vc_redist.x64.exe
3320	vc_redist.x86.exe
2080	lghub_installer.exe
2080	lghub_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	lghub_installer.exe
Token: SeDebugPrivilege	1056	taskmgr.exe
Token: SeSystemProfilePrivilege	1056	taskmgr.exe
Token: SeCreateGlobalPrivilege	1056	taskmgr.exe
Token: 33	1056	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1056	taskmgr.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe
1056	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4224	2080	lghub_installer.exe	84
PID 2080 wrote to memory of 4224	2080	lghub_installer.exe	84
PID 2080 wrote to memory of 4224	2080	lghub_installer.exe	84
PID 4224 wrote to memory of 1100	4224	vc_redist.x64.exe	85
PID 4224 wrote to memory of 1100	4224	vc_redist.x64.exe	85
PID 4224 wrote to memory of 1100	4224	vc_redist.x64.exe	85
PID 2080 wrote to memory of 5064	2080	lghub_installer.exe	86
PID 2080 wrote to memory of 5064	2080	lghub_installer.exe	86
PID 2080 wrote to memory of 5064	2080	lghub_installer.exe	86
PID 5064 wrote to memory of 3320	5064	vc_redist.x86.exe	87
PID 5064 wrote to memory of 3320	5064	vc_redist.x86.exe	87
PID 5064 wrote to memory of 3320	5064	vc_redist.x86.exe	87

C:\Users\Admin\AppData\Local\Temp\lghub_installer.exe
"C:\Users\Admin\AppData\Local\Temp\lghub_installer.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\Temp\{537240D7-77BF-485E-A480-6FD84C0BA6A2}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{537240D7-77BF-485E-A480-6FD84C0BA6A2}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x64.exe" -burn.filehandle.attached=532 -burn.filehandle.self=536 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1100
- C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x86.exe
  "C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x86.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\Temp\{DB7666EF-AB19-4BF7-9941-920F67ACAB08}\.cr\vc_redist.x86.exe
    "C:\Windows\Temp\{DB7666EF-AB19-4BF7-9941-920F67ACAB08}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\logi_codecs_shared.dll

Filesize
538KB

MD5
766ad9b68b29b5b5a3b8a2acb4d2f67b

SHA1
07894a9b211a25df47944feea280b50313311008

SHA256
6f0610975651093c03ca6043082cc46a65680b37db1557d63a746c71429c1d49

SHA512
d9c2e55490f4e73f84a0ab74e2f8236b4c0e3aa553cf697bc604ef0a172d8868627fa53c54978fa0f4b84204814fc87bd57b54421c20544c72ec3e213aed65d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\logi_installer_shared.dll

Filesize
5.7MB

MD5
be8d493e25793a90762c170c4c3052ce

SHA1
63c8a916b47438c8af847c5bd0da91091d0f3f45

SHA256
0b706bb10eb20fecce2fb197e3b3c8ee798c25335b8acb598ff0a74529af93a2

SHA512
521ca6dd58c3e5f88f85d9cb85c5aca80dc61e9fa60c139b7a1eb9b7e6ae201b90f7a9f296ad68957866ebc5c0f8ab38032bfcb8e2929b7ddee4830d18d05b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x64.exe

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghub-br21s5cl.bie\vc_redist.x86.exe

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Windows\Temp\{537240D7-77BF-485E-A480-6FD84C0BA6A2}\.cr\vc_redist.x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{87C025BF-BDC0-48D7-97F2-6C837DC83C96}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{87C025BF-BDC0-48D7-97F2-6C837DC83C96}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{DB7666EF-AB19-4BF7-9941-920F67ACAB08}\.cr\vc_redist.x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
memory/1056-207-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-204-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-202-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-203-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-205-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-206-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-198-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-197-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-196-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/1056-208-0x000001D877F40000-0x000001D877F41000-memory.dmp

Filesize
4KB

Download
memory/2080-0-0x00007FFB44A53000-0x00007FFB44A55000-memory.dmp

Filesize
8KB

Download
memory/2080-195-0x000002194A8D0000-0x000002194A8DE000-memory.dmp

Filesize
56KB

Download
memory/2080-194-0x000002194BC40000-0x000002194BC78000-memory.dmp

Filesize
224KB

Download
memory/2080-2-0x00007FFB44A50000-0x00007FFB45511000-memory.dmp

Filesize
10.8MB

Download
memory/2080-193-0x000002194A830000-0x000002194A838000-memory.dmp

Filesize
32KB

Download
memory/2080-1-0x0000021929B50000-0x000002192C33C000-memory.dmp

Filesize
39.9MB

Download
memory/2080-209-0x00007FFB44A53000-0x00007FFB44A55000-memory.dmp

Filesize
8KB

Download
memory/2080-210-0x00007FFB44A50000-0x00007FFB45511000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads