9afaf38566a0e92fcc844c0dfb69c76a86c524e4ad167518c5f461025463ddf0

General

Target

LabyModLauncherSetup-latest.exe
Size

118.5MB
MD5

0a7bd6235295f9f4325d0f7eb98ba508
SHA1

2582474e77f54099a89438e23c94edf6acf1d2fd
SHA256

9afaf38566a0e92fcc844c0dfb69c76a86c524e4ad167518c5f461025463ddf0
SHA512

c89b3aae81db3dda4e3654d85c3830fc551adbb1f76b7d4f76548ddc25aba1ed385baad20eefb874ccfad11b17ee1f972cad2848806753230be3e069719ff1cb
SSDEEP

3145728:g6I450/XJLzx3WikTgt2pQYJaUIN47Od4pRvm:gvfNxGikTgApBJaRN47Odqvm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2124	Update.exe
2204	Squirrel.exe
2880	LabyModLauncher.exe
2744	LabyModLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
1700	LabyModLauncherSetup-latest.exe
2124	Update.exe
2124	Update.exe
2124	Update.exe
2880	LabyModLauncher.exe
2124	Update.exe
2744	LabyModLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LabyModLauncherSetup-latest.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	Update.exe
2124	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	Update.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2124	1700	LabyModLauncherSetup-latest.exe	30
PID 1700 wrote to memory of 2124	1700	LabyModLauncherSetup-latest.exe	30
PID 1700 wrote to memory of 2124	1700	LabyModLauncherSetup-latest.exe	30
PID 1700 wrote to memory of 2124	1700	LabyModLauncherSetup-latest.exe	30
PID 2124 wrote to memory of 2204	2124	Update.exe	31
PID 2124 wrote to memory of 2204	2124	Update.exe	31
PID 2124 wrote to memory of 2204	2124	Update.exe	31
PID 2124 wrote to memory of 2880	2124	Update.exe	32
PID 2124 wrote to memory of 2880	2124	Update.exe	32
PID 2124 wrote to memory of 2880	2124	Update.exe	32
PID 2124 wrote to memory of 2744	2124	Update.exe	33
PID 2124 wrote to memory of 2744	2124	Update.exe	33
PID 2124 wrote to memory of 2744	2124	Update.exe	33

C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe
"C:\Users\Admin\AppData\Local\Temp\LabyModLauncherSetup-latest.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\Squirrel.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:2204
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\LabyModLauncher.exe" --squirrel-install 2.1.7
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2880
- - C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\LabyModLauncher.exe
    "C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\LabyModLauncher.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
86B

MD5
96e21527101ec7a2017e863b5042e184

SHA1
1f8e4c1c4d1a6c05ac2d2df0415ed928d8d0864d

SHA256
c7ecdc2f94417299c2abb7b38c38c7e484dd69c2c44204beaad32583081c1817

SHA512
aea7024d3ef881f2833b79750b849ccfe3daf88166abda0955fedcfb5bb3e17685ce961ec66f4d4c98d37657f46461c68770e9db98795c09a38885836a862aeb

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
41KB

MD5
def79fef823db7584ce1844c5fb157ef

SHA1
c61ac5eba78ac34ee4568c6a85ac780add6cab4f

SHA256
dc99de97b0324cddf77f56d2f07de40108eeaac9b50bed3820958bf383e8b345

SHA512
a179663bd53c4d39bd31643a08aae2326e12bba9dd07cbfb1d5b79aa4bd64c8d4178528871df5541e4ba7cff9bcb39f63a57eb4cb0e7be6625a5bb318c75f705

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
122KB

MD5
4bce15bbb0487f88efc006fd597441b7

SHA1
da5a02653245112aabfd45429c417c39fcb2f67a

SHA256
0e684d8f833fd47d4c98d4742ce46abbfdb1f4b130da4a93047df9926f189e46

SHA512
e128d96cad8d214d41b60a7ab129dbf105866fe895d206c5b77b65af04c5d83ff1be87ece9b862dc30c88faeda69cff185925d7ae7b311c5351ca664db4a3060

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\Squirrel.exe

Filesize
1.9MB

MD5
a6d96797a9c6d46c6bf953213ddc2a7a

SHA1
5d6b664ac8750094afe81f5ef68eec46e378fc50

SHA256
580f3ecee2f33fca9d37f4102187b17c561ef88284b096af9e41cceaef20e728

SHA512
7b4d44fc085cd00dd041579513a534b4acfc2d01d9bd201cc5a24d6b531ef53a0974041622fd74582a5e25ae9abcf7a55bcdd4002ac964d881efe4d793dbf9ba

Download Submit
C:\Users\Admin\AppData\Local\labymodlauncher\app-2.1.7\ffmpeg.dll

Filesize
2.7MB

MD5
495ec8ea6e48faf690afa1a32695d434

SHA1
e77821157f52a6828b43e700b1e982809f16153e

SHA256
404cc71e04e4b7b89d9ef746502795643b6c940db82bd58c5403e9d0b27f7248

SHA512
50344079483458fae19b0092cc875c67cd92de3f1069d5107e3baaf67a9d70de61e01271e4bda8325749104a743270e521396f4e3a516db44c30fa9646197be5

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
e356889661efdc4312a3cf16cffe6d1a

SHA1
4bee286beef11e95db1d8139f956422fa2a0ccbf

SHA256
695013dca3e35baf2cd9506236c4111a4ef72d82467777919660300acd0024a5

SHA512
1980a590cfe73f96e795d17ad87fb021b65b56ce81873c086c3b9fbeecb69b8e60181f06c83a1536e8c550a64c0f7dea0eff18b44749a0c9eb0213dfe70502b0

Download Submit
memory/2124-9-0x0000000000FA0000-0x0000000001176000-memory.dmp

Filesize
1.8MB

Download
memory/2124-412-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2124-411-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2124-420-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2204-388-0x0000000000C20000-0x0000000000E14000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing