d16a0ff410861d71b3be9b7f84200782f36ee7123c69294395f7d362fd1ae767 | Triage

Submit
Reports

Overview

overview

8

Static

static

1

Lagswitch_...US.msi

windows7-x64

8

Lagswitch_...US.msi

windows10-2004-x64

8

Sharing

General

Target

Lagswitch_2.0.1_x86_en-US.msi
Size

3.6MB
Sample

241130-fsycqatpcz
MD5

88f53f1eef043e3f7b931e0461b52287
SHA1

fbebe0190b08236d2acea5a5b41058f0e301aa03
SHA256

d16a0ff410861d71b3be9b7f84200782f36ee7123c69294395f7d362fd1ae767
SHA512

299170a983d1025d7373dabeb6c2dc498a5db94543e5f38c04bb70cd67cc77bace5a84a7e0d7c5e886fe4b412cbe7000d2a1f287d071b935fa30ef4e40f34ccb
SSDEEP

98304:3vrEI3WzXhrWfAIaOm1xV04xPWl1zl0rY4T2VrP9Pv8m:3vQI3+hROmx04x+zI2VrF

Score

8^/10

discovery execution persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

Lagswitch_2.0.1_x86_en-US.msi

Resource

win7-20240903-en

discovery execution persistence privilege_escalation

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Lagswitch_2.0.1_x86_en-US.msi

Resource

win10v2004-20241007-en

discovery execution persistence privilege_escalation

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  Lagswitch_2.0.1_x86_en-US.msi
- Size
  
  3.6MB
- MD5
  
  88f53f1eef043e3f7b931e0461b52287
- SHA1
  
  fbebe0190b08236d2acea5a5b41058f0e301aa03
- SHA256
  
  d16a0ff410861d71b3be9b7f84200782f36ee7123c69294395f7d362fd1ae767
- SHA512
  
  299170a983d1025d7373dabeb6c2dc498a5db94543e5f38c04bb70cd67cc77bace5a84a7e0d7c5e886fe4b412cbe7000d2a1f287d071b935fa30ef4e40f34ccb
- SSDEEP
  
  98304:3vrEI3WzXhrWfAIaOm1xV04xPWl1zl0rY4T2VrP9Pv8m:3vQI3+hROmx04x+zI2VrF
Score

8^/10

discovery execution persistence privilege_escalation
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Installer Packages

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecutionpersistenceprivilege_escalation

behavioral2

discoveryexecutionpersistenceprivilege_escalation

© 2018-2025

Terms | Privacy