Windows Analysis Report
LEADER_Setup_2024-03-01.exe
Overview
General Information
Detection
Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 20%
Signatures
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for user specific document files
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Classification
Analysis Advice
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
- Sample searches for specific files; try pointing organization-specific fake files at the analysis machine.
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
- Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.
- System is w10x64_ra
- LEADER_Setup_2024-03-01.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\LEADER_Setup_2024-03-01.exe" MD5: CEC0E50F9DE40DF587F87C062196880E)
  - regsvr32.exe (PID: 7612 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO360.DLL" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7668 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\MSMASK32.OCX" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7688 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\LeaderGrid2.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7752 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ABSDI.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7776 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\OpenDialog.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7812 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\L4FieldServer.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7836 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ErrorLogger.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7860 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\Erroneous.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\L4TermConvertor.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7900 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\RevalidationSetup.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7924 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ProgressDialog.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7948 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\AdvMsgBox.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7972 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\AutoType.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7996 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\Splash.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8020 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\PTxSCP.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8044 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\sstbars2.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8072 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\TList4.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8096 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\VSpell32.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8120 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\VSFlex6d.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8148 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\VSFlex7l.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 8172 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\JSBBAR16.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3988 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ViewPort6.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1468 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\Softlocx5.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1504 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\mblink.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5952 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\excooltips.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1360 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\HHActiveX.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3364 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\L3Conversion\Leader3Import.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5736 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\TimerPlus.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6164 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\TimerLite.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 2348 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ActiveWizard.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5996 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\prjLOPARollup.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6440 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\IGToolBars50.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1476 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\sg20o.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6580 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\VLBtnBar.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3612 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\vbalXPBG6.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 2932 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\BreakTimer.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1788 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\IGTabs40.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7616 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\Jbfalls.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7576 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\JBFAETS.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 4304 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\JBFAWI.DLL" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 7568 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\SoftRegister.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 716 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\Imports.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1272 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\HRLUR.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5288 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" "C:\Program Files (x86)\LEADER\BIN\ExportToOutline.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6056 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" C:\Windows\SysWOW64\MSCOMCTL.OCX /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - GLJB936.tmp (PID: 1344 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\COMDLG32.OCX MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 3960 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Dblist32.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 3840 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Comct332.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 1904 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Mscomct2.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 1956 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Threed32.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 3184 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Tabctl32.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 724 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Richtx32.ocx MD5: 6F608D264503796BEBD7CD66B687BE92)
  - GLJB936.tmp (PID: 4960 cmdline: "C:\Users\user\AppData\Local\Temp\GLJB936.tmp" C:\Windows\System32\Msstdfmt.dll MD5: 6F608D264503796BEBD7CD66B687BE92)
- chrome.exe (PID: 7132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 6228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1944,i,14493891824629702636,3599952498152496209,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- LEADER.exe (PID: 2292 cmdline: "C:\Program Files (x86)\LEADER\LEADER.exe" MD5: 486B47F8595639C22CF00087A3D21456)
- LEADER.exe (PID: 3956 cmdline: "C:\Program Files (x86)\LEADER\LEADER.exe" MD5: 486B47F8595639C22CF00087A3D21456)
- cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched