Overview
overview
1Static
static
1lib/Mono.C...db.dll
windows10-2004-x64
lib/Mono.C...ks.dll
windows10-2004-x64
1lib/Mono.Cecil.dll
windows10-2004-x64
1lib/Mono.Nat.dll
windows10-2004-x64
1lib/MonoMo...ur.dll
windows10-2004-x64
1lib/MonoMod.Utils.dll
windows10-2004-x64
1lib/Newton...on.dll
windows10-2004-x64
1lib/NitroxClient.dll
windows10-2004-x64
1lib/Nitrox...ca.dll
windows10-2004-x64
1lib/NitroxModel.dll
windows10-2004-x64
1lib/NitroxPatcher.dll
windows10-2004-x64
1lib/Nitrox...ll.xml
windows10-2004-x64
1lib/NitroxServer.dll
windows10-2004-x64
1lib/Nitrox...ll.xml
windows10-2004-x64
1lib/Serilo...nc.dll
windows10-2004-x64
1lib/Serilo...le.dll
windows10-2004-x64
1lib/Serilo...ap.dll
windows10-2004-x64
1lib/Serilog.dll
windows10-2004-x64
1lib/System...rs.dll
windows10-2004-x64
1lib/System...on.dll
windows10-2004-x64
1lib/System...ol.dll
windows10-2004-x64
1lib/System.Memory.dll
windows10-2004-x64
1lib/System...rs.dll
windows10-2004-x64
1lib/System...fe.dll
windows10-2004-x64
1lib/System...ol.dll
windows10-2004-x64
1lib/System...ws.dll
windows10-2004-x64
1lib/ToastN...es.dll
windows10-2004-x64
1lib/ToastN...ns.dll
windows10-2004-x64
1lib/Window...er.dll
windows10-2004-x64
1lib/discor...dk.dll
windows10-2004-x64
1lib/dnlib.dll
windows10-2004-x64
1lib/protobuf-net.dll
windows10-2004-x64
1Analysis
-
max time kernel
90s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03-02-2023 18:19
Static task
static1
Behavioral task
behavioral1
Sample
lib/Mono.Cecil.Pdb.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
lib/Mono.Cecil.Rocks.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
lib/Mono.Cecil.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
lib/Mono.Nat.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
lib/MonoMod.RuntimeDetour.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
lib/MonoMod.Utils.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
lib/Newtonsoft.Json.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
lib/NitroxClient.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
lib/NitroxModel-Subnautica.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
lib/NitroxModel.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
lib/NitroxPatcher.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
lib/NitroxPatcher.dll.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
lib/NitroxServer.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
lib/NitroxServer.dll.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
lib/Serilog.Sinks.Async.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
lib/Serilog.Sinks.File.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
lib/Serilog.Sinks.Map.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
lib/Serilog.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
lib/System.Buffers.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
lib/System.Drawing.Common.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
lib/System.IO.FileSystem.AccessControl.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
lib/System.Memory.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
lib/System.Numerics.Vectors.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
lib/System.Runtime.CompilerServices.Unsafe.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
lib/System.Security.AccessControl.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
lib/System.Security.Principal.Windows.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
lib/ToastNotifications.Messages.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
lib/ToastNotifications.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
lib/WindowsFirewallHelper.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
lib/discord_game_sdk.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
lib/dnlib.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
lib/protobuf-net.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
lib/NitroxPatcher.dll.xml
-
Size
541B
-
MD5
eedc5cf14768398678b0e33ae76d698f
-
SHA1
4c4bbe481ebbf2b91aad494ea44e9501ea7b3f38
-
SHA256
775b821a4b95d9bf45b6f924ad8177808e8c015430f7ec1dd68cf72fec77b528
-
SHA512
86c768c4710a27b381ac98f1d7a7da574b85a5aeeb949b8e6d01cfd05adff9c179cf0af0bd76e7ad13489156a1e8e400c5bb18152e949af541fef1d48d4d68ae
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012860" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012860" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BB2D71DA-A3EF-11ED-A0EE-CA180515AB83} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012860" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2430129591" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c83c3acc624c3249b4a1efd60bc27a2f00000000020000000000106600000001000020000000ab5a7ddd3461a772127e02c462e992dde226a24eb8500dda45008a603deacff9000000000e8000000002000020000000089ce5fe83826704d54d87fd08aa63bdab1e124d375b317b3eaab3cab688095a200000009d323166dcb8bef5fb864e0550b546f0a818a5b22c1971c2fe6cc4580248006040000000363d9c5aeaece03f5f9c583fdd753a4513b432ed1186462fe3ac08ba74204614c3d4eef0610c1a11f81a4a3d6f8a42a6d410756512756f666a4cec7438d7eb3f iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382213530" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2430129591" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c83c3acc624c3249b4a1efd60bc27a2f00000000020000000000106600000001000020000000d4ad96f4fe81e48ac782c7af66c1cf967cb8e325b14409a2132c20d67140d831000000000e8000000002000020000000a144028c5df5eaffdcf994da1fc50f6ed509d56f443e8ee4927b6cc4c60d2c21200000004fde1c757a6e4530caf02b6acdf5c982a7415601e47f8fcd2f403b10c8f2a91440000000c6703541bd77608b071bba6b58423c034e7716e9b8c2bb3460965b588ce0a563e62785503cb2da6efbc214dd64d5ac9a9f5f5a6d967bd4c7b58334f17b6eae64 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2423723465" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012860" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6028fa90fc37d901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b84191fc37d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2423723465" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4404 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4404 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4404 iexplore.exe 4404 iexplore.exe 4736 IEXPLORE.EXE 4736 IEXPLORE.EXE 4736 IEXPLORE.EXE 4736 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1776 wrote to memory of 4404 1776 MSOXMLED.EXE 77 PID 1776 wrote to memory of 4404 1776 MSOXMLED.EXE 77 PID 4404 wrote to memory of 4736 4404 iexplore.exe 80 PID 4404 wrote to memory of 4736 4404 iexplore.exe 80 PID 4404 wrote to memory of 4736 4404 iexplore.exe 80
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\lib\NitroxPatcher.dll.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\lib\NitroxPatcher.dll.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4404 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4736
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ccb3ea965204795878736144d1a57796
SHA1c74c7a85503f1a1ba0c1876cdeec774aabb3910b
SHA25609912639ea660c3f744c3d70ee54d0a43b591074ee0bb150e5447fd20f8a4f93
SHA51216916d8458a84465e7dd6e4af1b24adcbbd3ce830766313f6963fdf7e6ed0c66b76b04636e91b68110e23604833658cc040563d46eda2bca3309fd233cbb1ac5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD53ec573cb1bc20a68847edfbc6ff40d9c
SHA16a30788462cf590ac567a4278e91f8673f619fe0
SHA256140c44940f9a1d40bb8b9aca3370cf1ca73de929d9e9ac93c85addd2f6564bcf
SHA512af42d5f66fdd92787deb0a8d7f9eb7370e9a826682a1ebef7a112465ed62561680471a0506f24ecc410c1017fb83d75b5f10c3a663565a1badb51324df46af69