Overview
overview
1Static
static
1lib/Mono.C...db.dll
windows10-2004-x64
lib/Mono.C...ks.dll
windows10-2004-x64
1lib/Mono.Cecil.dll
windows10-2004-x64
1lib/Mono.Nat.dll
windows10-2004-x64
1lib/MonoMo...ur.dll
windows10-2004-x64
1lib/MonoMod.Utils.dll
windows10-2004-x64
1lib/Newton...on.dll
windows10-2004-x64
1lib/NitroxClient.dll
windows10-2004-x64
1lib/Nitrox...ca.dll
windows10-2004-x64
1lib/NitroxModel.dll
windows10-2004-x64
1lib/NitroxPatcher.dll
windows10-2004-x64
1lib/Nitrox...ll.xml
windows10-2004-x64
1lib/NitroxServer.dll
windows10-2004-x64
1lib/Nitrox...ll.xml
windows10-2004-x64
1lib/Serilo...nc.dll
windows10-2004-x64
1lib/Serilo...le.dll
windows10-2004-x64
1lib/Serilo...ap.dll
windows10-2004-x64
1lib/Serilog.dll
windows10-2004-x64
1lib/System...rs.dll
windows10-2004-x64
1lib/System...on.dll
windows10-2004-x64
1lib/System...ol.dll
windows10-2004-x64
1lib/System.Memory.dll
windows10-2004-x64
1lib/System...rs.dll
windows10-2004-x64
1lib/System...fe.dll
windows10-2004-x64
1lib/System...ol.dll
windows10-2004-x64
1lib/System...ws.dll
windows10-2004-x64
1lib/ToastN...es.dll
windows10-2004-x64
1lib/ToastN...ns.dll
windows10-2004-x64
1lib/Window...er.dll
windows10-2004-x64
1lib/discor...dk.dll
windows10-2004-x64
1lib/dnlib.dll
windows10-2004-x64
1lib/protobuf-net.dll
windows10-2004-x64
1Analysis
-
max time kernel
91s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
03-02-2023 18:19
Static task
static1
Behavioral task
behavioral1
Sample
lib/Mono.Cecil.Pdb.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
lib/Mono.Cecil.Rocks.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
lib/Mono.Cecil.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
lib/Mono.Nat.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
lib/MonoMod.RuntimeDetour.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
lib/MonoMod.Utils.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
lib/Newtonsoft.Json.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
lib/NitroxClient.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
lib/NitroxModel-Subnautica.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
lib/NitroxModel.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
lib/NitroxPatcher.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
lib/NitroxPatcher.dll.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
lib/NitroxServer.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
lib/NitroxServer.dll.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
lib/Serilog.Sinks.Async.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
lib/Serilog.Sinks.File.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
lib/Serilog.Sinks.Map.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
lib/Serilog.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
lib/System.Buffers.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
lib/System.Drawing.Common.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
lib/System.IO.FileSystem.AccessControl.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
lib/System.Memory.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
lib/System.Numerics.Vectors.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
lib/System.Runtime.CompilerServices.Unsafe.dll
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
lib/System.Security.AccessControl.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
lib/System.Security.Principal.Windows.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
lib/ToastNotifications.Messages.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
lib/ToastNotifications.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
lib/WindowsFirewallHelper.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
lib/discord_game_sdk.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
lib/dnlib.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
lib/protobuf-net.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
lib/NitroxServer.dll.xml
-
Size
1KB
-
MD5
6c78c2e8b9fbfb36f7a32c5ff3438dfe
-
SHA1
edb1bc3b68ad55bdaf33aab4ecb2dae212aaf88d
-
SHA256
cb614c1cfc8669b87de23146f99c4b21df5acf77efb72b9f973009f17e47efe8
-
SHA512
c7ab31011b884d8a68b596f8ef8c5bce513c9012d985ec84483082c88ebb56445ed0a8bd74a8ea3dd408109313aff3038470f5a6e86c784b2e53b21cb84ca8e7
Malware Config
Signatures
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "9748470" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000c9e443e6699ef67803fdc3565bb57cef0001a70ac64044d593a345746247f2ff000000000e8000000002000020000000178a3ebf86d7a6dd61b7b66fabedbde4627be8043f97fc244a2a110c5fc1010a2000000044f2ff23122391026d262222e0dd4bbb903d48839edc2695213ad9fdaf657322400000001703fca38a3f3814887dc147d5fb58a54657b8aad094e708d093f27d6845385f383d8e769559b88ad6ddc41a7192e2be028a567db33d36c86bfee76a758d2fd1 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000008a4ae5c465b58c6820c00cd708fa75be0de85ced32b8551fe1fc526c88a5664c000000000e80000000020000200000009fbb6395ceab0aba67993fb614965ad3200c505c513dc54be8abfa39f205df9d20000000c731f21cdb5db028cf3a21f014a584849d04c45f31cd6ad9c20a4d3e1b47b7e940000000ba913fa4300e74f1f7e43bb209d620960c972f2afeed42b32070c8c00e4c47f12d05e21711760c7f5bf8e9f6b0b1b24ee94683ca0ccf7a85c79bbf87708da083 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4282214699" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012868" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b081f8030538d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2A44D3DD-A3F8-11ED-919F-5695DBFAB5D8} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fde2030538d901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012868" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012869" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4282214699" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382217154" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4868 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4868 iexplore.exe 4868 iexplore.exe 2456 IEXPLORE.EXE 2456 IEXPLORE.EXE 2456 IEXPLORE.EXE 2456 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4708 wrote to memory of 4868 4708 MSOXMLED.EXE 80 PID 4708 wrote to memory of 4868 4708 MSOXMLED.EXE 80 PID 4868 wrote to memory of 2456 4868 iexplore.exe 82 PID 4868 wrote to memory of 2456 4868 iexplore.exe 82 PID 4868 wrote to memory of 2456 4868 iexplore.exe 82
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\lib\NitroxServer.dll.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\lib\NitroxServer.dll.xml2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4868 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2456
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ccb3ea965204795878736144d1a57796
SHA1c74c7a85503f1a1ba0c1876cdeec774aabb3910b
SHA25609912639ea660c3f744c3d70ee54d0a43b591074ee0bb150e5447fd20f8a4f93
SHA51216916d8458a84465e7dd6e4af1b24adcbbd3ce830766313f6963fdf7e6ed0c66b76b04636e91b68110e23604833658cc040563d46eda2bca3309fd233cbb1ac5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5fb5b6c25ad23307ae9f702cfddb7184f
SHA164ce066f1a4b3b845e3917f5d59adbdb92cc9317
SHA256753e15ad4539f12da15cd4df1117d64e76c932e8b823546b6c5fadaaeacf3a17
SHA5122b76b1def43576bcb6b38261c6c0c4071dd785f80f344ac5e264746b1d4b9115f54d9b60c30e979d3b5296c4c5fc944d403482f9494bda8753959e52ed20363d