Overview
overview
3Static
static
3Nitrox_1.7.1.0.zip
windows10-1703-x64
1NitroxLauncher.exe
windows10-1703-x64
3NitroxLaun...xe.xml
windows10-1703-x64
1NitroxServ...ca.exe
windows10-1703-x64
1NitroxServ...xe.xml
windows10-1703-x64
1lib/0Harmony.dll
windows10-1703-x64
1lib/Assets...ET.dll
windows10-1703-x64
1lib/Autofac.dll
windows10-1703-x64
1lib/BinaryPack.dll
windows10-1703-x64
1lib/Discor...er.dll
windows10-1703-x64
1lib/JetBra...ns.dll
windows10-1703-x64
1lib/LZ4.dll
windows10-1703-x64
1lib/LitJSON.dll
windows10-1703-x64
1lib/LiteNetLib.dll
windows10-1703-x64
1lib/Micros...ry.dll
windows10-1703-x64
1lib/Micros...ll.dll
windows10-1703-x64
1lib/Micros...ck.dll
windows10-1703-x64
1lib/Mono.C...db.dll
windows10-1703-x64
1lib/Mono.C...db.dll
windows10-1703-x64
1lib/Mono.C...ks.dll
windows10-1703-x64
1lib/Mono.Cecil.dll
windows10-1703-x64
1lib/Mono.Nat.dll
windows10-1703-x64
1lib/MonoMo...ur.dll
windows10-1703-x64
1lib/MonoMod.Utils.dll
windows10-1703-x64
1lib/Newton...on.dll
windows10-1703-x64
1lib/NitroxClient.dll
windows10-1703-x64
1lib/NitroxClient.pdb
windows10-1703-x64
3lib/Nitrox...ca.dll
windows10-1703-x64
1lib/Nitrox...ca.pdb
windows10-1703-x64
3lib/NitroxModel.pdb
windows10-1703-x64
3lib/NitroxPatcher.pdb
windows10-1703-x64
3lib/NitroxServer.pdb
windows10-1703-x64
3Analysis
-
max time kernel
1201s -
max time network
1607s -
platform
windows10-1703_x64 -
resource
win10-20230703-es -
resource tags
arch:x64arch:x86image:win10-20230703-eslocale:es-esos:windows10-1703-x64systemwindows -
submitted
11-07-2023 13:37
Static task
static1
Behavioral task
behavioral1
Sample
Nitrox_1.7.1.0.zip
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral2
Sample
NitroxLauncher.exe
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral3
Sample
NitroxLauncher.exe.xml
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral4
Sample
NitroxServer-Subnautica.exe
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral5
Sample
NitroxServer-Subnautica.exe.xml
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral6
Sample
lib/0Harmony.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral7
Sample
lib/AssetsTools.NET.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral8
Sample
lib/Autofac.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral9
Sample
lib/BinaryPack.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral10
Sample
lib/DiscordGameSDKWrapper.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral11
Sample
lib/JetBrains.Annotations.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral12
Sample
lib/LZ4.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral13
Sample
lib/LitJSON.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral14
Sample
lib/LiteNetLib.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral15
Sample
lib/Microsoft.Win32.Registry.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral16
Sample
lib/Microsoft.WindowsAPICodePack.Shell.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral17
Sample
lib/Microsoft.WindowsAPICodePack.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral18
Sample
lib/Mono.Cecil.Mdb.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral19
Sample
lib/Mono.Cecil.Pdb.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral20
Sample
lib/Mono.Cecil.Rocks.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral21
Sample
lib/Mono.Cecil.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral22
Sample
lib/Mono.Nat.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral23
Sample
lib/MonoMod.RuntimeDetour.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral24
Sample
lib/MonoMod.Utils.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral25
Sample
lib/Newtonsoft.Json.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral26
Sample
lib/NitroxClient.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral27
Sample
lib/NitroxClient.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral28
Sample
lib/NitroxModel-Subnautica.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral29
Sample
lib/NitroxModel-Subnautica.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral30
Sample
lib/NitroxModel.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral31
Sample
lib/NitroxPatcher.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral32
Sample
lib/NitroxServer.pdb
Resource
win10-20230703-es
windows10-1703-x64
General
-
Target
NitroxLauncher.exe.xml
-
Size
2KB
-
MD5
07a0a619101800cc15c38b1494ab87ca
-
SHA1
4c1dbcc4390d83503e2642afeb81292c214642e9
-
SHA256
749b8184de2e12e47bc7b0140840a392423a9e0b07a7f20afa54c237f61ee111
-
SHA512
e22a0ad49e3bf7985c40d76b5b389f75eaab7165ca6811c0a173f64359f06d1276fec9e285f2aa8bfbed0f7cf9aa02ce614138689bec66c1fe09a552343e121e
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "444939138" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "444939138" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "446657685" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ce19d01ba0487545829bf9ad88e781c500000000020000000000106600000001000020000000ca2aa0718e369f46186f7b106919cc1a5eab67766803a0d426b79f2edd96f5af000000000e80000000020000200000001a082735e4456e6225ccf7f8afdc4b74450df778fed1c3d9b2a6f397c8b580ec20000000d512411fba10b14965ebc98b15038a33b11af613f71a878c5f151560965e47b9400000005751ba61777fe2d9df1174819b762f8bead9a3be774009e4e63d39139e5a074c905fa6778615ec9fccea18a825d2929b90161235b193f27d1eaa8d5d05ad622f iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4622D655-1FF0-11EE-B5F1-4691AFEAE949} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395847707" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044605" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0137d1bfdb3d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009e731bfdb3d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044605" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "395896293" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "446657685" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044605" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ce19d01ba0487545829bf9ad88e781c50000000002000000000010660000000100002000000038da88eae544a1f96372a6ddb9ca476418fde243ccbf8753d8a4f24557bb1e7e000000000e8000000002000020000000fd63a0b4a9244351d5bfa0ed3a3f32560b1e835025e35567c8b680c7cea932d520000000b95b8871558dffef954d43be911c1c60550f3f6a78a58e67961572116e3dae8140000000e7f2d10d4f70b4e79873b335b85bd3b904abd679d74e371269af75ee12b83a0f33c56a735abf1199fd9811142646e90eefe7dd53f8dca670cfd6c6b64a02eb46 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044605" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "395864301" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2960 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2960 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2960 iexplore.exe 2960 iexplore.exe 4616 IEXPLORE.EXE 4616 IEXPLORE.EXE 4616 IEXPLORE.EXE 4616 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2960 2728 MSOXMLED.EXE 69 PID 2728 wrote to memory of 2960 2728 MSOXMLED.EXE 69 PID 2960 wrote to memory of 4616 2960 iexplore.exe 71 PID 2960 wrote to memory of 4616 2960 iexplore.exe 71 PID 2960 wrote to memory of 4616 2960 iexplore.exe 71
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NitroxLauncher.exe.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\NitroxLauncher.exe.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4616
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
18KB
MD5e2749896090665aeb9b29bce1a591a75
SHA159e05283e04c6c0252d2b75d5141ba62d73e9df9
SHA256d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7
SHA512c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5
-
Filesize
608B
MD5e19f41a42a7e22292e594488fc9c5379
SHA14c6e0bbe8af707a383699fbe6bc5d3f23a55bc94
SHA256d15a096b7d2350983509ab294b0aec2f02854e7db3fbe215d7210008ab8c6ddf
SHA5128b848b26f48d8ff69530c52aa8309aa0aed3bd04b5daedef42c1360714b6f6686280641bcf05010ed3c6ea56fad5c1723e6baed5db0f2a6ab978eed31d15e6ed
-
Filesize
608B
MD5f1faf5ed8ee961fd1b6424ad8475e08e
SHA14dff44b141b37ef4f95c52565589fd7bc6fec383
SHA256cf09374ee76b11caf367b9364b4b776b6fb9902ed66e8b45097e0f5dc8620034
SHA5121105374dbdec1179d248c93abae6d210ab6336386a41d652ae18f5f75653cfd976a99d904f6c8b6f047d7b7ce49a28c0202854612a4141202342a8c9220783ec