Overview
overview
3Static
static
3Nitrox_1.7.1.0.zip
windows10-1703-x64
1NitroxLauncher.exe
windows10-1703-x64
3NitroxLaun...xe.xml
windows10-1703-x64
1NitroxServ...ca.exe
windows10-1703-x64
1NitroxServ...xe.xml
windows10-1703-x64
1lib/0Harmony.dll
windows10-1703-x64
1lib/Assets...ET.dll
windows10-1703-x64
1lib/Autofac.dll
windows10-1703-x64
1lib/BinaryPack.dll
windows10-1703-x64
1lib/Discor...er.dll
windows10-1703-x64
1lib/JetBra...ns.dll
windows10-1703-x64
1lib/LZ4.dll
windows10-1703-x64
1lib/LitJSON.dll
windows10-1703-x64
1lib/LiteNetLib.dll
windows10-1703-x64
1lib/Micros...ry.dll
windows10-1703-x64
1lib/Micros...ll.dll
windows10-1703-x64
1lib/Micros...ck.dll
windows10-1703-x64
1lib/Mono.C...db.dll
windows10-1703-x64
1lib/Mono.C...db.dll
windows10-1703-x64
1lib/Mono.C...ks.dll
windows10-1703-x64
1lib/Mono.Cecil.dll
windows10-1703-x64
1lib/Mono.Nat.dll
windows10-1703-x64
1lib/MonoMo...ur.dll
windows10-1703-x64
1lib/MonoMod.Utils.dll
windows10-1703-x64
1lib/Newton...on.dll
windows10-1703-x64
1lib/NitroxClient.dll
windows10-1703-x64
1lib/NitroxClient.pdb
windows10-1703-x64
3lib/Nitrox...ca.dll
windows10-1703-x64
1lib/Nitrox...ca.pdb
windows10-1703-x64
3lib/NitroxModel.pdb
windows10-1703-x64
3lib/NitroxPatcher.pdb
windows10-1703-x64
3lib/NitroxServer.pdb
windows10-1703-x64
3Analysis
-
max time kernel
1201s -
max time network
1598s -
platform
windows10-1703_x64 -
resource
win10-20230703-es -
resource tags
arch:x64arch:x86image:win10-20230703-eslocale:es-esos:windows10-1703-x64systemwindows -
submitted
11-07-2023 13:37
Static task
static1
Behavioral task
behavioral1
Sample
Nitrox_1.7.1.0.zip
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral2
Sample
NitroxLauncher.exe
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral3
Sample
NitroxLauncher.exe.xml
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral4
Sample
NitroxServer-Subnautica.exe
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral5
Sample
NitroxServer-Subnautica.exe.xml
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral6
Sample
lib/0Harmony.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral7
Sample
lib/AssetsTools.NET.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral8
Sample
lib/Autofac.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral9
Sample
lib/BinaryPack.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral10
Sample
lib/DiscordGameSDKWrapper.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral11
Sample
lib/JetBrains.Annotations.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral12
Sample
lib/LZ4.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral13
Sample
lib/LitJSON.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral14
Sample
lib/LiteNetLib.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral15
Sample
lib/Microsoft.Win32.Registry.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral16
Sample
lib/Microsoft.WindowsAPICodePack.Shell.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral17
Sample
lib/Microsoft.WindowsAPICodePack.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral18
Sample
lib/Mono.Cecil.Mdb.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral19
Sample
lib/Mono.Cecil.Pdb.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral20
Sample
lib/Mono.Cecil.Rocks.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral21
Sample
lib/Mono.Cecil.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral22
Sample
lib/Mono.Nat.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral23
Sample
lib/MonoMod.RuntimeDetour.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral24
Sample
lib/MonoMod.Utils.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral25
Sample
lib/Newtonsoft.Json.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral26
Sample
lib/NitroxClient.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral27
Sample
lib/NitroxClient.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral28
Sample
lib/NitroxModel-Subnautica.dll
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral29
Sample
lib/NitroxModel-Subnautica.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral30
Sample
lib/NitroxModel.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral31
Sample
lib/NitroxPatcher.pdb
Resource
win10-20230703-es
windows10-1703-x64
Behavioral task
behavioral32
Sample
lib/NitroxServer.pdb
Resource
win10-20230703-es
windows10-1703-x64
General
-
Target
NitroxServer-Subnautica.exe.xml
-
Size
1011B
-
MD5
5258b3e435706e2d5bf1374853e84d11
-
SHA1
6275d78bfa1995151953593e0c1bff3b1ad05bc4
-
SHA256
29b6339edcb982893d7d94c3e5fe15e3d1af72e45ac0525e31bab7f85a878564
-
SHA512
ba596623d108c0cd7125e8fd0cadd32d017c6ab611bbd8318dff83d09b3f584e04e97f11d3be03fa48a4df424260f646e56e66075791aa9d2cbbf9953c0686ee
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "429708749" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044605" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052535e57bd21a445ab42809e2aee86b40000000002000000000010660000000100002000000017785c124f7713f5fcf3c66ff2da78364a82684f2834905be993c0aa00564486000000000e80000000020000200000008538f7c14c1bd497ad21f43dacad17209bcc374cedba44a05791a114a96ffad5200000002397f4748dd4d96b6e65490878561ce8232de8c4cf15b0de5312e31a3d350733400000003e821e6297a322289f53f78d5181e247610abf63f3fcd5ca3ca8615cd616bc1fbf9a7942d9978521379afebcf2c1ce573f5833b34e3d190d59e6fa79fb8e6c75 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "395896290" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044605" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "429708749" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395847705" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44DFD928-1FF0-11EE-9A94-4691AFEAE949} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d4001afdb3d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "395864299" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044605" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044605" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c8181afdb3d901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "427834053" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "427834053" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052535e57bd21a445ab42809e2aee86b40000000002000000000010660000000100002000000004c3dae6ad5f836b53e697abb764676faa72fb077252b5194e4b859106dea537000000000e8000000002000020000000312c398238b02580fc64d9b3b90c9031aac950fb95ad57845d848ed22a38019e20000000f7aa1370a2ae8d26d8f409f16c096af456d5d81b870bfb42138928626343c876400000004af7f2d76fa04baaaeee55cb125ccad563efc4fd98d24507f740d3b7f0594f2adfc17fae6aaeea0a9b29f4e55280591bba865c462776f7bfc13e9ea66a3fe1c7 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4984 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4984 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4984 iexplore.exe 4984 iexplore.exe 3580 IEXPLORE.EXE 3580 IEXPLORE.EXE 3580 IEXPLORE.EXE 3580 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 432 wrote to memory of 4984 432 MSOXMLED.EXE 70 PID 432 wrote to memory of 4984 432 MSOXMLED.EXE 70 PID 4984 wrote to memory of 3580 4984 iexplore.exe 72 PID 4984 wrote to memory of 3580 4984 iexplore.exe 72 PID 4984 wrote to memory of 3580 4984 iexplore.exe 72
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NitroxServer-Subnautica.exe.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\NitroxServer-Subnautica.exe.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3580
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
18KB
MD5e2749896090665aeb9b29bce1a591a75
SHA159e05283e04c6c0252d2b75d5141ba62d73e9df9
SHA256d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7
SHA512c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5
-
Filesize
610B
MD51eb007181310fdb0139a09600c0e7688
SHA1af874b52c783ef9b2b8733e0ff45af6cd9cd2a8e
SHA256b38e5d662e7807e1a97b6bd0d7415c4adeb704edc53e7c4b295fe62a240d09df
SHA5121634e406b82975ad7933bd0e30a817d759f96dc50b228c7b6e78aab6a8498090c1c6b02aa059e947d68169854c029b9bc5b1fcb0b183721c5e9e1b14c797199e
-
Filesize
610B
MD540c0bb4a4a3b882646b6c19a700c243b
SHA1f221d2b20b58be52f274fcb1e53f327367c0a9a5
SHA25687bc7220dc6c31de1def87ebeda710c9251a79dc218e845915fe748e2c0dd18f
SHA5127332cfce22ef173a640f87bbad16f1da32ba50dd3462989488796ac3b16baeaa26b3777e5935a15d466c6118302c9e31eb59b11a08e5f2161869c4cfa3ba329f