Overview
overview
3Static
static
3Lethal-Com...om.rar
windows7-x64
3Lethal-Com...om.rar
windows10-2004-x64
3Lethal Com...ne.xml
windows7-x64
1Lethal Com...ne.xml
windows10-2004-x64
1Lethal Com...gs.xml
windows7-x64
1Lethal Com...gs.xml
windows10-2004-x64
1Lethal Com...eb.xml
windows7-x64
1Lethal Com...eb.xml
windows10-2004-x64
1Lethal Com...rowser
windows7-x64
3Lethal Com...rowser
windows10-2004-x64
3Lethal Com...tor.js
windows7-x64
1Lethal Com...tor.js
windows10-2004-x64
1Lethal Com...ne.xml
windows7-x64
1Lethal Com...ne.xml
windows10-2004-x64
1Lethal Com...gs.xml
windows7-x64
1Lethal Com...gs.xml
windows10-2004-x64
1Lethal Com...eb.xml
windows7-x64
1Lethal Com...eb.xml
windows10-2004-x64
1Lethal Com...ap.ini
windows7-x64
1Lethal Com...ap.ini
windows10-2004-x64
1Lethal Com...config
windows7-x64
1Lethal Com...config
windows10-2004-x64
1Lethal Com...ig.xml
windows7-x64
1Lethal Com...ig.xml
windows10-2004-x64
1Lethal Com...in.dll
windows7-x64
1Lethal Com...in.dll
windows10-2004-x64
1Lethal Com...ix.ini
windows7-x64
1Lethal Com...ix.ini
windows10-2004-x64
1Lethal Com...ix.url
windows7-x64
1Lethal Com...ix.url
windows10-2004-x64
1Lethal Com...64.dll
windows7-x64
1Lethal Com...64.dll
windows10-2004-x64
1Analysis
-
max time kernel
577s -
max time network
618s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
26-11-2023 16:38
Static task
static1
Behavioral task
behavioral1
Sample
Lethal-Company-SteamRIP.com.rar
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral2
Sample
Lethal-Company-SteamRIP.com.rar
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/machine.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral4
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/machine.xml
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/settings.xml
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral6
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/settings.xml
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/web.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral8
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.0/web.xml
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/Browsers/Compat.browser
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral10
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/Browsers/Compat.browser
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/DefaultWsdlHelpGenerator.js
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral12
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/DefaultWsdlHelpGenerator.js
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/machine.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral14
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/machine.xml
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/settings.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral16
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/settings.xml
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/web.xml
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral18
Sample
Lethal Company/MonoBleedingEdge/etc/mono/4.5/web.xml
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Lethal Company/MonoBleedingEdge/etc/mono/browscap.ini
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral20
Sample
Lethal Company/MonoBleedingEdge/etc/mono/browscap.ini
Resource
win10v2004-20231025-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Lethal Company/MonoBleedingEdge/etc/mono/config
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral22
Sample
Lethal Company/MonoBleedingEdge/etc/mono/config
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Lethal Company/MonoBleedingEdge/etc/mono/mconfig/config.xml
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral24
Sample
Lethal Company/MonoBleedingEdge/etc/mono/mconfig/config.xml
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Lethal Company/NVUnityPlugin.dll
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral26
Sample
Lethal Company/NVUnityPlugin.dll
Resource
win10v2004-20231023-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Lethal Company/OnlineFix.ini
Resource
win7-20231020-en
windows7-x64
Behavioral task
behavioral28
Sample
Lethal Company/OnlineFix.ini
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Lethal Company/OnlineFix.url
Resource
win7-20231023-en
windows7-x64
Behavioral task
behavioral30
Sample
Lethal Company/OnlineFix.url
Resource
win10v2004-20231020-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Lethal Company/OnlineFix64.dll
Resource
win7-20231025-en
windows7-x64
Behavioral task
behavioral32
Sample
Lethal Company/OnlineFix64.dll
Resource
win10v2004-20231020-en
windows10-2004-x64
General
-
Target
Lethal Company/MonoBleedingEdge/etc/mono/4.5/settings.xml
-
Size
2KB
-
MD5
ba17ade8a8e3ee221377534c8136f617
-
SHA1
8e17e2aec423a8e6fb43e8cbe6215040217bb8a3
-
SHA256
ce1db1ad8a9512073164e3eccdc193f7eda036e1a9733caec4635de21b2865c8
-
SHA512
c18bcbcbd4b9a20a72b1a934d70db1eafef047f34f3ba2c6357d8e3afed07ecaab861e5571ceb58c22d4d3e5ebb34b51e366a0553c3153fbc263d1d80472e297
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000b0bd125520472e5bd4858b32b0c6a276f796c038d8c5f7a3cf40b3d2dee6faea000000000e8000000002000020000000378e5dec1918989efa1488126a69020dad20e5b264299ed445f8a6e9aecd39ab20000000d9c6582d3d69557a0eb6888501bfb90b74d283a1b0a3878b0fcfc09cc4b0372440000000b1fa33ddd046f208e0ef30b31b1c943d276157445ff1ff4b3a21ef5e8afe3cd840ea9325d9832190dafe44f1a3e6b192529ea69f2fa874ff9b23f7847087c7a4 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508cf0f48720da01 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000ebf6cfc386a3a039a99b76ffc07333f28f4b9b24c94fe9856c288e526e70a547000000000e8000000002000020000000bb867d364adaa30f0f4f87b411f62d269a1be0bdeacde35ac21d83f52e1f82d09000000027178005a575209702030b08e93233cab6402d64b87017f05cd1319dadd63a09b22b6806b0f85007852ec40399c9bd76103e06037413ee853701578da6b5ab598603c60d974591fb6850e53831e1fa9017d04a1a094b50f045030a3247989bed4a8309721bd756df4deb0228318ddf52fb2346670b48272dfa50000a28c5286b5b5ecdcb5fd1105748659d1545212fae40000000c444845c90447e77ba136e349f20e6846c7367c5f0a94d67eed9253ad8308edccd08fbe9ee994aa655d71b9740d1d4971e83bf234b8d7c00b0fdaedf9cc77930 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{201C2EC1-8C7B-11EE-BA08-6A9D9D199239} = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407178984" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2748 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2748 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2748 IEXPLORE.EXE 2748 IEXPLORE.EXE 2740 IEXPLORE.EXE 2740 IEXPLORE.EXE 2740 IEXPLORE.EXE 2740 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2616 wrote to memory of 2648 2616 MSOXMLED.EXE 30 PID 2616 wrote to memory of 2648 2616 MSOXMLED.EXE 30 PID 2616 wrote to memory of 2648 2616 MSOXMLED.EXE 30 PID 2616 wrote to memory of 2648 2616 MSOXMLED.EXE 30 PID 2648 wrote to memory of 2748 2648 iexplore.exe 31 PID 2648 wrote to memory of 2748 2648 iexplore.exe 31 PID 2648 wrote to memory of 2748 2648 iexplore.exe 31 PID 2648 wrote to memory of 2748 2648 iexplore.exe 31 PID 2748 wrote to memory of 2740 2748 IEXPLORE.EXE 32 PID 2748 wrote to memory of 2740 2748 IEXPLORE.EXE 32 PID 2748 wrote to memory of 2740 2748 IEXPLORE.EXE 32 PID 2748 wrote to memory of 2740 2748 IEXPLORE.EXE 32
Processes
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lethal Company\MonoBleedingEdge\etc\mono\4.5\settings.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome2⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e0ba5a5a77ac1d3cac0ce2410329b2a0
SHA1dd027a96a41064e50a94ce4c13ffde5eabf58921
SHA256096f756d3e5413669d0cd0344de5fade2d85b3211d9cadd2306e7d68d3ff5dbb
SHA512464a520a729545695913451b1d0ab99187b8d9086f30ad0f7e530963f4294ed8dd65596588ad2ed5cdca1eee6d97922163953f2b73f27d1672c923b8b409c833
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf