c8ed4ce42d2f0ccc51b3e9f8f2a329d3e4f71350c80a70c786dc9eea8a7d18c5

Analysis

max time kernel
583s
max time network
620s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lethal Company/MonoBleedingEdge/etc/mono/4.5/web.xml
Size

18KB
MD5

5075af18fe1d2b5f9555d5cc68029814
SHA1

56c4c47501664bc3bcd54be505cc3d9f7d0761f5
SHA256

c4cbddd4fd9347b58cc5a72b36dc4ba1ad2bb699e65869d05cd3fb9865f0d824
SHA512

dfe8ed72b013e67c3cf0622cfe7d14ffde97a4d7132ca6690db5cf2d347f3535b475119b01984923ff6c3f39b8865f857c67ed465c3b0358e2fd06bb0dae0909
SSDEEP

384:lJJuAr8F1mJ1ayCk5+H75YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbEJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10046aee8720da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd50000000002000000000010660000000100002000000015a8cdefff055128f340b29b0e3159557169f2545087c981959e816afecdb8cf000000000e80000000020000200000000fdd6916278b7d9b51bc358b722d8c215d1d44de1553f002232a3db2ed50297f90000000af326dc4846a120308d15aac25a2b9638a2774ac5bd4613dcac730969195bd44cd5e18d381eef7d74442d81fbae3dfe9512c55ab099a0b6061b290bf46f33c2badf5ea4d877607b7d301a53242663a2e17bb0879e448c0ce25e3da73df30c647988bba81012b50802a9fd6987f7bae1e95ec0c2a867ddbe55b6ea67c38b9d5e07a87183505f28a5156b1bb2bf012480940000000032271ba2b4d90b2783149b44728152aad182fc00aea79591950451cbe5b92b80802e08b5b90382d57a2f7bf958994fca710be1955e92eb39a7bbe0c9e03cd22	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407178950"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{196157E1-8C7B-11EE-96D2-D6971570E9FA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd50000000002000000000010660000000100002000000087cd83b7de33ccf15ae149b20cf47c79288cb7b9c8d18a1d481d1d4ea0b56479000000000e80000000020000200000005ea7f5f1c5d4543b41771954ca32dc20e3a5cbda238b1e4898626f6513693c0f200000008da58298b0db13cee5c6d876b22e582d6d8732fd487555209bce60dbee6e9deb40000000f8c026c7a0db6250c729b83c11799a2b0bba63d53ce5c451be9a96afb5b8ed162b3f49c5c956fd9c8441ef316afdf464e6b1cd51a8466b5a5ce785a8d87f6526	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1284	1112	MSOXMLED.EXE	28
PID 1112 wrote to memory of 1284	1112	MSOXMLED.EXE	28
PID 1112 wrote to memory of 1284	1112	MSOXMLED.EXE	28
PID 1112 wrote to memory of 1284	1112	MSOXMLED.EXE	28
PID 1284 wrote to memory of 2704	1284	iexplore.exe	29
PID 1284 wrote to memory of 2704	1284	iexplore.exe	29
PID 1284 wrote to memory of 2704	1284	iexplore.exe	29
PID 1284 wrote to memory of 2704	1284	iexplore.exe	29
PID 2704 wrote to memory of 2728	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2728	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2728	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2728	2704	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lethal Company\MonoBleedingEdge\etc\mono\4.5\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dffde2febb58bfa8c3764250a3a62c03

SHA1
77382bf7f2621414f9607c206f869c6a4879449a

SHA256
77d0db6a83a79a127d4559f8b7e47b9cd0496e4e1da7611edaa9c428474e100f

SHA512
831659cc0a80eb7d8d6293e65a0d19e6e457dd3fd5c004511fcdaef288c9885e1a42b704904e50793dde1651326d1364c2ff8cc0e653e48a475e7d22382243f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fd67b5c51423484b81d8d1419679880

SHA1
5361341dd19b2cb7b549a1629cda86fdaff62eac

SHA256
e144633d31b185b4786fcc4f21de2051b8717dae285042de1b7369dfa887a653

SHA512
dc63bc41c9c033716b075e24e5c21ac305a5db484fd7f937f2d8d5abeebfbae460d4f77b05f993aadb30a97b6c177808be082737c4dad4bfe5c8f4f405339a8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8519a03146b15d0bf756ee4b59ce69a2

SHA1
1f68d3c227d631f8da988043efe3dca6fd40fed5

SHA256
45177ecb74baed2d11c6b455d3c85ff99f829c01373b853010da7ed5d0ee8119

SHA512
91db466336e450f9c51c0ec523131a0f378d36d13361ba09eb24fd49a2d3ad1f96880f244b4b8db61e9762c549393c4297f3787b769210177b3a846653917ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79d153f1a3d3b76fa750d2135535a566

SHA1
af9ae3d0507441080c9f1f93f2f813242ab68a8a

SHA256
2065badfad360bab82143fa41a05e3f8773c79dd3b4ee7bf0e763903972ca365

SHA512
1947f36fc4ace6d11dbb553483772cf086169fab07ddbc10a734022fd866fc77050d5cfa7729817b7edfd083b458620d78d243c93743f09d396a5a0251ad5163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
705ea259c7b03c219be4fbf69e9d1af5

SHA1
4eb9de0778439e8c50e3007dd59ff6121a5833e9

SHA256
6600a498875d3589f00dbbf8464d853b2f3a6244e73af733c47975cd1810c807

SHA512
219429703499bf39c4badd5303620de745f85a92bba925130aa8e1991f0e8975e60addfe33ee4c313c65635c40abe8dcb306d16321ce7a4a0fad79c13bdefff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b953597cbef63d1644751accd27d9e70

SHA1
db889a323a151438bb38eb68a6a29a5570823103

SHA256
fdefb3e1d0b87c6f30a0105113f79354406b27e3e123e0152e66d92d0ad9a364

SHA512
e1eb323ca2543e1afd2c86134b9ff0c7f26c519a9bec037414592e39e1be412c59f4b58f03ceaabc8975281bf58835bc602826ffc40a4d6967e5ab85504a437c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72e53327b49cd1bcbce0f09471bed596

SHA1
cf9ce55f9d290649500025c707db04a50b60b482

SHA256
74530919a8f002df673b5ef61f43a45a66f94ff459418755f923919bb22969fa

SHA512
3468ab50b1c26e6dfe7f2bc63d6ba2c50099cece84bfe400036be5cb3dc0a1343fe3642a2a7788303377175944cc8e7617a8b8bb24a0ea51755abb8c9da2f9c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4f46498af279dc6fbfb396c3d3e4fc0

SHA1
0d0d4a4d62d89176ac24af66cae8304a8b18edc6

SHA256
27ddc3f7d7fe6c04ef498b819c97670d29191d8b6bacc88f1307bc5a83fa43a9

SHA512
ca00b98107b2e14917929dd58d17dafb73627644e51b35be60a8ae7000983af7ac5c47b3564caebb576572a17614811975d6d8b8e4ea86950f9ff6aa43fe0dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f15366191a603da4845362ba073835c2

SHA1
190edd594b5c68840001b776d4e1a0427c2a454f

SHA256
91a8a18068e425fd99794132c211541e7d053e9303d7f23a5da0a0ff4bba3853

SHA512
cf0183318512e5ad7e421a4c8288fddec838616cd3f9f55dee9fa2e5b023b0c9e05cb31b77795cafcf6164a278a12111c41afa949ceb367527e74c2838d1ac69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ebc3892fc3cc5caef900603b6b6a5cf

SHA1
7efc2ef642ea8a76caffbd3f364a92d34a00c799

SHA256
848b63b81aee352e1a93fb926e480ae6905c4342df5559fbb1406e59e95cef28

SHA512
bd53c550d611a7720b1e1a37c2dc1535895f3c857a37621457a022160e24b8b41f8c40cda2d3af28f977065b4c32d9f0da9a4f86bf2ae16229664657560f50dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e916c30e9382154d0d84f991d89d2dd

SHA1
4694a10c207c55dcc4175f6a937c2f52adb1759d

SHA256
e16ba87bc2c1526471bf25ff8284d51d4c9b45393a8b786173c4792e5b840e8a

SHA512
f45a07bf2bcff6cb517a048704de2889be7a280a6d22befd8225f4cf5c0c2535596eb29288a690483221d82c14994970e9817212a0867e20191e917e81adaa38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce2a435297ab4079f2f04228642030fd

SHA1
5a06a3e4dbe076d062fa996f8c6dca01ab3308ab

SHA256
383454f3f3c5f1f180b7d60b33c0841c71d3a850dd7f4e25fbf1e8cd010550c7

SHA512
62c4643c7b5b0b876fc4743c3bc7c32b32cf912cf3fc7cc87f025e4040867afb091975075be7d89bfbefd2e707ff3a43133b1ea594b9600a6cb0b3febbd9ab6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE2A5.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE2C7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit