6c4c636ca68edd549a5363e304952b1f280fc5a8db585eb9cd508d8123732f30

General

Target

ipchanger/Tibia MULTI-ip changer.exe
Size

670KB
MD5

8fcdd21204741520303cecfdc682b07a
SHA1

377cf064e94c9fed35533b93f9a8ad5295da3093
SHA256

9b91731987dc0fc29e8a7162c75d290dee41e64881cfe023eecb59c6575b523c
SHA512

8ad5c175e3bd6450432b498c23df820fdb8e4ea02ecd7e669ccf032822cd0ba8c81ef875e51621af80b5fc22bced9dcde0c3dc1118fc6946f7432bf905cac546
SSDEEP

12288:WczJJhqrVPaUm8xAivTWU71T9b/KiGGgZgpgz+QtLUXhmIUSSz3QhX/Qb/5sbvj2:WczJqVSUm8WiLWUBTNKSt2zttsmIDhYd

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Tibia MULTI-ip changer.exe

Executes dropped EXE 4 IoCs

pid	Process
1540	server_et.exe
1844	patch2.exe
3088	changer.exe
4924	mservice32_t.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\UpdateT = "C:\\Users\\Admin\\AppData\\Roaming\\mservice32_t.exe"	mservice32_t.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update	mservice32_t.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3088	changer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1540	4664	Tibia MULTI-ip changer.exe	92
PID 4664 wrote to memory of 1540	4664	Tibia MULTI-ip changer.exe	92
PID 4664 wrote to memory of 1540	4664	Tibia MULTI-ip changer.exe	92
PID 4664 wrote to memory of 1844	4664	Tibia MULTI-ip changer.exe	91
PID 4664 wrote to memory of 1844	4664	Tibia MULTI-ip changer.exe	91
PID 4664 wrote to memory of 1844	4664	Tibia MULTI-ip changer.exe	91
PID 4664 wrote to memory of 3088	4664	Tibia MULTI-ip changer.exe	94
PID 4664 wrote to memory of 3088	4664	Tibia MULTI-ip changer.exe	94
PID 4664 wrote to memory of 3088	4664	Tibia MULTI-ip changer.exe	94
PID 1540 wrote to memory of 4924	1540	server_et.exe	93
PID 1540 wrote to memory of 4924	1540	server_et.exe	93
PID 1540 wrote to memory of 4924	1540	server_et.exe	93

C:\Users\Admin\AppData\Local\Temp\ipchanger\Tibia MULTI-ip changer.exe
"C:\Users\Admin\AppData\Local\Temp\ipchanger\Tibia MULTI-ip changer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\patch2.exe
  "C:\Users\Admin\AppData\Local\Temp\patch2.exe"
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\server_et.exe
  "C:\Users\Admin\AppData\Local\Temp\server_et.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Roaming\mservice32_t.exe
    "C:\Users\Admin\AppData\Roaming\mservice32_t.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4924
- C:\Users\Admin\AppData\Local\Temp\changer.exe
  "C:\Users\Admin\AppData\Local\Temp\changer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Language\English.lang

Filesize
2KB

MD5
63d8d7d597bc262644d9147bd4983e32

SHA1
18d08e1b59af89b02a94f668b7102d9851178410

SHA256
32cb2a88ab9d41d10575932947bdf8d7980ba1f3c7c9518f9a6167fceb49d7bf

SHA512
9cb69feb0ad2d773115df65da61a467b2e89fbe390121a785567bb85459c965a191cfc75b077c32424109e315dba5c6ef3606356885c6abae0b67cf53421c1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\changer.exe

Filesize
92KB

MD5
811102638a9f4b08ddded2a72f5c9966

SHA1
af411dd43173776461388942033a2952f694c205

SHA256
1cf77d22eb135186f6558d58bb0f2cf50af8b57a9db6f727a2aeae2d2f1fe8de

SHA512
f8877e48042aee004d8a2b0e72fd77afbe67e77435111455b0aa29ee14ee44cfca1bec257cb1bc6ba2ed8f186829bbace188266b0033c0ba66f4ca5ead2c7b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch2.exe

Filesize
995KB

MD5
972c3e6ac723963ebbb18ec833ddde74

SHA1
e628d6f40ce4f8f59f4e634eb41b5912a179f89d

SHA256
97f8eff31b84792b9e61200c36063de55cb6a97bfa1316abc845f7134cdb46c6

SHA512
dc4e912ee41c4b0ee991a55d7fec028a6d7c0366e8b81a2c0cf13864a961c941df1eb6c3bb892535975fc68e2aea8b837d55dddb8e9534feaab128b68b6adf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch2.exe

Filesize
381KB

MD5
89f05a60eb6b2129b497ab9b9ed81de9

SHA1
c51347465a0b1bd76aa51300975dfafd62cda118

SHA256
274cc6760855a2b7a2fb14fc16775a0fe8a5569fde8c94136db5101cba075faf

SHA512
732b163ce19ec1dda12f5958aaa4d82c9ab05a260ec205659f9770ca52f4972c8ec439f2b9cd9dc7e25d21b31411a1e3927766f5f0e2966e5ac53c036ba96cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch2.exe

Filesize
92KB

MD5
7ba621d02a7187e40a963fe91cf356ae

SHA1
20fcd8d70a3f26331cb00999417cf00d98aee69e

SHA256
fe11d281ef1be1a04dbb285713e3e1aae9e0dd355ae0b2f9628cf3d05ca0727d

SHA512
8b69276a1bc402e85052a554e563f76534b667a49cb540f1a9a6b07eb367cc083e35ae1a02aa48c64d022a988a02c3b4f4d50487949eaf397ccd02a0d96a9ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_et.exe

Filesize
434KB

MD5
3f3706b29643416b0ee909b73a3508c0

SHA1
c30dc47f34c0309b41652f4e05a72cf2b7483472

SHA256
34b01578044d4cb8454176b5b916cf77503de18687201d94c171e01c5a256774

SHA512
2c65970c95f4d058fd50b5c64f0ac236c45ac5d5340f0ffe39c24c7c0a6629220806a9c21d76db0912f04465ae1ecd27fe24275a9388a083d4ddd3ccac60240f

Download Submit
memory/1540-45-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1844-33-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1844-46-0x0000000009120000-0x0000000009225000-memory.dmp

Filesize
1.0MB

Download
memory/4924-52-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4924-53-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads