Overview

Score  File                    Platform
7      Static                  static
10     LordsBot-Release.zip    windows10-2004-x64
3      GameAssets...ct.txt     windows10-2004-x64
1      GameAssets...st.txt     windows10-2004-x64
1      GameAssets...ct.txt     windows10-2004-x64
1      GameAssets...er.txt     windows10-2004-x64
1      GameAssets...my.txt     windows10-2004-x64
1      GameAssets/TDHero.txt   windows10-2004-x64
1      GameAssets...st.txt     windows10-2004-x64
1      GameAssets...ge.txt     windows10-2004-x64
1      GameAssets/Table.crc    windows10-2004-x64
3      GameAssets/Talent.txt   windows10-2004-x64
1      GameAssets...Lv.txt     windows10-2004-x64
1      GameAssets...ee.txt     windows10-2004-x64
1      GameAssets/Tech.txt     windows10-2004-x64
1      GameAssets...nd.txt     windows10-2004-x64
1      GameAssets...SP.txt     windows10-2004-x64
1      GameAssets...P2.txt     windows10-2004-x64
1      GameAssets/TechLv.txt   windows10-2004-x64
1      GameAssets...SP.txt     windows10-2004-x64
1      GameAssets...P2.txt     windows10-2004-x64
1      GameAssets...on.txt     windows10-2004-x64
1      GameAssets/TechSP.txt   windows10-2004-x64
1      GameAssets...ee.txt     windows10-2004-x64
1      GameAssets...SP.txt     windows10-2004-x64
1      GameAssets...06.txt     windows10-2004-x64
1      GameAssets...01.txt     windows10-2004-x64
1      InstallNet6.bat         windows10-2004-x64
7      Lords Monitor.exe       windows10-2004-x64
7      LordsMobileBot.exe      windows10-2004-x64
7      MSVCP120.dll            windows10-2004-x64
1      MSVCR120.dll            windows10-2004-x64
1      Updater.exe             windows10-2004-x64
Analysis

Max time kernel: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-es
Submitted: 28-01-2024 04:27
Behavioral tasks

Task          Sample                              Resource
behavioral1   LordsBot-Release.zip                win10v2004-20231215-es
behavioral2   GameAssets/Subscriptioneffect.txt   win10v2004-20231215-es
behavioral3   GameAssets/TDCardCost.txt           win10v2004-20231215-es
behavioral4   GameAssets/TDCardEffect.txt         win10v2004-20231215-es
behavioral5   GameAssets/TDChapter.txt            win10v2004-20231215-es
behavioral6   GameAssets/TDEnemy.txt              win10v2004-20231215-es
behavioral7   GameAssets/TDHero.txt               win10v2004-20231215-es
behavioral8   GameAssets/TDHeroPlaylist.txt       win10v2004-20231215-es
behavioral9   GameAssets/TDStage.txt              win10v2004-20231215-es
behavioral10  GameAssets/Table.crc                win10v2004-20231215-es
behavioral11  GameAssets/Talent.txt               win10v2004-20231215-es
behavioral12  GameAssets/TalentLv.txt             win10v2004-20231222-es
behavioral13  GameAssets/TalentTree.txt           win10v2004-20231222-es
behavioral14  GameAssets/Tech.txt                 win10v2004-20231215-es
behavioral15  GameAssets/TechKind.txt             win10v2004-20231222-es
behavioral16  GameAssets/TechKindSP.txt           win10v2004-20231215-es
behavioral17  GameAssets/TechKindSP2.txt          win10v2004-20231215-es
behavioral18  GameAssets/TechLv.txt               win10v2004-20231215-es
behavioral19  GameAssets/TechLvSP.txt             win10v2004-20231215-es
behavioral20  GameAssets/TechLvSP2.txt            win10v2004-20231215-es
behavioral21  GameAssets/TechRecommendation.txt   win10v2004-20231215-es
behavioral22  GameAssets/TechSP.txt               win10v2004-20231215-es
behavioral23  GameAssets/TechTree.txt             win10v2004-20231215-es
behavioral24  GameAssets/TechTreeSP.txt           win10v2004-20231215-es
behavioral25  GameAssets/TileMapEx_006.txt        win10v2004-20231222-es
behavioral26  GameAssets/TileMapEx_101.txt        win10v2004-20231215-es
behavioral27  InstallNet6.bat                     win10v2004-20231222-es
behavioral28  Lords Monitor.exe                   win10v2004-20231215-es
behavioral29  LordsMobileBot.exe                  win10v2004-20231215-es
behavioral30  MSVCP120.dll                        win10v2004-20231215-es
behavioral31  MSVCR120.dll                        win10v2004-20231215-es
behavioral32  Updater.exe                         win10v2004-20231222-es
General

Target: Lords Monitor.exe

Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation
  Process: Lords Monitor.exe

Loads dropped DLL (2 IoCs)
  PID 652   LordsMobileBot.exe
  PID 4688  LordsMobileBot.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Lords Monitor.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Updater.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Updater.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 4592  Lords Monitor.exe
  PID 4592  Lords Monitor.exe
  PID 652   LordsMobileBot.exe
  PID 652   LordsMobileBot.exe
  PID 4592  Lords Monitor.exe
  PID 4688  LordsMobileBot.exe
  PID 4688  LordsMobileBot.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 4592  Lords Monitor.exe
  Token: SeDebugPrivilege  PID 652   LordsMobileBot.exe
  Token: SeDebugPrivilege  PID 3956  Updater.exe
  Token: SeDebugPrivilege  PID 4688  LordsMobileBot.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4592  Lords Monitor.exe

Suspicious use of SendNotifyMessage (1 IoC)
  PID 4592  Lords Monitor.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 652   LordsMobileBot.exe
  PID 652   LordsMobileBot.exe
  PID 4688  LordsMobileBot.exe
  PID 4688  LordsMobileBot.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  Description                        PID   Process             procid_target
  PID 4592 wrote to memory of 652    4592  Lords Monitor.exe   89
  PID 4592 wrote to memory of 652    4592  Lords Monitor.exe   89
  PID 652 wrote to memory of 3956    652   LordsMobileBot.exe  94
  PID 652 wrote to memory of 3956    652   LordsMobileBot.exe  94
  PID 652 wrote to memory of 3956    652   LordsMobileBot.exe  94
  PID 4592 wrote to memory of 4688   4592  Lords Monitor.exe   96
  PID 4592 wrote to memory of 4688   4592  Lords Monitor.exe   96
  PID 4688 wrote to memory of 232    4688  LordsMobileBot.exe  98
  PID 4688 wrote to memory of 232    4688  LordsMobileBot.exe  98
  PID 4688 wrote to memory of 232    4688  LordsMobileBot.exe  98
Processes

C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe"
  PID: 4592
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
    PID: 652
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Updater.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
      PID: 3956
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
    PID: 4688
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Updater.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
      PID: 232
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads