Overview (score 10)
Score  File                       Platform
10     LordsBot-Release.zip       windows10-2004-x64
1      GameAssets...ct.txt        windows10-2004-x64
1      GameAssets...st.txt        windows10-2004-x64
1      GameAssets...ct.txt        windows10-2004-x64
1      GameAssets...er.txt        windows10-2004-x64
1      GameAssets...my.txt        windows10-2004-x64
1      GameAssets/TDHero.txt      windows10-2004-x64
1      GameAssets...st.txt        windows10-2004-x64
1      GameAssets...ge.txt        windows10-2004-x64
1      GameAssets/Table.crc       windows10-2004-x64
3      GameAssets/Talent.txt      windows10-2004-x64
1      GameAssets...Lv.txt        windows10-2004-x64
1      GameAssets...ee.txt        windows10-2004-x64
1      GameAssets/Tech.txt        windows10-2004-x64
1      GameAssets...nd.txt        windows10-2004-x64
1      GameAssets...SP.txt        windows10-2004-x64
1      GameAssets...P2.txt        windows10-2004-x64
1      GameAssets/TechLv.txt      windows10-2004-x64
1      GameAssets...SP.txt        windows10-2004-x64
1      GameAssets...P2.txt        windows10-2004-x64
1      GameAssets...on.txt        windows10-2004-x64
1      GameAssets/TechSP.txt      windows10-2004-x64
1      GameAssets...ee.txt        windows10-2004-x64
1      GameAssets...SP.txt        windows10-2004-x64
1      GameAssets...06.txt        windows10-2004-x64
1      GameAssets...01.txt        windows10-2004-x64
1      InstallNet6.bat            windows10-2004-x64
7      Lords Monitor.exe          windows10-2004-x64
7      LordsMobileBot.exe         windows10-2004-x64
7      MSVCP120.dll               windows10-2004-x64
1      MSVCR120.dll               windows10-2004-x64
1      Updater.exe                windows10-2004-x64
Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-es
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 28-01-2024 04:27
Behavioral tasks

Task          Sample                               Resource
behavioral1   LordsBot-Release.zip                 win10v2004-20231215-es
behavioral2   GameAssets/Subscriptioneffect.txt    win10v2004-20231215-es
behavioral3   GameAssets/TDCardCost.txt            win10v2004-20231215-es
behavioral4   GameAssets/TDCardEffect.txt          win10v2004-20231215-es
behavioral5   GameAssets/TDChapter.txt             win10v2004-20231215-es
behavioral6   GameAssets/TDEnemy.txt               win10v2004-20231215-es
behavioral7   GameAssets/TDHero.txt                win10v2004-20231215-es
behavioral8   GameAssets/TDHeroPlaylist.txt        win10v2004-20231215-es
behavioral9   GameAssets/TDStage.txt               win10v2004-20231215-es
behavioral10  GameAssets/Table.crc                 win10v2004-20231215-es
behavioral11  GameAssets/Talent.txt                win10v2004-20231215-es
behavioral12  GameAssets/TalentLv.txt              win10v2004-20231222-es
behavioral13  GameAssets/TalentTree.txt            win10v2004-20231222-es
behavioral14  GameAssets/Tech.txt                  win10v2004-20231215-es
behavioral15  GameAssets/TechKind.txt              win10v2004-20231222-es
behavioral16  GameAssets/TechKindSP.txt            win10v2004-20231215-es
behavioral17  GameAssets/TechKindSP2.txt           win10v2004-20231215-es
behavioral18  GameAssets/TechLv.txt                win10v2004-20231215-es
behavioral19  GameAssets/TechLvSP.txt              win10v2004-20231215-es
behavioral20  GameAssets/TechLvSP2.txt             win10v2004-20231215-es
behavioral21  GameAssets/TechRecommendation.txt    win10v2004-20231215-es
behavioral22  GameAssets/TechSP.txt                win10v2004-20231215-es
behavioral23  GameAssets/TechTree.txt              win10v2004-20231215-es
behavioral24  GameAssets/TechTreeSP.txt            win10v2004-20231215-es
behavioral25  GameAssets/TileMapEx_006.txt         win10v2004-20231222-es
behavioral26  GameAssets/TileMapEx_101.txt         win10v2004-20231215-es
behavioral27  InstallNet6.bat                      win10v2004-20231222-es
behavioral28  Lords Monitor.exe                    win10v2004-20231215-es
behavioral29  LordsMobileBot.exe                   win10v2004-20231215-es
behavioral30  MSVCP120.dll                         win10v2004-20231215-es
behavioral31  MSVCR120.dll                         win10v2004-20231215-es
behavioral32  Updater.exe                          win10v2004-20231222-es
General
Target: Lords Monitor.exe
Size: 417KB
MD5: 4a114995273b5a478cb5d1f4bfedb12d
SHA1: d859974e863c6d8d325b24424790dd720051044f
SHA256: 80e57b1c5e90505dfab81291a9db92331649ecb8bb13dd026e70ac164711335e
SHA512: 5378f14e0132ba08857e29a1fb72d0007fd1e569e2157737f1ff42fe8e1ad6b8c752d40b9fbebd7adf4878acdf052931b4363b81d44882f401b5cc08967b6e69
SSDEEP: 3072:IVFe9Lh3pudG/GUnpaIvVm1fMF3pudG/GUnpaIvVm1fM+3pudG/GUnpKI9Vm1fMx:IMLh51ZQiF51ZQi+51LQiJT
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | Lords Monitor.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  652 | LordsMobileBot.exe
  4688 | LordsMobileBot.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid | process):
  4592 | Lords Monitor.exe
  4592 | Lords Monitor.exe
  652 | LordsMobileBot.exe
  652 | LordsMobileBot.exe
  4592 | Lords Monitor.exe
  4688 | LordsMobileBot.exe
  4688 | LordsMobileBot.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4592 | Lords Monitor.exe
  Token: SeDebugPrivilege | 652 | LordsMobileBot.exe
  Token: SeDebugPrivilege | 3956 | Updater.exe
  Token: SeDebugPrivilege | 4688 | LordsMobileBot.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid | process):
  4592 | Lords Monitor.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid | process):
  4592 | Lords Monitor.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid | process):
  652 | LordsMobileBot.exe
  652 | LordsMobileBot.exe
  4688 | LordsMobileBot.exe
  4688 | LordsMobileBot.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
  PID 4592 wrote to memory of 652 | 4592 | Lords Monitor.exe | LordsMobileBot.exe
  PID 4592 wrote to memory of 652 | 4592 | Lords Monitor.exe | LordsMobileBot.exe
  PID 652 wrote to memory of 3956 | 652 | LordsMobileBot.exe | Updater.exe
  PID 652 wrote to memory of 3956 | 652 | LordsMobileBot.exe | Updater.exe
  PID 652 wrote to memory of 3956 | 652 | LordsMobileBot.exe | Updater.exe
  PID 4592 wrote to memory of 4688 | 4592 | Lords Monitor.exe | LordsMobileBot.exe
  PID 4592 wrote to memory of 4688 | 4592 | Lords Monitor.exe | LordsMobileBot.exe
  PID 4688 wrote to memory of 232 | 4688 | LordsMobileBot.exe | Updater.exe
  PID 4688 wrote to memory of 232 | 4688 | LordsMobileBot.exe | Updater.exe
  PID 4688 wrote to memory of 232 | 4688 | LordsMobileBot.exe | Updater.exe
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe"
   PID: 4592
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
      PID: 652
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Updater.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
         PID: 3956
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
      PID: 4688
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Updater.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
         PID: 232
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 1KB
MD5: df27a876383bd81dfbcb457a9fa9f09d
SHA1: 1bbc4ab95c89d02ec1d217f0255205787999164e
SHA256: 8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc
SHA512: fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

File 2
Filesize: 4.3MB
MD5: 21184c4444b13c67546c7acf7f6ad8e3
SHA1: 806fb111900a0ec8bee1f658c6828b9e005f1111
SHA256: 14f61c269509eb27083883d5e8edcf9ed14f3b62cfbfb69f4f7434d64a7fa924
SHA512: 9c55f71051f7c83d8644c7eaf500a5ea887aa75886480fcb607e3540f482afde0cc11396e3c2be936bd6418ce76a752132391c97b2620927a9a694eee99380eb

File 3
Filesize: 617KB
MD5: dd69620ce2469f9d184a0963b49640f4
SHA1: c24901f99d69c95b8931bfee8c56950dc54eef5f
SHA256: 074a4620b90ea5f91822b61d3f5fc4d446093f994e13e2b8d82f013db091b4e7
SHA512: 13455cd1ee525fabe53d80243b2d65cdbc89fa5d8846c9317fc27b03dba2d09655c8c5fcba7a6ac5d789a6c214573c51f69b1c250adcc16d41a5ac040e40c6a5

File 4
Filesize: 1KB
MD5: a718311ed71ac3ff0a176092cadf1805
SHA1: 46fb4f68bf06abcef5c765561297bd85e21f821e
SHA256: 76b2d3852874363a03a9a06510581661bb8b45762ec81a6296643b91980f4acd
SHA512: 2e3bda5fd7c83a41359ac20892981b8bf1db7565a4b215e533cb08e27e9a83a485b0f980ae357e356186d8ece33dd9e946d1ddf42d2f98f47c9c8d073d3d32b5

File 5
Filesize: 2KB
MD5: 77a059894f5b443e282cf65b0b881ead
SHA1: a31d9501ac2afb90fbb1fea2a469a5b75fcaba74
SHA256: 31ba4b8f8dd7022d03fbd02fc17dd23294276302ca93dc7983f09ac0294fb97a
SHA512: e79b80722e15101d1b1372f296a27177ca9b1f86bded897fa395e99acfa13c72ad977c7b0be9cc0148f8a06e1859e40de2ea0b75b088f9bd8e57a25b02d4986a

File 6
Filesize: 116B
MD5: 84450fcda18ac067ccc498cd72da4a63
SHA1: aee3e00c313f39919090b1eaa182b9cb68d9a79a
SHA256: c3c6a0da9c71636db20136f70a5ce99df8ac78d57c68ad8ff8362204ddcd17df
SHA512: fb3c2ac20b28ad10c9e55271abc206d9997ca12cc46e71c4bfeacdf68d8a1d752efdc554ac91dd50c1e0a79dff78744cf2f1869b5108661b7b60c8f5bcd432da