5d23bb56ae025619efa102acbaf07801ceb76f457ca12edd3cbc89151e4339d0

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
submitted
28-01-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lords Monitor.exe

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	Lords Monitor.exe

Loads dropped DLL 2 IoCs

pid	Process
652	LordsMobileBot.exe
4688	LordsMobileBot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lords Monitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4592	Lords Monitor.exe
4592	Lords Monitor.exe
652	LordsMobileBot.exe
652	LordsMobileBot.exe
4592	Lords Monitor.exe
4688	LordsMobileBot.exe
4688	LordsMobileBot.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	Lords Monitor.exe
Token: SeDebugPrivilege	652	LordsMobileBot.exe
Token: SeDebugPrivilege	3956	Updater.exe
Token: SeDebugPrivilege	4688	LordsMobileBot.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4592	Lords Monitor.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4592	Lords Monitor.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
652	LordsMobileBot.exe
652	LordsMobileBot.exe
4688	LordsMobileBot.exe
4688	LordsMobileBot.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 652	4592	Lords Monitor.exe	89
PID 4592 wrote to memory of 652	4592	Lords Monitor.exe	89
PID 652 wrote to memory of 3956	652	LordsMobileBot.exe	94
PID 652 wrote to memory of 3956	652	LordsMobileBot.exe	94
PID 652 wrote to memory of 3956	652	LordsMobileBot.exe	94
PID 4592 wrote to memory of 4688	4592	Lords Monitor.exe	96
PID 4592 wrote to memory of 4688	4592	Lords Monitor.exe	96
PID 4688 wrote to memory of 232	4688	LordsMobileBot.exe	98
PID 4688 wrote to memory of 232	4688	LordsMobileBot.exe	98
PID 4688 wrote to memory of 232	4688	LordsMobileBot.exe	98

C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe
"C:\Users\Admin\AppData\Local\Temp\Lords Monitor.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
  "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe
  "C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Updater.exe" --no-diag
    3⤵
    - System Location Discovery: System Language Discovery
    PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updater.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Temp\DN40B6560D6598ABA0\HVMRun64.dll

Filesize
4.3MB

MD5
21184c4444b13c67546c7acf7f6ad8e3

SHA1
806fb111900a0ec8bee1f658c6828b9e005f1111

SHA256
14f61c269509eb27083883d5e8edcf9ed14f3b62cfbfb69f4f7434d64a7fa924

SHA512
9c55f71051f7c83d8644c7eaf500a5ea887aa75886480fcb607e3540f482afde0cc11396e3c2be936bd6418ce76a752132391c97b2620927a9a694eee99380eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LordsMobileBot.dll.config

Filesize
1KB

MD5
a718311ed71ac3ff0a176092cadf1805

SHA1
46fb4f68bf06abcef5c765561297bd85e21f821e

SHA256
76b2d3852874363a03a9a06510581661bb8b45762ec81a6296643b91980f4acd

SHA512
2e3bda5fd7c83a41359ac20892981b8bf1db7565a4b215e533cb08e27e9a83a485b0f980ae357e356186d8ece33dd9e946d1ddf42d2f98f47c9c8d073d3d32b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\appSettings.json

Filesize
2KB

MD5
77a059894f5b443e282cf65b0b881ead

SHA1
a31d9501ac2afb90fbb1fea2a469a5b75fcaba74

SHA256
31ba4b8f8dd7022d03fbd02fc17dd23294276302ca93dc7983f09ac0294fb97a

SHA512
e79b80722e15101d1b1372f296a27177ca9b1f86bded897fa395e99acfa13c72ad977c7b0be9cc0148f8a06e1859e40de2ea0b75b088f9bd8e57a25b02d4986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lm_settings.ini

Filesize
116B

MD5
84450fcda18ac067ccc498cd72da4a63

SHA1
aee3e00c313f39919090b1eaa182b9cb68d9a79a

SHA256
c3c6a0da9c71636db20136f70a5ce99df8ac78d57c68ad8ff8362204ddcd17df

SHA512
fb3c2ac20b28ad10c9e55271abc206d9997ca12cc46e71c4bfeacdf68d8a1d752efdc554ac91dd50c1e0a79dff78744cf2f1869b5108661b7b60c8f5bcd432da

Download Submit
memory/232-126-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/232-125-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/652-112-0x00007FF9982C0000-0x00007FF9987BE000-memory.dmp

Filesize
5.0MB

Download
memory/652-49-0x00007FF9982C0000-0x00007FF9987BE000-memory.dmp

Filesize
5.0MB

Download
memory/652-19-0x00007FF9982C0000-0x00007FF9987BE000-memory.dmp

Filesize
5.0MB

Download
memory/652-24-0x00007FF997720000-0x00007FF997882000-memory.dmp

Filesize
1.4MB

Download
memory/3956-36-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/3956-31-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/3956-30-0x0000000000A30000-0x0000000000A7A000-memory.dmp

Filesize
296KB

Download
memory/3956-32-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/4592-12-0x0000000008920000-0x0000000008A22000-memory.dmp

Filesize
1.0MB

Download
memory/4592-43-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4592-44-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4592-1-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4592-8-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4592-113-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4592-5-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4592-4-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4592-3-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/4592-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-0-0x00000000006A0000-0x000000000070A000-memory.dmp

Filesize
424KB

Download
memory/4688-114-0x00007FF999630000-0x00007FF999B2E000-memory.dmp

Filesize
5.0MB

Download
memory/4688-117-0x00007FF9AAB40000-0x00007FF9AACA2000-memory.dmp

Filesize
1.4MB

Download