Overview
overview
7Static
static
3MasterModz...CK.dll
windows7-x64
1MasterModz...CK.dll
windows10-2004-x64
1MasterModz...dz.exe
windows7-x64
3MasterModz...dz.exe
windows10-2004-x64
7MasterModz...et.dll
windows7-x64
1MasterModz...et.dll
windows10-2004-x64
1MasterModz...n1.exe
windows7-x64
3MasterModz...n1.exe
windows10-2004-x64
7Analysis
-
max time kernel
2s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 21:41
Static task
static1
Behavioral task
behavioral1
Sample
MasterModz27/MSWINSCK.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MasterModz27/MSWINSCK.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
MasterModz27/MasterModz.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
MasterModz27/MasterModz.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
MasterModz27/packet.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
MasterModz27/packet.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
MasterModz27/vietclan1.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
MasterModz27/vietclan1.exe
Resource
win10v2004-20240508-en
General
-
Target
MasterModz27/vietclan1.exe
-
Size
999KB
-
MD5
74875414286f38026ba797089abcc4f1
-
SHA1
77455ecc3f3e1db1249bdc214c254196ecec0120
-
SHA256
0ff2fecd3d8db67aba33704e7a6cbc92ccf8381ca04616dc6078427428f28d92
-
SHA512
1b25b62423acbdc9159c4475b9bbd2528d39392dde4473a6cfc9ab59132349499aee07b7abc0cf4d9e6d61f213888799bc034987e66d212b1a5fee43fb765b3b
-
SSDEEP
24576:1tviYFCFAbEj390uf8oC/mgkrNEaEEmcuRAo80PE:P5IACdf+jaVfJ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation RunDll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" RunDll32.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "140" RunDll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" RunDll32.exe Key deleted \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage RunDll32.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomStorageState RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" RunDll32.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1" RunDll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 8eed776303ccda01 RunDll32.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "4318" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SoftwareFallback = "0" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0" RunDll32.exe Key deleted \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs RunDll32.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\BrowserEmulation RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" RunDll32.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry RunDll32.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643453880997745" RunDll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4388 RunDll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1484 vietclan1.exe 1484 vietclan1.exe 1484 vietclan1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1484 wrote to memory of 4388 1484 vietclan1.exe 81 PID 1484 wrote to memory of 4388 1484 vietclan1.exe 81 PID 1484 wrote to memory of 4388 1484 vietclan1.exe 81 PID 4388 wrote to memory of 5016 4388 RunDll32.exe 85 PID 4388 wrote to memory of 5016 4388 RunDll32.exe 85 PID 4388 wrote to memory of 5016 4388 RunDll32.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\MasterModz27\vietclan1.exe"C:\Users\Admin\AppData\Local\Temp\MasterModz27\vietclan1.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\RunDll32.exeRunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 43512⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList3⤵PID:5016
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:4351 WinX:0 WinY:0 IEFrame:000000003⤵PID:4820
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5dfeabde84792228093a5a270352395b6
SHA1e41258c9576721025926326f76063c2305586f76
SHA25677b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075
SHA512e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd
-
Filesize
11KB
MD59234071287e637f85d721463c488704c
SHA1cca09b1e0fba38ba29d3972ed8dcecefdef8c152
SHA25665cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
SHA51287d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384
-
Filesize
4KB
MD5d65ec06f21c379c87040b83cc1abac6b
SHA1208d0a0bb775661758394be7e4afb18357e46c8b
SHA256a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA5128a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e
-
Filesize
1KB
MD57e81a79f38695e467a49ee41dd24146d
SHA1035e110c36bf3072525b05394f73d1ba54d0d316
SHA256a705d1e0916a79b0d6e60c41a9ce301ed95b3fc00e927f940ab27061c208a536
SHA51253c5f2f2b9ad8b555f9ae6644941cf2016108e803ea6ab2c7418e31e66874dea5a2bc04be0fa9766e7206617879520e730e9e3e0de136bae886c2e786082d622
-
Filesize
130B
MD5941682911c20b2dabecb20476f91c98a
SHA10b0becf019cb15e75cdfa23bf0d4cb976f109baa
SHA2563fef99e07b0455f88a5bb59e83329d0bfcebe078d907985d0abf70be26b9b89a
SHA512a12f5caf5fd39cf2ae600e4378b9296d07787a83ae76bc410b89182a2f8e3202c4ca80d811d548193dff439541de9447f9fa141ebfd771e7ab7a6053cb4af2b3