d49877b56eae195a92a251b8a2323f9271c5d1258c8671d26e03ee44425c0478

Analysis

max time kernel
600s
max time network
467s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft Note Block Studio.exe
Size

15.2MB
MD5

f59330f3e9be9f9b700a387d73b4bd20
SHA1

f426bc953200341d073cf836ff806756f9315035
SHA256

766cc85b942faa30fdad76ced3b0ef1af2b09edd74eab09c6384db6f3bd7bdab
SHA512

373d2773d9e64ffa8e88f3bd9a4b5ec661856c99ef8f1421c38c548baee1348cbe4057128e6457790156820830fb358792a78bda6a07e465009d3afb676a3092
SSDEEP

98304:ZmHeNU7b4PIPMIkaF0JnyxCzCmqz2o5Dq76ZjF/CCMSeCiCDD+k2mChBcCGVjF:ZmHeskA08FfXmqzd8yVPUmJ

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft Note Block Studio.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\DefaultIcon	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Minecraft Note Block Studio.exe"	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\shell\open\command	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\shell	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Minecraft Note Block Studio.exe"	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\ = "URL:Run game 848873736702132246 protocol"	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\URL Protocol	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1974522869-4251526421-3305193628-1000_Classes\discord-848873736702132246\shell\open	Minecraft Note Block Studio.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4752	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	Minecraft Note Block Studio.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2640	Minecraft Note Block Studio.exe
2640	Minecraft Note Block Studio.exe
2640	Minecraft Note Block Studio.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4764	2640	Minecraft Note Block Studio.exe	81
PID 2640 wrote to memory of 4764	2640	Minecraft Note Block Studio.exe	81
PID 2640 wrote to memory of 4764	2640	Minecraft Note Block Studio.exe	81

C:\Users\Admin\AppData\Local\Temp\Minecraft Note Block Studio.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Note Block Studio.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Data\wallpaper.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Data\Wallpaper.jpg

Filesize
71KB

MD5
6d7960a52b61551fed5ae46fc1f475aa

SHA1
68424a542d1d8b2ba26486753c9fa63d733172eb

SHA256
9fcc5fc179dc359ce73e4ba4b7730a5ce57fb6575ad9b26171970812de25c5db

SHA512
61a65528964576ea79e9f75b2e39d7562c0f4bf730b605fe6cd67fed41ffae40abe2ece54e277ed3346dff951d59902d5fe4329374e11f813dd571ffaf3c94d9

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
1KB

MD5
469c5f98677a71dfc5f2e853416d2c7b

SHA1
410a6d254a0108e2b2bb66c43a9367b41605f770

SHA256
35fcb0a3a0489ca58b5cdeab711ac326221e9203d57026830bb19764ec9b0973

SHA512
6a3bd56c542bfc1063c134c9744b254c43cc33f08df73e6fe37f1293f5517b1bc5525735d32d4211205498e819fcafeab7e526f973cbaefd6793f84e9b14525b

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
376B

MD5
b230552ef1205c3f7a6326eb52f7d2df

SHA1
7b51201b3f74ab9d0740c4864a889202480f0181

SHA256
e713a393ea12565b07e0ae571190cbc66efc0ec50c0a9ffffeddd2bb3a749d67

SHA512
bbd7b18e6322b7a7d31f9cff331a2018b1859759154260deddfc4aed395846c092d9c60a39d5d6e450b44ea4affc7b5a5cd752a261bc37fb51b23fb2e14380b5

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
20293631f946b38d6316e43c20018806

SHA1
da0fad081326e46f38ba3ebd06230bd732c39b29

SHA256
6af24c9eba53acd5f788f6dc30260699c74384292965198ca052fa635bdb6216

SHA512
b3959fb02dcecef4ffcc6cfde07c50a1a92591b84369eef1875c8a2788d8bace15e68ea00c616529297a0ca7d678e8280541b8f251a24236e3a507f8eaca15d1

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
8f2c30a9a7162dcbc3b9e32b005f4682

SHA1
4e3b2320acf608fef790bda4a85e3121d5e29320

SHA256
3bddabea2fff3fb5ce3d08174754da272948064bd6b10eb90f5ba073e06f286c

SHA512
af31a5987eeae388f11803987b9b28ae9dd5deee0628975ac50778ca98d9126b130e6dce3c8d98250527aa3e04e56fb2d2fe43622c6438a5b1ea3c2f0cb6a55e

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
c5e18211761f24311cc25f65b830083a

SHA1
d0316b71bc6bd0e148699cbefd4dbdab713fe642

SHA256
adb803501baa0cd9ad0967848c8e317431302684c642feb7c080bbf5e76d8c14

SHA512
dbf7fa2a3b8f11bbc337e959a2f6b72a58307272a19a9648dacb2fbc12ee6bca40593e121ca2992152ffcf991464a0b09107b7450621fc9bef401366712055cc

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
40f136e5a2dae69806280d4da1ff941e

SHA1
99a71e5232bd60adab30671c999d9befeb0afc52

SHA256
02804d9113393815c384e1cd32b2e1b9335207627a9406991eabc372265f1653

SHA512
908b7e73b6c28234578bdbda00a8af436e5875b37ddefd92a9d48a6339c476d0614774ff5d150f95555ad9d85e6dab7c70ff851a946db73251cde014f72d72cc

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
49a46c036929edc3be16b6c2563f1a4d

SHA1
c4174a8a85b95d431813235e813a224386b049bb

SHA256
3c243be755091e4c2f8162be62821e79a4950965d747ca982b98e1073b8d073b

SHA512
c26716bf74b7819ce0b86d153c351dd939a9234249517e060f7278f6586ddcf44cdb52446038e4c6ec73b5436cdd746877424f35dd2b114b0a8f0a0884acc0dc

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
c00f2eda7f9b4e069219cee57575fb8a

SHA1
33f4f0dc75eff08e63b96fbbf57b6a7adcc252c8

SHA256
f6d1ab80a13a5698e306e9863b906b4bf69299bdc619d1032d9fbfa7501b13a0

SHA512
32ebeb857b993b837bd8d74b909f30a9aaed0964d24beb1f35b5c0269506f75001bf0a775005603ab48c9bef8a71f1e87e864bb2e6c24d00a6b25dc582ed3198

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
4KB

MD5
c3cb9da6b2cc3a83de8a435f68a6504b

SHA1
fd5a1b3654f5638d69dcda55ce585f0ff0058216

SHA256
64d72797ea5f187edf41418164be9dc35054050fe6a227195818ecb25a3cf89b

SHA512
b00d49a386e3c93f4efe2ad44ed81cc504657f797a93dc55f5a8bc598211b45f88d71efa87ebb30fb6e9a3ba2e83cf0c8980e0d1496fc852a4bda8d6a1b44601

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
835B

MD5
c9134e4446648e03c512bb7ba89af06d

SHA1
87f9bf71159227abcb69ebca4f75c05498cd54aa

SHA256
fae3eaeec908b10768e45268db2627acab5d4ecd92782c7b38e3150fd5939ebc

SHA512
1a6a190fa8510f74a6503f59514726734c3c6c82bca7c71cc7be5e23536d659b90eb420464367c76304efcb50291256892cdd02c494459454c50c2b97939eb25

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
991B

MD5
8fc75b3db378a9cf6a18b835373cd206

SHA1
95f45505aa5fae1c06920a8597352801c1964ca7

SHA256
b5421fc66904f4c904be3379b5c6f0a845661a2f64b195f6132e35183ffd0d4c

SHA512
0549df9711883c33260efac7906a3005ced10bb2356510b7246d11fe5a9233a7f5ee6352d75309d1e1e6bdd989bdc39e9fdd98fbc241e044c4e479bd3c8e1cfc

Download Submit
memory/2640-388-0x0000000008730000-0x0000000008740000-memory.dmp

Filesize
64KB

Download
memory/2640-389-0x000000006F9DE000-0x000000006F9DF000-memory.dmp

Filesize
4KB

Download
memory/2640-390-0x00000000159E0000-0x00000000159EA000-memory.dmp

Filesize
40KB

Download
memory/2640-391-0x0000000073010000-0x000000007301A000-memory.dmp

Filesize
40KB

Download
memory/2640-403-0x0000000008730000-0x0000000008740000-memory.dmp

Filesize
64KB

Download
memory/2640-404-0x000000006F9DE000-0x000000006F9DF000-memory.dmp

Filesize
4KB

Download