d49877b56eae195a92a251b8a2323f9271c5d1258c8671d26e03ee44425c0478

Analysis

max time kernel
600s
max time network
436s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
01-08-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NBS Player Mode.bat
Size

50B
MD5

ace21ce50bdcd4b2ffe45af6244779f6
SHA1

f32315a989adcc7e4dd588a23f4b3bcf74f714e6
SHA256

059abac1515316c2be0dc776b2e9820f45bab91618d766b6a0c1afe40ebeba00
SHA512

5862636cd418d16ffca5132c7727c9697dce04c8ffa0f50c891e5b36b121533a0e481a97a04eadae0f8ce2879b1d84046338fa225e00d9379dbd3a09d15a2d5e

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft Note Block Studio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Minecraft Note Block Studio.exe"	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\shell\open	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Minecraft Note Block Studio.exe"	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\ = "URL:Run game 848873736702132246 protocol"	Minecraft Note Block Studio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\URL Protocol	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\DefaultIcon	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\shell\open\command	Minecraft Note Block Studio.exe
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\discord-848873736702132246\shell	Minecraft Note Block Studio.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3652	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	Minecraft Note Block Studio.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2640	Minecraft Note Block Studio.exe
2640	Minecraft Note Block Studio.exe
2640	Minecraft Note Block Studio.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2640	2172	cmd.exe	79
PID 2172 wrote to memory of 2640	2172	cmd.exe	79
PID 2172 wrote to memory of 2640	2172	cmd.exe	79
PID 2640 wrote to memory of 3572	2640	Minecraft Note Block Studio.exe	81
PID 2640 wrote to memory of 3572	2640	Minecraft Note Block Studio.exe	81
PID 2640 wrote to memory of 3572	2640	Minecraft Note Block Studio.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NBS Player Mode.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\Minecraft Note Block Studio.exe
  "Minecraft Note Block Studio.exe" -player
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Data\wallpaper.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Data\Wallpaper.jpg

Filesize
71KB

MD5
6d7960a52b61551fed5ae46fc1f475aa

SHA1
68424a542d1d8b2ba26486753c9fa63d733172eb

SHA256
9fcc5fc179dc359ce73e4ba4b7730a5ce57fb6575ad9b26171970812de25c5db

SHA512
61a65528964576ea79e9f75b2e39d7562c0f4bf730b605fe6cd67fed41ffae40abe2ece54e277ed3346dff951d59902d5fe4329374e11f813dd571ffaf3c94d9

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
376B

MD5
e01838d32b2a974f27027e8e0d969483

SHA1
34b5ea7c75e15b40a3b86722dd11f046196da89e

SHA256
98c42771190d59733f5da9e9ff81d1e0e266d798a9cbcaa70974d135aa836c26

SHA512
8fb9af0c10a02c01f6e4e2fcee6277b4c0e07d9f9955202cb47286f2d01301d883884d6db191283eb1a6b9e7f97fee958d34acc0220086b3fa2b8d2cae9166ef

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
d56b234be3d1377aa88ec4fe900263c9

SHA1
bd6bbf4767c2c82674d0b4c824e0f52a9d76b8dd

SHA256
075f1eb9984aa2d82ea71014af053cff3bf45b276e62e83f79cca124e3632c59

SHA512
cc9bc7a529c6b2b27199f1cf5bb31c1f665a96ceb413d73e17dccbfdd37cf73255f970aaf3d78d9cceba0967253f32c26b0a1f4b5f828522d503a219964c04e7

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
eeb22382b95eb98c8626ab88c11dd43a

SHA1
431c2579467bc86e3834c9ef330152f675dcf233

SHA256
3ce9e5b83021e68791b426193780c0ff21c60085637e7b315d8ae936ae7a9230

SHA512
da4b6c759a1905b232a465e0f19f771fe605d5bde0f92bcbd1ee349de089e6621d3e9b350d570531dbcc82ced521b3e7b718540d3b57bf8e5fa589a87fc4e866

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
2KB

MD5
09d788da720609906868892e2888ef0d

SHA1
8c41095f33a1c3df4f184e82187ecb25d7806f1b

SHA256
24052f6f63f79b26c64386c77c150a4f33013bbf5568bc84dfcadac7f13e22f8

SHA512
bc5e16b34f4973090bc740c1c2eb8db699c2b72066b36aa53205e8b5fe05cf6d8c715b6984cc8fbc66fd356a18d7e6a1a7c7609186d227f86903042095fbcfc3

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
898797ea94535d02ab47b6a3547b3ca4

SHA1
5a15f4a7e67ab3559024f35f70e760dd588695fc

SHA256
075c609c040a9376584d6dff7b27ab204e92c469d497176b104006ac06f1623d

SHA512
71b03512f91337c40f655ef6f8d9c15c35b1af5e27518002bfb3e567425485a8809dc4dbbeada28a329cb9d4ea2a8771e04bb6360d257e22b7d2662efd77ca58

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
b85ec96af782e5847391ac612d63c0ee

SHA1
6ccb0982c9dda1e9a8362da4ad1671452c1de4ad

SHA256
194e294fc158ed779179fc424429c04960c05d29e520391b1fd5219a1104498c

SHA512
d6ed89e702c910b99fcbce9d22160ed4ee23cc5e7bb7601266c9e4ca6462f5302a6772f0cd9c58b081bae80c1da7bc8b0c76d27512eb7da9a5fe7e5519336add

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
fb8efee7fac08441f311e8dbeac0dad8

SHA1
6ed7eb81eeca3fb13a39387cb0e91f2e35097737

SHA256
0c140348c2cf7898f9dee6001a26ac40cc8fa4a518ba7e90cce63f7ea943f151

SHA512
f97516dabf3ac7d0c04c690472208775559990e34d85fcd6e88977bb047561cdaa6825fc5061c284f799473dea35f016eb21a996b37c4792f22b28692a7d9389

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
3KB

MD5
2bafcbeb1f28a1cb2e673f4efad8293b

SHA1
0a9e627a2f8315d89a639f4eba2ca4eb124bf757

SHA256
d7a7fddd28d42bd45248cb865255ccde6881605d0b939064ff6db89043733557

SHA512
a6f2714e84b05e60a4486ee099d31577c8170c66bd1cdff246faa9c5b78d8c0522619dd6502a6e69c53530ea439f84bb9ffe24d5ffcccb5fd9645782749fcbe8

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
4KB

MD5
e53e4c7919ab4662578f961fec0e42a3

SHA1
d7ec3545a42423eea7ba476305ce60b7a9206207

SHA256
be3b19b39d4978aee67097df0bbc6403542b695f9ada17975a0d50ba942e1fa8

SHA512
df14fc34b04d8415aa4d32f12c513f275e25737d0f8d1531b7ea59a36e1171ac663e8853535db653b6bcb5e6daeb90f41d8f4d0a53f2f94c3ef71521e58b2e89

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
901B

MD5
857a11931b106e9952b61ea92fd666a1

SHA1
1ccc338492b3b87b84a62431e41e4e5979de1436

SHA256
724dd0787a8bd6340a5217f7244fa48e585eb6faf883098d8f6736261f22a2b1

SHA512
9ab48f7d98c8c042e56e0067aeda0a7927b440d4c5715538f58ad1c7e310b294a38a33a4d4c0a9242e4decaa2b0da2f1c613f15d4a01d2acdc30b0a9ec53d396

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
1KB

MD5
42104344c6d1f42b682525f98ba2b2a2

SHA1
6718d26dd65860494048ce6614582b49edf2efde

SHA256
e381e00c74687824193b70d00677f0f76afda305ef86b0ecb702b88c58e9a36f

SHA512
20b7295c2ecc353c85461d96e6c5ee3b0948f6c53cb5c60bc67cc8645ca5db05abe4d5dd599ec33da6b71148ca1f0f9bd1d581bcbf356dcb25bf64fbac12c2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Minecraft_Note_Block_Studio\log.txt

Filesize
1KB

MD5
7db6b04936422e7b3347d87cea0d99e2

SHA1
37eaf23b235cd149cc5da8a1ea9eda6c173a3a2d

SHA256
2efb53a665ea84b30998fae34cd781ee3504a563d5ddbec337d6d3b3cefe9767

SHA512
baa995a0d9008ab76d039438ba1055d185963b36b3bfc12ee4d549037fce8a8093be81bc2c0c74fdf2b12e08c6673a8a25d2e66ee40d1115915edb81797f5405

Download Submit
memory/2640-388-0x0000000008990000-0x00000000089A0000-memory.dmp

Filesize
64KB

Download
memory/2640-389-0x0000000014ED0000-0x0000000014EDA000-memory.dmp

Filesize
40KB

Download
memory/2640-390-0x0000000072810000-0x000000007281A000-memory.dmp

Filesize
40KB

Download
memory/2640-402-0x0000000008990000-0x00000000089A0000-memory.dmp

Filesize
64KB

Download