89be8c17cbf9828f894f06fc3f4ddbd25d1cf3550f2c5c935e9bebe3ebf0803a

Analysis

max time kernel
29s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monolith.exe
Size

5.4MB
MD5

c0c6e14bd080a07e5238dd0bb652b0a1
SHA1

6739859d91396eb0ced14751ed6da0d61489ce95
SHA256

89be8c17cbf9828f894f06fc3f4ddbd25d1cf3550f2c5c935e9bebe3ebf0803a
SHA512

3ca3c6e7f29d68f5fe48538fd1d8a14370b6f94a3ed31e788a4063b52bd215832fb3832493386fc911a1bd3fac0cfb46e06c1868ce9dd9355a11d1f7c38a8124
SSDEEP

98304:HJctIzNdABJheyNIqyN4Uydz1lwTt0Jw59eINgF109GVjZjNRBE9Vd:CG5dg7IYUsz8TtqyeE64GVjxN8

Score

7^/10

discovery vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2084-10-0x000000013F620000-0x000000013FFC6000-memory.dmp	vmprotect
behavioral1/memory/2084-9-0x000000013F620000-0x000000013FFC6000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
19	discord.com
16	discord.com
17	discord.com
18	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44E1CDE1-689A-11EF-9BF6-6AE4CEDF004B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe
2084	Monolith.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2064	iexplore.exe
2064	iexplore.exe
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2064	2084	Monolith.exe	31
PID 2084 wrote to memory of 2064	2084	Monolith.exe	31
PID 2084 wrote to memory of 2064	2084	Monolith.exe	31
PID 2064 wrote to memory of 2664	2064	iexplore.exe	32
PID 2064 wrote to memory of 2664	2064	iexplore.exe	32
PID 2064 wrote to memory of 2664	2064	iexplore.exe	32
PID 2064 wrote to memory of 2664	2064	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\Monolith.exe
"C:\Users\Admin\AppData\Local\Temp\Monolith.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/ZCvjwefWyr
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7222079d89318b299e240fdb307f7bf1

SHA1
c5b7aa1ccc03ce3117f13ed51c84f9e319634165

SHA256
5b1bf15bd2c94ff05a33f048431a2d8953ad7e8f4b5efafe0668872cbe46e710

SHA512
9f99e3932a63c8403fda952f55ce0f68d967f5e5a291760d4ede5218561a5f87e677902affc8fb0623a9fbb5086689fe4e858538471d8c9ef03ada0cc01e78fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8cd6ae4f5dc65d77f0fd811d72ecca5

SHA1
705e3f42b4bab20977338816a18c71c99903f661

SHA256
caa9d5fed3c851ed5d268d7552fb7082e18c8b95b6909fd968544a770f306fed

SHA512
66eff90aef06274aef36cf9ea0c1250662182f2c73b29e68c023381d27f2ef55f08ca57f8ad221679702cb761b7a0cc3467a8c45c3f27935fd7995f86eee8525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f5e4440eb45d7a5219fb300266a8d8e

SHA1
6f05b040f1cfe858d9aeca4488a3dea4d1e8e6dd

SHA256
f1c9e460b2bca127bf311c756fa159e6e3db0d78ae15ee08e5208e5fae9993d8

SHA512
169430f86b90881babbf965dc144db6febb9fa71ff0c3c46d848eec242e563b53ecd2ef6c6e86af2015277196c3c090f05cdd0de84866767b9489ae4925cb8a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20d9cde2ac0a368a8c5bd28b57ce30d3

SHA1
699b206bac9d6e6e5cba0f635c3e5a0d3a7a70d8

SHA256
c4db6f3129fbf8ee4d7b5b856d3bbd83ca9bf89b310aeeb696afaf615cf587f1

SHA512
7d8dbb1dd39a9cbb4fc9647f9b21b520edc3b911c953f94a2152b59e9bb025b3b035d4346bf805522df6c868cf8ff6a2b7af554e834f87bf38a5ed3f3e7179ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeebf8c0ae9d4767f27f67d86a94b3e6

SHA1
88f097abfcd5495204f44dc4957db26ff00642db

SHA256
d0fd27cd1a42b1786215b5532094aec31d09e703bbd406ea876b712d36525f11

SHA512
5dad2e9123605895cbbf99f88ac2a019b4594d6a32f780c8ef719be81cb719819d9425bd17bc6b0fe91394c46ab8f755892c202970f798cca8395354cf242e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
030b2aafe21f5c1a5dcd312690b91edf

SHA1
101f5f25666db7d34e7c96d87afaa92d076665e5

SHA256
b723207b21a0db12750ebb0277ed4e3a6008e5e9af83f191e70549640f727722

SHA512
4d085cae0c2f94714f76b57ac306780633af72ce2ff2e611b8220c2ec26f0d989123a82e079f8deee5321655eb97c115cc139817386389d6e619cf1d3b41a678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08f66d9c7e9835a18610897a2999cf75

SHA1
6b45664b1d19f6432b7066a947234f5c3bf75752

SHA256
55e1df866f4c682720dd664f3807fd3749945d8186c77a57595df6c1c4b4b087

SHA512
cb748006c72a87b588cf6459b70de93aa2a9aca8193fa67fa483498b722ab804e79404854fdbac8646d26b477d8bcc35938b11bdaa1ce647f538f0f1a1d1dab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f2536fd873bb88a8731794f9a068425

SHA1
b9a8145894915eaaa14c3c3101edb212cd1fbfcb

SHA256
39b02dcf26f7bfba0bac9383d0007d7d687b9892a074835030cd705821786fc5

SHA512
a48f6c4f63a7858768f628d98690a2cc89d21977a8a0838edd6c129e8641e2655ddc4cf04a4fbf1e0c86f5c2329a26527cb0813b61f93a922a080bd616d86b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
753ee0da147f867d3f6b6bfc8ddcc59e

SHA1
60905e1a1e7d5914f55eaae4d5ff11843e09708c

SHA256
1fd4b7d0e80813f0cd76d79224b7e560fc250b7c5b06db3d008ebc46e4951ad0

SHA512
fffb40a5171d2c4a397aadbcaebf217f0bfd483363ad77bd8350b70db60c494248635908dbc34bf7b97c1e6f8b7b7770b51b3c3bdd9c8c8a4dd5284cf445b064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d78be05d072be4c5d7868b4eb6081e2

SHA1
884d51f4e3b76cb7722cdc11d4080eeee3dff5e6

SHA256
e70c9f53180cdbec3f545b38581bfaf9675a6edc8d060898e77a804e98b4a0f1

SHA512
64cacc2bdb0094ac5cfe9e17ac3445eddb18871463f513a83dfac36afe9c611e000a6142bd18bccb5ab2bcf5de4c3d9f61215025dcdaac7b27a95e9e457646ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b90d8128329f522c501db7205620c66

SHA1
e7f2977bcf5c5e57eca759750244af23c0359bca

SHA256
9b30df585118de69c10462b67a242199cb5c2a8cff117595752e4bc18a4c16b7

SHA512
7c63dc4b0d36d5d78230fc5cb36e020eb6e6027dfa0a6c7a423a0895a43f18b79db50966d75294cca5be0276876822c878019956210ea9c77d271f0d3085e83d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1a0e28b24d70d9369d38ab7f2fc60e5

SHA1
85c9275d2b1a6f3173caca16340be2f31db206a6

SHA256
9f63570bf9c8f6fe20ed3e9f2fee455f78f1e8b0760cdeaaf4a9ca94a1f3f699

SHA512
5e8b8cafdec5f0fea3521ad9c299b14eeadb0eaf753591fdba1dac0a405ca3556caff34a98d283e7755da8e40f52835bd471dd356eb9b51719a7c2e1633b3f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
24KB

MD5
6b7c426b3729dd5ca97c97cba8f2bb96

SHA1
019498e84ad73b0314ce88fcc293d79265eec6be

SHA256
dcb5700d21e8178a554926875cbd91dec9a1d6a5f6f9b0c8a657d480e212d7b0

SHA512
68fd0de1d59c721812b7835c0ee5283c9d4843a282c85312ce96a981b3f79825d72587789dc89d9bb7f9b1da13b7bfc503118ef28b1e9f4953a7f8d177fb7e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab83C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2084-126-0x000000013F709000-0x000000013FA66000-memory.dmp

Filesize
3.4MB

Download
memory/2084-6-0x000000013F709000-0x000000013FA66000-memory.dmp

Filesize
3.4MB

Download
memory/2084-9-0x000000013F620000-0x000000013FFC6000-memory.dmp

Filesize
9.6MB

Download
memory/2084-10-0x000000013F620000-0x000000013FFC6000-memory.dmp

Filesize
9.6MB

Download
memory/2084-0-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2084-2-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2084-4-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download