8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

General

Target

CristalixLauncher-3.0.145.exe
Size

4.3MB
MD5

25b608146d97e46e5cb8d5d4a77440c5
SHA1

ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab
SHA256

8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9
SHA512

3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805fd0ded845d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "355590012"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000e1c480d18e6c5d01426c15fcd304cd5dbafe8e4709b715514760fa1c6d964dd9000000000e800000000200002000000096c67cce64734029d8aa332c88da3dbae330f5bff8730025afc0df4b7faeb86920010000c03d4e6a837f13ef59f7adbc626a513e0f5dc02f05376841e3f98d9e1168b356e155306c48b7616fc11472f1cf9b5416b332d1fe609c7225b468252e1507da9bdb2055e5ead65c44531b5d3ffa758d3a28c5035f33806490db4507aaefccb41b4173430581e552b5f12f5c68828966f3107a4ce9187627ca42a67db8ebe09f346c38b9f4fdf609a06ce7bf2a1ca6b781c9844c5c6adae65b1c7b4feb3020accbc901b34ff45a6a62d4102fc7b396f649e51a0ce1031832f8f496aaa3294c9a7c9992428583dced864d97a9359ccd5d4e6f6bb0552d5df420d5a9482d8d19dcfbeaafc5c9f4613d9a1c4fac598955d7d607232d627f9dd4a7bdf80aaf89323622a4fa1b620c2b98a06426ef4f56b125a9b5114597771f8e860c572eaebc9e11e340000000cfd9e6333d65d9246714fddeb779e49c359a39e4c66108b702e4af84bd947a96b094fefa34ff9cc9256f94f7f635078793e73b9b4b3c32d555317eca408c71cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c0000000002000000000010660000000100002000000095c14c2771b6beb8e5e978746c18c1193560d4544dc71ec9e9b6e7557a6c38fd000000000e8000000002000020000000e2c0deb10ced064bae3a63dfdf0d7d24d9c10784e02541bc955b6de30893d72220000000cf55d3a4cf2e3b4938389342e0abf39b94bdc227e1d03a8ea50cc90743e55fda4000000081ddfdd21fc8d13a4154bb20a179fffbfd2270a67eb8635843c2fa406cae06fe974c66025ac09a2ee055f692d9351ddf1ce1b4d2d795e8fbbca2d13a6874c08f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03EE2C21-B1CC-11EC-BBCA-FAC00B121194} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "266"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2004 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2004 iexplore.exe
2004 iexplore.exe
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE

pid	process
2004	iexplore.exe

pid	process
2004	iexplore.exe
2004	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

CristalixLauncher-3.0.145.exeiexplore.exe

description	pid	process	target process
PID 1988 wrote to memory of 2004	1988	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1988 wrote to memory of 2004	1988	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1988 wrote to memory of 2004	1988	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 1988 wrote to memory of 2004	1988	CristalixLauncher-3.0.145.exe	iexplore.exe
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 1700	2004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://java.com/download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7bcda47c29edd9b9b395f849efe98d00

SHA1
b63335f57b8efca772302f2c7892eea33e648472

SHA256
08c25bbc458de3046a1508e24dec4e1a264c5f2b996cef03b14c94b36aface1a

SHA512
7f42731010c7232ffbd90b16d615f6556a6a4146f9b4ce031888913add83c8aab68ab19037a901933533d9203f54b834c02e61c12b6b44fda78230a25e9843a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b1rou5u\imagestore.dat
Filesize
5KB

MD5
15ebdd980d0896de3da6858eb652293f

SHA1
4cd25ebbefe88b2b7c2beb6fadd42ebf95486e52

SHA256
08e82493c41ac4ba98f9179a894aa3ed071a4519631f4e9a5d1539f97cbd9ae0

SHA512
ef85aed119000f509713b09d7338061efab92a0becabbbdeab383557d3bdd3c2c06b58eb558adf37ab0d60da6ce391edcb6beba61157c161b149c2be9dc81892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WDR4ZJ02.txt
Filesize
608B

MD5
fa43e640be219eb4698b274680bd1cc2

SHA1
2d29e8006c8374d678cda6f1b2a061437951d580

SHA256
a8649ef76352c1fdd58accb374aebdb33c1e97881d79359e33ce8a682641d9de

SHA512
b7ae61d939879bafbdece5666f5d326978bb1094315e2a1123706d96259b85caabe2ef0041d2b505c00ded896482987e4981fd9b9ef064e8f70b035131641334

Download Submit
memory/1988-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing