f32bfcf53e2f11c5651fe5d4124d9dce1cb071fa7e5fc0b20fa6885a8de34af7

Analysis

max time kernel
98s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Game Manager/x64/dimitryGobbedNouveau/gothishDulledTrilit/moothJuha.xml
Size

22KB
MD5

96a2f9b4bf01b9b91a10b9414241c2c6
SHA1

c1910d4988af5b392d852974d769abba977f52e5
SHA256

6c61f8ec4d791e76e1534445521e5108ca26f645906ae9ba75fdf70b536c3459
SHA512

46342491c8d29bb5f0c505c928460b382b721000c1038a5f46a6d8dfef67685a3fcb2ea2e3d424614ce29a1711cdfd1b6d9110926207c1f22150e0b3c71612d3
SSDEEP

384:7xgALATjR5AGXGyAEQABwxY5nLjPvK4gs2LdN7zOm8Xr0Y1YzVi:tgHjwxovNI1qTIVi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009439cb76925f3b4bb27f58e16bdb18ec00000000020000000000106600000001000020000000ed63378dc0dd2de320c3465925863da24d21cf8a18fe3b41352661f3301edf9d000000000e80000000020000200000002d721587fcb37ba1dc56e67ea2a335333caa7b6dd4caeb96c6a789b41eac53c5900000007846688db4169b6ce70db1492201caed2de9545dc17b0e772ce0b7d4e9584de23a93f2171bb178bcd8f96b278cac43347b296c27dc82b8130abebca6c72a59f2b9f154316944af5df4e2c280a5fc15d5ec8e9b5c5e986f5ee12ca09b6510ec5bc7dbde4c1c2f940014464d3a7c3ed184d7e4a5f5b83ec5c0a3245a56ab97d3334b62a4e46cbea2e0cd57da4070067cd6400000007cb65481b5fe2d811dca2617e66fee8d5fc54cb6eeb4dbf81de0401681c6f5329a8c64752e43b8471bb4d30c47680f83538afe570b50b4e7fea0938b0b7eeea2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a07903c5dc92d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392205426"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED2E3821-FECF-11ED-981D-FAEC88B9DA95} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009439cb76925f3b4bb27f58e16bdb18ec000000000200000000001066000000010000200000006421080a6a4701296a9cd9adc915d2e6d65c8f2759e2ad71ad71df3ab0c833ed000000000e8000000002000020000000f756b12bd90138da8975a448498b81b353db1909a75eeae45c7815f18738c41520000000157e7b857b7ca2e2dae3b216c8b2471fec1a5fc3500ff76553b6f7dc0ecd5e294000000089252be943b8d0c3669ce71fd8f840ba52ff55eb2768d473d7365df020c98754e78f46f4f7cc70bdb7fbe091d36c365dec9d1bde3d18392ea021161f8dd6c97f	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

672 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

672 IEXPLORE.EXE
672 IEXPLORE.EXE
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE

pid	process
672	IEXPLORE.EXE

pid	process
672	IEXPLORE.EXE
672	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1976 wrote to memory of 1428	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 1428	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 1428	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 1428	1976	MSOXMLED.EXE	iexplore.exe
PID 1428 wrote to memory of 672	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 672	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 672	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 672	1428	iexplore.exe	IEXPLORE.EXE
PID 672 wrote to memory of 1844	672	IEXPLORE.EXE	IEXPLORE.EXE
PID 672 wrote to memory of 1844	672	IEXPLORE.EXE	IEXPLORE.EXE
PID 672 wrote to memory of 1844	672	IEXPLORE.EXE	IEXPLORE.EXE
PID 672 wrote to memory of 1844	672	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Roblox Game Manager\x64\dimitryGobbedNouveau\gothishDulledTrilit\moothJuha.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9cf7dee8276b4e71d0a1c7a1f20ae577

SHA1
5532124457a68215896ed0c7fb2f35c90024d513

SHA256
2ed8e1f5d5532892e2c0580511f5ac5c4c034d03c1dd8b4f1e836f22a0be6b68

SHA512
acc1e080f5a406ebe95b7a6f1a32cdfa567f7a1b24a6a49b06fbc98e1e5e7a03b3c1dc038b9c35afd001aae9922323c651bc0e0b2cb326e7d10b82f9a71fd17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d51d3cd1a3ad867b84ee2d6feef9ae44

SHA1
717a62364d3e1d4794966cba901b4cd67a8edd13

SHA256
5cd6dae7891fcb000dcb05d26c7205eb04fd24ae29676031976744d9cf83b150

SHA512
9b0ead5514b034561d3668dcda7bb9aba3b65532f74c5d11cb2e82384e0fb769dfa073ecec5e365a4883c83e72d8e59f6d53cc5fd5198ee66108e7f291c337d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
cad50cc1a63486511c0fd430132328cb

SHA1
3379163c00f23eedd5759c47ed835178d8a12023

SHA256
0322a082c1d33ca6173f44e3ca350e17ba5da7bf42d19bc9f50717d4de33aa78

SHA512
a34ee69826ae2ebb1bd755342444cf88fc5c607b4cd9ee5877af01a27e7351bb04a0278d1cfc07af0763adc6d2486f3a6d75a759af55f3fdf7b9fb12c224c380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
0ea94f32fc733dc388573fcfcc892c6b

SHA1
dcb245dace887be2ccbffff6ea89856ed0b3dbdd

SHA256
55652ddc60bacdfdc2e74c11cb72befc017909395573bea39fc58ba2f8fecb6e

SHA512
356d69392a6c95c6b52b11d2d3083a88ca8e970bb01db3a527845bb992150922a7df67d7546ca773fff8f70f8344a63e105540058bc034492076316931503e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d8a984d482b90fecf4704affcc207968

SHA1
ed0d95db7de3560941b77392f0ca9e8b0374eb51

SHA256
2db2d9280515e97033f00e4ac0da645f57a72748184b31375638678edad58dd1

SHA512
ea6b5f692140f47d6e85fdda0b86fa187ea7a7ff12d299c0c374872f483bf3622a6da307744d014c1053f4301f24ec7063ff777b52b222b88c9acd77072a26d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
353cb99ab86ae22041b98e85da549ebf

SHA1
2284286762aa1cdcb2eefe67d3d5301cd1761023

SHA256
fa4e23b895d569c92c5bbc124c7b862eab2f50a8e8631d6a753789d70093d4a6

SHA512
5db24e7d7cf26087a96b07e38bfdbd6e3bf39d20b0c5fbb37d23cdb9f6ac7dbe51dc5f1bc803839979ab8233c8b12cd0caef27cf235a4b0238c1ef5710d777f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f4429ad660b9c82ab45fee83a220d5bf

SHA1
0d0c45b9be48c6d61fe373700f536f366eddbbc2

SHA256
0bab3defb4f088a4f6df1a687eabb19c945ddf4612b1fdb82c217a0e7d908415

SHA512
64205cd44382f494e86c0c98c7575688a01b7911eb11851635b9e3e54e4bea3f710f2b13cb5abe4edb36ce43d7a185a1e51429ce85c3c7e8154aa5b3d7affcb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
717c2be3f4662df64d400fb439b63490

SHA1
25bd67f3b36820d7871691d8a731aae2288c7feb

SHA256
9fb6a37b257245d84b89d54164b0e728a6271e976efd80073e941dc4605bd4c9

SHA512
cfbcbe49ed1fc791ff027eaee744dabb14c0040a69a4b076cf6b5745c12c12f7a7c9bc49fc3f0b50184bedc93d05e8ed66176c2652df9d3684695d4655eef0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
986f5a84ab0c9db9a1b8b80e35bf4cd4

SHA1
5bc29509e13f49dadda0a0a6b50ce0776e7df0d0

SHA256
e6e3536185803d020391f19e89ee2b80d264b5b2695e259a97e016828ac678dd

SHA512
68a13ef073588b2ba6bc10684954bd4e6a791abff915cc047c722ac2250c702c19269cc791a0361721c6c12e244eba588c669612f100b329eaa5cfff02140095

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ff79034cf9b0774a85cef1e87e4e5b36

SHA1
b54b5a9db98a9aca3aec5b7c8e3591191b61778a

SHA256
c7aec977970d8004ee3e38d8aa544ad91292cfc7393e19a11eb0b440fa83b481

SHA512
cde737cded65d0de4dd6c48b90fc6a9ab58891c6648076541c5034d1eb9ae2b62cbb6928429608e53a4c445e26181367db1de7bc71a114cf6d6bb4b0c0602526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7F9E.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab801E.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar80A0.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M8CDR377.txt
Filesize
539B

MD5
70307d90e6e7e821bc5cee31293bd395

SHA1
52c41d85b2b9bad65a0fbfbc10c8cd12333560ba

SHA256
b1237b4ddbd99df5e8a7068bd7f192ea62440a26b662531f409deec3b4aa8f9f

SHA512
101d43fd4b060346333f1cbe07cc42460cb33f972876817de5b6604dafbe2060d523aa196f1d85404ac928b9799dd7bdeec3af7ab9fbaa0f2c48cd1697370788

Download Submit