bbcc6444202f68e4154063fe28d7a5bd1dde6de140b7e80d707060bb7dbe1650

Analysis

max time kernel
114s
max time network
176s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Among Us v2022.12.14i-Pivigames.blog/Among Us_Data/StreamingAssets/aa/AddressablesLink/link.xml
Size

21KB
MD5

55d5d247dd9dac66f24bcd4600be4c7d
SHA1

74ddbb93cb18169067e00eea0d3f7f0d913eb82c
SHA256

b56aef6d9b54d0d1c219d1083b78fc39fd89707f904e896e8b4680bc22555dff
SHA512

05f38a3068a46565eef3349340c88197135573d385bfb82ab22bebe8286bba1dc43648ff9f4a6726c8f23bffac675b8f564e122e8bf7a46220449c8f6aa53daa
SSDEEP

192:/RJsF71hBg3pEFp37leqVbwuPyrTfTITrTLAUs:5Js6+Fp37O7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7058ae8578b9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc630000000002000000000010660000000100002000000063d36f7241b1097436616d0591829fc99de1a8ce779656c6c1aef8e3751ae180000000000e8000000002000020000000d4ef39b6e099ea3ff972330020ce2622482ede89d917cb104b1df2192778eabd20000000c404bbdbd6899ac420a2cd1ac4bc148d1e72b453f22e7f8d07a93adac0dd8fe34000000025397a71be6b12740b72c9dffe4e70e1f6e50e862e4895f8d85b4eb07a4828cf6fd86349bc5c72cc35bc0fa75aa196fb7acca7a7f1666ac8ac0ed2effa03e0f1	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc630000000002000000000010660000000100002000000041b5136d0708f8beef13173924a5361413504cf7d3cbbad3cd3f9df421d28242000000000e8000000002000020000000c4a0d533d59f17b1701b8eccb6a4715418f2988b926af072e33df9828a865dc990000000d54c5e8ab54688a4fdbd5b826354b2304c0b5dd7060d8dafa9b4c25c94af4d8b064c47f5d803382d655daa1fdb7d0a2ac7a9b6e30a01821530f1793e9a3b2d59812e3de8421dcf2cfe15289ca02dd3eb38e3da77fd279622b3b97810861348c787c87bcad24535d26af721a21a6c4c70b3ecc139808a96547d2ec66c7226d9a9a3dae8d8f8d8ca098cde0780b0d47bd940000000303fb4ee9611b6709d3ba909d75a40c1f56444a298a483c74fd97e5daa39bf476a957cbc31e77542fbd203288a79e1cd411cdbbb1ed3fa73ac3e2e9e5377cd53	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0CBBA71-256B-11EE-A820-6AF15B915EED} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396450469"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 292	2848	MSOXMLED.EXE	30
PID 2848 wrote to memory of 292	2848	MSOXMLED.EXE	30
PID 2848 wrote to memory of 292	2848	MSOXMLED.EXE	30
PID 2848 wrote to memory of 292	2848	MSOXMLED.EXE	30
PID 292 wrote to memory of 2824	292	iexplore.exe	31
PID 292 wrote to memory of 2824	292	iexplore.exe	31
PID 292 wrote to memory of 2824	292	iexplore.exe	31
PID 292 wrote to memory of 2824	292	iexplore.exe	31
PID 2824 wrote to memory of 2728	2824	IEXPLORE.EXE	32
PID 2824 wrote to memory of 2728	2824	IEXPLORE.EXE	32
PID 2824 wrote to memory of 2728	2824	IEXPLORE.EXE	32
PID 2824 wrote to memory of 2728	2824	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Among Us v2022.12.14i-Pivigames.blog\Among Us_Data\StreamingAssets\aa\AddressablesLink\link.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0590f3a2d3d1a14b9299d72e5d6b920c

SHA1
2e7d44bdd6791e8ea0ef9ceb9ca0ed10935ac1d1

SHA256
c28fa937980c1d73603ca091be23708fdc6cdb8c4606a27c74ada548ac8d3394

SHA512
93bc178e3d3f46769fa211692c32789f6ca745e0e99211b54c0b6c4c51d896b04abb84c5025ca6bff200869842f314804c4a737f132d6119cf6dd16502dfd306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4ea06e2f2fb1aa3004987cd138d9c20

SHA1
3dc4a4dc46ad4d9ad1e7a3a2c886268839ffe810

SHA256
79a3d440e18545eabf0c8660b13d5a144b19e787f1739e57a74324361cbc36e8

SHA512
5c1b163ae39dc00ae0c469bd415e61cbb52d3189ce8f93730907bc682c530a3e8cda7cc87180e336b606cf39aabaaad66bf2a542c706f83c7ce81e7e7e2c9da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4db496d5e7659fbd27f30800a4f7edf2

SHA1
56334a8c6628fc8457ae88d45ce2a43bcdc53fa1

SHA256
79ff20119e7f01c78a1fadb2f96d440895966d8313c3e803a48c2a4d511d198b

SHA512
55f2dcd249652e2ea7a42bf0b8ddbcfab7a010d839e0ee4cc6ab96f5447123bae5028e0c4ce16a6c116186ceac5471d5bb12af99ec61158e4b271fa50949576a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bde537040f2bf2480f07b11cb16fd465

SHA1
bfc31c3976034eef4ddad1d5ac5c88a686abb9d3

SHA256
4ce14640cb95b87b8d24eed0fe5be0594d9838443b745afdc9f8ab043d6eb2c1

SHA512
9ab7d3445389b38dd1a239983d87ac0861badbacbcc48ebdf351a2203b74074da96cc46a6d1cca2aba03c58bbe90916c1cba2f9be87ae7d88788a9de9bf7ca37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
067df63a8b298704038b39cb0bbe06df

SHA1
94ba7aeb47a9382f5c5260e8c557953c6a50e25e

SHA256
06c46984348f87c80c5af67a02e9ee522784ba7f3e891ea5b14091a72edab30f

SHA512
d3bb1004f489aad47956bc835a6925a755449135a184a4e45ae29c095ae57e3d4e78a6491e7b43ab14d6950b70f95b2883fd93acd54cf9e51021c3b3013a76ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
235fce1512b101d4f3a6c7465b2980ff

SHA1
afbbc73dd0076bb9be473d0e1ffd4d93ad2f90c5

SHA256
258ef6f053ec35f31212543a770a2bd4210ad5c7f6fba3f7c66fc73042e90f45

SHA512
363cd2dc5c98374d13384b0ba0406b4fca8a3b6e1ad46bfb6349b57cfb8aa92fca56ba3ca54771dd3c0653eb59924545d7042429236511a8b3695b200a87f5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4fcd45a78ce4dae94452a056ec469f1

SHA1
14daaffbd91ece8fb252f3b4a2e8c3ca7c01cd1a

SHA256
6c5ee5c72ff6fb3e890f10944fb038ac83be1227cd1a2409fae5048eff94e3e7

SHA512
a725b4b988460e0644943b79dfcbbaaa530464e4feffb1959de0cd498c2974f4af08ed15567460007c691917b9c47ec8a449b65947087873ad80e68cbb1b9b66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5e7119bb306f6125106368c2ecdc2fc

SHA1
185339a30575859d3b06b5f20f72482f164f6155

SHA256
cb7844c9fe4c85e630e8afdcc3bd2f364b32d300c1803324113226e742426f10

SHA512
f0a1a3bd1d498d811d78ef3256538a236aa31b2a50b314e4a5e7679955e43ccabab4d8d0137eae1b2960fcc4e49710551eea35a26f42e9c11b692a9b2695987f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83304f2dd6188b55b9eacb7ff9aabd03

SHA1
f0a149f179846a43c67f0d890db69306c620d919

SHA256
47b4a4a06449b29502007cc82c1b12b0ae6064727fc6eb1a293f29f5c4c49d2c

SHA512
0f7c7371db8d19572d63b97e74bb9207d17627d2350d4e4d8fffc6fd36187f766804645093ea38ce610cb5339da75917135175d716f9c5c2796acce75298a8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULULORKV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3AA3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CF7.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1X320IFS.txt

Filesize
605B

MD5
b9540ac64656e1ddbfb08029ab6fd689

SHA1
3abdbc3b5c13b58f410d317c8e2696e60db66237

SHA256
cf702d55be56ad226b4af186e36f86855eb3787a4aef5b5d674d31b51740717c

SHA512
69cdff57242db66392e66b9ef87f05d3d795e458e70901c94f41b512312e761a501fa2e78a98e80aecb2505148b36fc76f8c8cc6fee96872094ed58088b9a820

Download Submit