8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
122s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/DungeonSheet-hd.xml
Size

2KB
MD5

81973b2057bca63dd6ca47a89414b35f
SHA1

5f8b5fcc84c7310dd0fc75c21e9f1afda157620a
SHA256

ebbc757cfa618a93a9170ab505da95ea178f49128113c6fe70c4b121ae3c2763
SHA512

a27c4998a93c84470e430d5269d4c488c9c325885ee0c3f007a8a4857f259f9df19125d5797f17672f2a7fd2628f4b11566788b789cfcde9812caca70705c56d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000473f497e9c874a5ccceea9efee0a76f815a788be5703359cf45e148ddd357534000000000e8000000002000020000000d1c115ebab487c111dc163648c2c9889ec60ff2e27265813b269e3f18e4ca145900000000011c88e4b10856081517467735f2d9759a17800a8e89f995fbee88ae8c64c8b4e701a78a736d4b53a37148862bbaab99eafcd34057268fb27732da65d20dc01814ce20757efb81a4ef46b3067369119d745aec39fa462e83682186d54a411e1d50b5481fb883e338aff4cd26a727276c9c967f9e4d4f016388d304147880d069be48ed51bdb51722696d32b537ef57740000000bb6bf51a132124851c34a2b6ff8146150fe2190a7c328b785477320a5982d54742f70192c0c6a2e2ceed6cd95d5c4c50f8dfef07becaae8aa80d53dd7cd91dff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C68D4FF1-3BD6-11EE-90CA-FA28F6AD3DBC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312282"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40996e9ce3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000004068944e9e6f4643c983056979699d296b948120b9a0c93399b866019e89df73000000000e8000000002000020000000f23d12d8e27e4fadfa817d2e112a05196e85c416ecd9b3972dccba486c29f76d20000000b293ff42cead95a8fbf1d393e40211cdaa3266c3fd1167068c7bfd421c27d6714000000049089cf5a607a9a45289c0ce8438dfdd7595c3511813041b50e7d75bed1537e36a2f3c277d0afad9031092f06e8192a68e3e38cf4e1fb2956555aef12b4af3c3	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2584	2132	MSOXMLED.EXE	28
PID 2132 wrote to memory of 2584	2132	MSOXMLED.EXE	28
PID 2132 wrote to memory of 2584	2132	MSOXMLED.EXE	28
PID 2132 wrote to memory of 2584	2132	MSOXMLED.EXE	28
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\DungeonSheet-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b95629fb8b23a5a4dd59345a41c4d7d3

SHA1
dcf03fb0756cab30f52cbba1184efe4f4317202e

SHA256
14d3ae1e1dab64d284c67d7355f70fc5012d0018ac3d2d9e728f01137336ef3b

SHA512
09a73ac881fd2117f140762e35df2f8823bdda21b280e73ff9d5f20b3a405beb234e74319719a0837a28448c9566ad16f4adfd0a9f661e1a3250dd3eb923efc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7665dc0be4e4d282579760c9b8dc37cc

SHA1
9a72f9eb57e81401c6af49f2707110663bb742a7

SHA256
db77883974999a160da1e50106b1fe6c15c23ea46f7f42a310e59357d508ddc1

SHA512
24b9a1e2cb1deb16c864165b561fce5d61dd9522b506561d3f3f57d2a730bb880b3a8fb8f145c19fb2c723b7004ca0672ac7f21aa96372e840857c29f6ffa078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cabb858095cdd3b0c1cf1189ffcde2ae

SHA1
40e0a994dd8905f791c443bef82d69900802dccc

SHA256
6fbfdef078d004e0345e2e972369f57fe9ea8926f5328a4e4267f3b181569a1c

SHA512
c6d33d983df094d11c3c017892118adf28d6ec9ecccf67444b435ce0a34eeba77d214a07a21f4b8610c19c59a3e93b8d709f63afa27c05be59e8306427dacd37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e09e9800c063cf0fb1241de9800cdd17

SHA1
b3cc02db53442d601d2f25b163b48757ebfc6f9a

SHA256
42a932f6e1565f2a4eafa5c169abdce972cc0300cd3bdd5cb302fc178b2dd916

SHA512
9bf1f9bb9f6cd4381a1fbe86be282125d96419d7405dee93f0945ac017a16cc261367890404a35b6cd7156692e18591cb819990e3a880874fa8147863300e8c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f6df08633664dbfaa65973ad5fb2aea

SHA1
71bc7132a557b5c109ff2c76e10e2aab3baee579

SHA256
8b2eb81b47153911daa0edce489d5014a5bcf56d3012938e0644ba3b5da9d73b

SHA512
695e6df26cb6bdcfeec105ffa6f5544ed9209b69a34744a0219220bf60b9445ded20fd832e98e9932a68a4a18fa0ee3e912b1fc03b1458e7e155c45b51c8170e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cdb33ab11684c1190fe884ea8dc58a8

SHA1
e116b345e2ec67a4a84798a6eb620b0d6e7f5a6f

SHA256
1d787397315d491fad933cb93c95922f4cae68b622abdaa8268c0f52cce45cdd

SHA512
b227e1166701a973d6ad60b32fcd625a5d61befdc550395d0e7a3ebc25100f432b91fc0bcd83d4736702249312652f370b0f40042e1ec9c37f255a4a0b080f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03855673694ee927448ebb65bd5f9fd3

SHA1
30611ce42a113305ded76725bf259016bf2bbeb0

SHA256
0ff10ef72f4ce0bebeb396a92969239c6dc678cdccd14a3816f30c1463586def

SHA512
4add0bc72238619b2a754173b799972de9c1417d82a0f1069d25ea05ca7c583b3b52889e8fc1eb1d14fb9c00b93f3d415ed91abdfcca06193248536063c48bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e62c17878df11d920d11b92ba9a3214

SHA1
5681aa57860da7821b7cae132c37cf4bb8ac36ce

SHA256
435cc3201503584c2ccb26aa3211e389c1124d013bd47171b82c22b4b2735b55

SHA512
4218c1f1d119f4ed42918069d1a9800da866ad3a98d22551db9ad608fa84ff8123b7e16a3a8303d191c75de7ff4c370e41fcc9260f6cc414fe8dc46b1a215490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbb56812f1731cd196e22f96a4e36190

SHA1
ee027d4a07c02d37659aa7ef13a55ae3a0d2babd

SHA256
657cd45f9b96cc7a95f4cca7dcad93d328cbb61ec51842cceffb19ec5534f48f

SHA512
5ce0682ef8e6f1f2028dddc9bfe7d11f6e9250a47b86f03dc4497bbf694e854ecda4bafc997a762a9bc0c25fa8a759d5d5e41c6d61fba928797ca658d090542c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41aeb2fdc8c839fb578ad0bc35a144a1

SHA1
7a719186bb832a4fe17f9d3de53802583d62365f

SHA256
e554e58b1a23de6cff7defb43eb0a2a83ba8bf449f9fda0df64d65c1ac65e3cf

SHA512
c83de37233862635874174abbbeece2f39bee7eb93a3558766aa6bccc1c5bc28fe99d75c00b781cfc9c1492d0b00d16dc0b6b755d0587668479ae43331cb5524

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
750dc07e866058d84d34ec227dadd24e

SHA1
3d1f3fd7aaea5732f5f249110f10e17620052d3d

SHA256
2483cc1d592fc6a7efa4bf67e11c5de6d308c43c6d7b777e87260516ba7b7d89

SHA512
e95e093bc330c8156a359e4485935de9f3832299089503687ebbcf6ca9f6b22008291f55467cb619261f9c53ab7434337aa68f878decab69bbe380f202829d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6ab33d3aceb56cd5e46bfa7c74246a6

SHA1
4f8c5f2cb230140b0b80cd00d349f6e6cd6d57f7

SHA256
8a5d860216720b0a55709f6eee0115116561f438eed3bfa33125cdd4fb3f59f4

SHA512
1350e22bba707b25d8e577bf87c4b709d74a72937f3c904247c5dfc57944b319935a6cb08ad0956b73b4d9e7ead0a8063df19a805fb04756c87e7d881b4777d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87941fd888e42e93ab0add8a7f2d25d3

SHA1
8a1852825e8464b191eeb4ba3fb633c9701ddbdb

SHA256
9832bd288ed88afa4c21036c5f7bda9e1b65dc07365ec8969daceda1941dcf98

SHA512
3c5ca92ce97690d7ecdc65024642abe712b22f5e86b3150e4b9e99725507dc328ed05b32815fbf9e7aa27989c38bd6dca4f7a49b693b7d66803dc6ce3628452d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c23adde7d9fd62e79527c94a5ca6931

SHA1
1f60b7fb1b970623d83bc5ee3289eb1876995dc1

SHA256
b5d7f17e170b22ef6a3b99d4e710af71c9709c87c0c136ab0deda8889665617d

SHA512
d208fb75dffc364bfee19ca03069ca8bd6de3fb750d452d9a088a7691a2fbf3242883cca5df4bad39783d5661819caa8308eabb1b04e80cbc233e85840e33af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE8FB.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE97B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit