8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
119s
max time network
161s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/FireSheet_01.xml
Size

202KB
MD5

67630fd426489c25e4f0152eea5667a8
SHA1

8276316ece43e3814a1b00e992bb3981d8bc9613
SHA256

7e38ba081b2c63e88656a3d6ed2c72260ff3c66483a29ad94f3e9a52cfc6a2ad
SHA512

175ee4505cccd736ca0a8b2fb451dcf9ef82b88f3df8f3238b2ba5ff66a235629f87eee577b27e69a1c22349e9bc5739e5af6983db65743238ebd67cb4258971
SSDEEP

1536:N/nPQ9RuUIn7Czlz7rELNxtD+ccHhWvAvOA/lgdjdhdFd1:y9RuUIn7Czlzt1HwvsOA0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000c7eb3ae27d7df6bb227628fa7cbf11d44bfc0c0df00c11c11c48ca0e9059c235000000000e8000000002000020000000b3da9160110df4b877b5e1e45dcd05e1d4019f1f4a71151d7f1fbd61b79e4c1020000000919a25595260dadfe74ffe871222891721ee22a279cb23c6fbe423f3a130c2894000000058165dee2b27d160a8a23f3d8803fa2d82d3d941246e815b18f4052e70550c7d5ce37386dbc95fb88d7bcbb4228f066a945e0ae55f1fd455c9f9b10832556022	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f2169ee3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312286"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc630000000002000000000010660000000100002000000005a6d7f886d4d22c5d1e354b86809673ebafbebcd76ec15efe8b1bf0da59a2df000000000e80000000020000200000003962154942ea4ac83e60f4ef85269be24e4a32d6392dae66438c275d263f89cc900000007e5d67ece20a38cca424f5e7fbb778f88bd512c3abdf827b356768f12fee8da2ef92251b75c4b3bac45798bec7cf67566275ec521f299765bc4eceb491527b2cca6387003e7c9900a90da5664426188924b283d55e0812df7d229e11b14777ef81baf6ecda280b85e0e7bcdb015766213bf0b915c6115df5238aba4baac4b68617b705c114154126065e93660a2ecde040000000a21e7d99e0d7656206ebe36c2c149cb84a269379838410476e832369dc42995d797978a99460bdb35c92b318234a289c5f9f2250468c4adca12d26e7bd96a9ae	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8DEB231-3BD6-11EE-BA1B-72E7016CB537} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 320	2796	MSOXMLED.EXE	30
PID 2796 wrote to memory of 320	2796	MSOXMLED.EXE	30
PID 2796 wrote to memory of 320	2796	MSOXMLED.EXE	30
PID 2796 wrote to memory of 320	2796	MSOXMLED.EXE	30
PID 320 wrote to memory of 1008	320	iexplore.exe	31
PID 320 wrote to memory of 1008	320	iexplore.exe	31
PID 320 wrote to memory of 1008	320	iexplore.exe	31
PID 320 wrote to memory of 1008	320	iexplore.exe	31
PID 1008 wrote to memory of 2936	1008	IEXPLORE.EXE	32
PID 1008 wrote to memory of 2936	1008	IEXPLORE.EXE	32
PID 1008 wrote to memory of 2936	1008	IEXPLORE.EXE	32
PID 1008 wrote to memory of 2936	1008	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\FireSheet_01.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f39313c82970062b407d614e71905ab3

SHA1
4b205395ecfe9a328e57a5332e6d33f5b3e0f774

SHA256
b21b6239faa585a13737cfeefeb58a55b35ac15eba7cf6ada1bf6512d42226b4

SHA512
499fb2f5a3f5d397b0cac74c3f194a88eb5287f9bd8fdad2828db594f8df7bff1675b51304e6b8ca1076572c401a032f5022a4c94f8132f8e7ef3ebfc99adc2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab856862193a5f9bc2d76c0fee1cdf93

SHA1
2aa15157052e000f999f6db6ddc1dc436dc67132

SHA256
89e8ccbfa4b74a60a4b47edfbf0a6a9e8be63497e3216cf269a6d7671c36db87

SHA512
10e1632140be7a5d878f25f22fa065c62ffcb2c335b509eb48e5731f6da98723d4366a812ca5aa3db18e1caa31247266ee51378b4c739be34b39ea28d8a7cad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e13f3da4808a27cb23a5c571cb430b97

SHA1
0f8df59ed561f0f628071417a4f797ab9ab831c6

SHA256
d856687c2a0f565281d02aef4d729234edaa65634c03e3d1ab296eaaa2a445ba

SHA512
9fcfd4bd7ba6d38a7e76df4ff543c59cee2d56a8b1f972664f6508bab975a0a421178295dd4c55275b7eec5b4a435623189b45d6f01a8297c3b04add0520dcd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3646b0d6be3ae30acd21e054b1481efc

SHA1
d03f340e2cb998974514d6790c1bdebd1a2f2db9

SHA256
c63c22fd1d9532ee94b39f0f7292e3660f7599b1a238b537af92a1386893f108

SHA512
b21d3af35d3a092866f5de9179af7126f1b7acf37a995912094fee1cde08b52b92cb1034c4888c50540c9474f7c424bbcf65886c2d92cddc14def00a34c30fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e30ec073a1eeb3856d263c01a56aad8

SHA1
aba46030207b8b2e7a838b8fca00eaa73e693aee

SHA256
a0bb6d40089e528336ce11852dd4caf58429c8c048ff9e77bf131a5d39ff673b

SHA512
9662477843a5820da76fcc4c3916e8cc8c9f90e9200beb0806cdefde7bada39c7caf8760e04e96e5ff0e2456c05b7c6b42ed01c8d23a56e0b6e0c54771a01a55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c73901ee561d0ddeaba2be7ca8d7ee5

SHA1
997b5d12d7663f7217fb0f811a819224bb9c2889

SHA256
5dbb69e1cf3416bde0cfffdfc49d5c07817aee1a3fc5cc760b7f02a37ef57c23

SHA512
d59c4e5cfb0a49fd752d6331352c87d1ee9dc98eab4c2a35aa5dd098be264f31786245a85e96dd72a8999f710720bf0c44ee85e51c7ff6e98132afbfc4748149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e70cc6ea1eeb29e77c40fbf71048322d

SHA1
98411b4ef783bdda999d89d9aad6250e13c03366

SHA256
331bb10b9cb2e319b9b23e52be24fc5b6ae9b5745c89513a8796209c4f6a0dd5

SHA512
c1533891e97731f5733d9efe6fff2e8254fc32f24a6c0db76d41551ca4e04bcd10b81b4c61a5e10a38e716fe55d060a6848c0e290822ced4b91bd7d6ed20873f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59424d7454755436a9a0f05051b33a54

SHA1
c9240233f1bb63145915e2d88d727eb487ffe1e6

SHA256
28ce9c27963428fa54169226dffb57fdef7696de43ea4a8a9884da6d7cb6be3f

SHA512
8bd28f9dee940020c6d303313193df232d1fd19c6b10038ca27ce7b502ef6ccd4dd882b22cde20b66bf2551dc84f6d8f1ecbaa0e5a09cac7d1e39a7cf801b01f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f92d2d92204b0a86e6cf02a55da7fe8

SHA1
2caa3eaa4de069d35a5ad73013c75b4aee6975b5

SHA256
fedea409e2cce81e6fe693997130a8aadd163729985eec59a8fc5d1c2e093b57

SHA512
35347c39cbd357f0ff613385dc60ba151e2752919710e915f0a80d087c9fb403cf08bcc62dca30fe5d1cf8c1dab2317a8834f105b35d45f61f3e48f7dacc1319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5B0E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B31.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit