8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
122s
max time network
189s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/SecretSheet-uhd.xml
Size

9KB
MD5

58b19583b080b8b31466e9e85db69945
SHA1

2d53890f00d2855543e048a407f2ff3911777808
SHA256

41a147659aafd6970a2c18bf3e68f10b0bd1cbb24da5acb7d7b2f910f717c5dd
SHA512

5cbd2000477c6748b837f541e49d0b1f75a7228d10822dfe40e65b9a1eea189654fa146de3376e2390a555ee4bb54ca1ced50f9ccfa159348ac9addde63c8846
SSDEEP

96:/y+sYkPlhV8SYkCxGikYkVVWUZcYkYC6VzXJYk/N+cYK7Yk/NKIl93Yk0ojx2Ykx:arjS

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DCF2DD01-3BD6-11EE-99D5-D63E05CE97E8} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000008988a991bd7e0a8e7a1024e93b35cd6f92ce9d84e213c6cad544db987076b184000000000e8000000002000020000000d65bf6fb31fd6e7096b1806c3bf467a283449b3780989c3c9197280afabc65d890000000c66d0629905b06d0195cbacddd898d298b4514500d0e460273a411341196c628f7e7268bb9501148ea4804f66af9d3cded2586e4f48897d216a6a618c0508bce42158c959cdbd84e9f3da6218eba8401d22fc9c777bbad530492f64e4b849925c9f49085a5c7185d6157dfd5c451b6094d5b67e227051e1d519c2d6e9e1d371aa44d10e13c9b741515aed489f97414ff40000000659a0813fb66ca72e17b2ecceacf76dff86a842a79a031b24201ae85ce1642e4b12910222f3767564f74a56c479c7ae9d08fb3a44806335c32a46c06f15fe126	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000001d1e70cd51eed67fe25b6a2bc2e0d72d1fd868a026526311a819c4c60c70556d000000000e8000000002000020000000c544332acff981f394289a250f1f4f788b2ff18a8171d22e968ae328cfdd9d1820000000fb566c5f1ca4a3f0d3678853e2ec9f4129ff9f74601089ae84932758e75767db40000000b553848d6ebb367aefe373ce0e359ce63796019fd142b85f97c0c849b9fdbd8f0baa6ffe802f09922703e76fb72e19404d32addfa724b0b63e56ab6a745e293b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60ca21bbe3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312319"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2920	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2920	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2920	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2920	2404	MSOXMLED.EXE	29
PID 2920 wrote to memory of 2220	2920	iexplore.exe	30
PID 2920 wrote to memory of 2220	2920	iexplore.exe	30
PID 2920 wrote to memory of 2220	2920	iexplore.exe	30
PID 2920 wrote to memory of 2220	2920	iexplore.exe	30
PID 2220 wrote to memory of 2840	2220	IEXPLORE.EXE	31
PID 2220 wrote to memory of 2840	2220	IEXPLORE.EXE	31
PID 2220 wrote to memory of 2840	2220	IEXPLORE.EXE	31
PID 2220 wrote to memory of 2840	2220	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\SecretSheet-uhd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
123c2262b60a677e22d297a08326373b

SHA1
bb14609bdd518efaa81a3528acbcb6dc1886b691

SHA256
444fbd35a546e8343ff0029cc9f76206ec299e99485cf8d3667b7caf9eeea28e

SHA512
94ffab1eb9d251eca2adb9ade8a03fc37f6e38a88a860b55ed85c197d3cb547e938a42bb361ba8ecea71953be1e888c8b5da63c89d61b7204537f1184395d0b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
78df210075edd1a2173ebc910910638f

SHA1
7f25df03e2640ba23b93ed3a9b42228dba89b26e

SHA256
46762970c6d3072d954cd335f023bc46b204d572b292827c7bf24e03e8f24a14

SHA512
85ee302334453848e419db3c6abcbcb000f84a76c46ffccb511c3aa88b6996dd5fba58a6344d0fad13a9462d066a767f1a5e9903de9a4893a63caa27f6d29a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
09ed24331efb91df31afba40d1b29827

SHA1
e11e5107ad5aaf57d342a6597ab49c24624da09b

SHA256
6154defd7ff88b6e8b73ab50f90ccb7ee4cd430ffbe4cb8bb8a112c88feaaa42

SHA512
f8f6d1cd1a86b01a946cadaee95dd3537344596545d934e0bfb0dae06021985f97072183a9b35ec25946f1b7bf16aa8e439602cc4f8f947cb5ab8389a95309c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cac62a0428792366703e2c2661695107

SHA1
a64ec935d5022b6f8f5f57ef968495c419fa060d

SHA256
9c4e40105d98d932716b3864865dff61d33d75bfb49a79bfca2ff7e146ad557e

SHA512
dd13e742d0a16d7586dc8f40cee13ca37f616cc84eb2420458b9834138da9c3841c36703ccc9275bc9bce418ed930c849f1a3a689a570f9d4081fd7f0d23f83d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4d5dc8f4a3f201d89c6b028b03ac0ee6

SHA1
2c2e18eba650cb39d9e0a70b97a7b7a47a2b0b47

SHA256
a2956aa8e827c2bd7a39dcad9a9b7f0703357979ae4aca54948d66c16f62a46d

SHA512
199d9315cbf9d2a64eb879dca21d14a89f9106b4979a6aec0557c8722f49615a5e5bc4755b05097888b9f29040dc71b58204ab224ffa53638c8f23940fdf13ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a9623f8f87ec17f547dc52b5d08aa920

SHA1
e4f811cf4bf8323ed640e3b91a2593f78b2156ef

SHA256
1973b870338d67c1e6fefd65917a2d9a6a1abaa7176d01b453cf7b5c75fa8963

SHA512
0402c389f318b20a6e6f53d8ece29d6633f9b3a1a34c273da0e43a1c406fa0e2274e445309121de9bb5592dd0e87ed5c899a10f6b0048de02cbc09c44774e823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1b19495c81471235c3f9db7685f9a987

SHA1
81998e80fb49b5dab949c82d6a5f04e57e09b9b1

SHA256
6206e0ed42ea8f44a6946f67afa54be86fe5fffcb389e58c53d6055f594c4fbd

SHA512
ff1a0545081228b93c556ca60c42b0ef432c91d8610c847ad97a08d0b3ebcda06ff6ce5ab23845592c6c59674f96c4a2220f10255411f6c2c28047c087c0405a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4350c851e212c6321ca8040289f76f44

SHA1
9958b20f6ffc424e923ba85aafde840ac6a97158

SHA256
ee43f8fb3d0719bca3142c337c5779c89e9fbe0eb5ac2b46887bd177ca19ab93

SHA512
3560c70fd665a2148dff15a3d9d102df3800afb28aed26a709a09ea866724a60c4076b12dfc5f05d0043a3719b9cfe848dd9511cbd48473e8287f383f22b716d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
13327010d81f460dd5897bac0955c554

SHA1
253fdf0824ec3cb8831e3cf1abd21529e1030bee

SHA256
603d7e1f9c5d5ea6fcf5887f39830b4c9a67984b30d6d39d50f131716a6c8f4f

SHA512
9d3ca9ced03560565fe51923ba5e26dfe5b86cf16b27093d293970909bdca7d09707598964431cde40fe5befee1bf2babecd248d1b879cfea5b08358cd26847b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2ACA.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B3B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit