8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
80s
max time network
162s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/Skull_w_01.xml
Size

2KB
MD5

a89988f0a456c1d1892d9bee7615fef6
SHA1

a21f2bb3d48719b7d760f8e36bd30ed2bbf29b62
SHA256

32efa112a870ce51fd26561e2d37c76ef847bd034af3b67adcad61b1d6ade114
SHA512

3f27b08acda13f2f1f59e56de4ec0822b77b8e3724cd4533fb0f34ece34499ffefe73fd66c57ea475768a14907dfe7a30411dc3f9a112e2151a8caa8764d5a3a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000675d7e1f4afd37ae7d62025ab62c2d9911b0327cfc7cb6a19ef5f4aa06722290000000000e80000000020000200000005b69a490745029a2b5cd56c040fb92508e50c9f4eedae462c9e94bfb40cc53689000000006dd9278bc0fc1fc1d0e228763ca7f133a4fab70d26c4e8048f57a31c4deb9754367bd9270581162cd97a89b70c274b7e14a1e004d9646795464bbddf5b3ad43a45023b9614d520647d91da146d9d841f4e30469f582aae9e650c824c036fa5e85b170bfc2921356ec81fc47f973b54bf0ddb0d625bf88fe00bb33079f5caf52ec4daa66bbd5b1e33a19983b1544fc6f400000001c6615376b9c9922bcda301a8c555fbee94902016564699be8210cd27184c93f83f8fa11f3c6a408d48cda77064d0cc81b2bafc4589403716ec32899c6a73dee	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000fb0eb445965a38fc57fecf9a0fe885b5ca8d8796282d279a874767fc7c63ce93000000000e800000000200002000000034ac6d5da7f584201ac5a8cf51ec276371682aa378e947858a41abffbf2c7b2120000000251eb54b5110a25065931d0159840060fd6537c20e37880c365b8848ddf2573e4000000083fc8a12ea386130e812f567251f30dfe089d61003dc8c7357aea0e3505156e20df714058db799cfa7abaf0541f05d7703b996e5a41a64a369afaeeba7b4ac77	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312288"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C93CDF91-3BD6-11EE-8D11-EE35FE5859DE} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000ef79de3cfd901	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2512	2824	MSOXMLED.EXE	30
PID 2824 wrote to memory of 2512	2824	MSOXMLED.EXE	30
PID 2824 wrote to memory of 2512	2824	MSOXMLED.EXE	30
PID 2824 wrote to memory of 2512	2824	MSOXMLED.EXE	30
PID 2512 wrote to memory of 2880	2512	iexplore.exe	31
PID 2512 wrote to memory of 2880	2512	iexplore.exe	31
PID 2512 wrote to memory of 2880	2512	iexplore.exe	31
PID 2512 wrote to memory of 2880	2512	iexplore.exe	31
PID 2880 wrote to memory of 1276	2880	IEXPLORE.EXE	32
PID 2880 wrote to memory of 1276	2880	IEXPLORE.EXE	32
PID 2880 wrote to memory of 1276	2880	IEXPLORE.EXE	32
PID 2880 wrote to memory of 1276	2880	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\Skull_w_01.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ded4ae68fc5f4ad70c74293a98699ad5

SHA1
71eb5aed71011ae2be00a07ffbb3140fab7c6e4b

SHA256
09b3ce68d13ccca31958de6cffad170248ecdd028d4e61c2e60c96816d14ba38

SHA512
97ea4efb6f7b82a9b0a5aa8d554dde8a94b1f2eef50e28ea91e3fd4baa09f5050c6721836f55bd271f1ad1886194fea1cec9fbc3b73b8a88e51f131851e479cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4705c3ee6d626e3b75743a99b532a68

SHA1
cdbd64ba0be879d4bccb9600ea61f7a3cccd41cb

SHA256
05ae49f38bc55e10eaef4298c88c7efd6e1f6bedad88979ea61dc61ceafca4cb

SHA512
50692eaf42fbf04a3999a5e655a5b90916c90707667fdcb5ec484af6535e7ea39883098ef421745e20e66c60065a13341b8e3446c6fa6f317fdc0227b00c2184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c913844e063f8f29cedfcf0a24338ec

SHA1
411a32d3690750f1c3c045ad7f4e2cf3c75c3651

SHA256
1733bc4a6e4c2621c95ba9265a6253a366ba8a267b98bce849694be0722329f2

SHA512
e25df749dcce6ae9a6c9ed165fd94c7babb36d2b34b5fc4abc96bb98d03b45c361c76d7a0827788ba3b6f675ebd0a8ebbec597408594ced3303feea6b266f2dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b44d24e6032a7b8f10a36e58ba9e0312

SHA1
7472e0e0c5d37dacf700ac513314fd0bc9ef0546

SHA256
69cd0c288c08b3cc023a4382e9afedfb53752c6d81839101e6560086fe943b0d

SHA512
fbe62bf2821a67669f35267be81dc527f6292e037d6db08c088837d759465bf4836e6c67f8ca566dd8b1d90e5f41a47bb2135a93256a14b1e127b7d751bcb819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd1002ae7a788cfb6e358ab6cc299680

SHA1
aff153fefe4a08841ff40a405292ebd0554b9265

SHA256
03a84a835a64d195e8f357c1ae2d4569dbf0c2d5c083c801c1c9df15af1687c3

SHA512
a736c6da7291102780ca0d4f2a33d82cf7721a2fdb1564ea2ff9f3d20d46408fced42f78fe682ecf95927684044907e1a946f5cdcfc168b9b9f2700ed937d481

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8df39b9a52e70e2bce1011ed9939af9

SHA1
dc983d24bbad8ffcfd51dd440d5e39adcb1c0438

SHA256
bbcaf221de1d9497806d287541d708d041076050ddd5cbc990dcf380d73491f5

SHA512
45c63095237e9f9b3b3f592edfd28ed250be02ce938abef3455a0397999f50bd4637a2c65cf1e635674aa1cdc67d391bc74590bef5f0302b250cba037e7eca51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b61b758a58fd6c4e358556bd67ae11f

SHA1
48da723a6328b70c100ad57e1c04071876bf0892

SHA256
97244e22bc49daba09f372cc2fbbc1a9e7cfaf49b70d3b5381acaaaa47b2ee78

SHA512
a14b49d4bfc471a61a7213eb6ba6a0ec8830bcc2df145e2b51322a84ca9c8014680b098067571cb7fad30eb40f30fcd3a76d56daa41fabcd966d4de76d6568d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e444d17311185ab684b7a53e15e9a171

SHA1
200c9ab02f825833e46612cca834b1edf4a3e9d8

SHA256
747fa1661df81ed131a656d9449cc90cec6d514373a6e17241e22a77f0629040

SHA512
d6faf97547a8ce1257f9457cc59d5a762931b2840063e5df75093aa6669cf8f34fcb1bc780f62d1a628d845506e674d2039ea73da345ad4d5d70744b9e6aab34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0019770d4f6af55f03a35067282798f7

SHA1
cc368d039cf6b791098770e50ea22eb75d6103a3

SHA256
297b5814cad7454f222dd2958b550795eb1e219b9856b0cee8edaef8c2032800

SHA512
4a9760dbc1fc5842464912d591080e296cdffa7659cf6d72c6e5c27459885866698ee548af8d24535a6a1541669680e7607196bde0c32a015139d0b0050dbfc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59ebdc69c61b494bb7ac22f69dfda765

SHA1
9d5de6101fa1758740cd911770b98c89cc1311b1

SHA256
ebc2ba7b176bc66961ab800b5f2c77d67c3e51eee5d3d98e5c6d2796e16f3762

SHA512
9af20c084ae45a0513a20bf3a95d74c11948b68d8e24b2224c551ee723ef3b993419dbbe89073ed3e328c13a6e8045bdf929df55ef38753c97468897a65d5f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
988e4ef8ea93b7a71d091987fcd096ef

SHA1
232c27123a842d0d9ddbf71d75036b713a5da44d

SHA256
7ea26252200dfc111bf12ec7a2c0a75ad35b1fadf4aa16c81ce8ad89d882f59c

SHA512
be6a7f9fe9555ef6abf0f7285853ada2d92c6a3c76b7ac4f33dc1ca11d734ec84a409b7176fd1dad9f9f607fe4e6d4e8ad675c3c6014f56e3046155a0ba208d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc6a1f48cf8ce78e2b0d080a9442d49e

SHA1
7b0ec7dafdb4042e574f8032385821606baba9f5

SHA256
deb5321b33ad1bf0d923f014b53d4e3555fa2e674be1ce932d501984a4a8c317

SHA512
4a4c6e962355b02aa32b837f64de92819c502ac261f606902c022571ae36d76ddc69ab9f43a3578ce1870cfcfaac841d7234fce0567e155f75787a10fdd27839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
282e3d6e5e729af3b179cc00145a6ec0

SHA1
36affce388407691bdeccb41fa317c67b84c1ca0

SHA256
fbf5a7923e8181a4ed7f748bb7eff4c40645240b807654adae0453bea0166ad4

SHA512
65ea47dda89df7fbc7300ab6b412772db56f5256772b636ad75e49cdcd2b5cae13f365fc4e7bbf8177c73ea9a5f708922df82edaaa835387f8bc4da4994bd0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAC6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC30.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit