8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
162s
max time network
189s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/Skull_w_03.xml
Size

2KB
MD5

b7ed9a96daccc42a4a76ace0f54cedab
SHA1

acf2468b251acce486d4fd736e274eafe96d640d
SHA256

030cb4f718d91020c89e2a1bd1ffdab5d23ca95a69d1a97d9d7424b525d3cb7e
SHA512

f42910b2d89c4c3f739552dcb83534659a889d0dad966ace989cb292683cf01184345de35c3ed500de5fb8dd80dec29d496b82aef2e78f0fe6b762fdf62c7de8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DD516FF1-3BD6-11EE-ADD6-5E6847EBFE3A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000001dda3c7fb751eb135c3d02577c7d3e79d46fd7ed1d1a775b50eaf16bc103961a000000000e8000000002000020000000d3554910c0ca43a52a90afb79be0163d403d7af93b0d54ad3ad362109c7e6e15900000003e34f6a7ff8a798b3bdb6a21b5442efacee088939f2886dbdc12ee00f8519be9b8ff2b0f3c4159b354796cbf39a567279c2b71d00369ecd2f7b9ad8c025847c940c382432094106d16ddb7423b4395195b23a66a745c1eace0bb1cd67ef0fb7f30690b82cac9f67745e9fad9c08ba1be216b478102457d1cb30127eb6d685aedac109ee962e4dda4ee7580a4f8c6013f40000000ced2944fd6983dc23e20059935660547cd2acc79c1510a08cb7aea7ec98f08556cc4ccdb5c0a35cc89662842a43e000a3ee53529515fbf8b87c2b42373421560	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301b7ebbe3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c0000000002000000000010660000000100002000000040f029f5035a59c45edae22710c5dae6996d27258dc4f666f3046b398c466755000000000e80000000020000200000001043e0f44c6a825b07a28d1ef4ad90d781eb11905336968faf7272288fa945d820000000a60e37ded36a0f82959e1f0433161376be3507850dff5a6dfcebff1f891f00f1400000000504aa53e2af5b33553481dc9bdcb9269793140e0317470d9fe63ba74596cff4cf535902c4a457e08d524877937bb301e0a811a80bfd2c1006a41bd40a3719c6	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312321"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2920	2236	MSOXMLED.EXE	30
PID 2236 wrote to memory of 2920	2236	MSOXMLED.EXE	30
PID 2236 wrote to memory of 2920	2236	MSOXMLED.EXE	30
PID 2236 wrote to memory of 2920	2236	MSOXMLED.EXE	30
PID 2920 wrote to memory of 2952	2920	iexplore.exe	31
PID 2920 wrote to memory of 2952	2920	iexplore.exe	31
PID 2920 wrote to memory of 2952	2920	iexplore.exe	31
PID 2920 wrote to memory of 2952	2920	iexplore.exe	31
PID 2952 wrote to memory of 2848	2952	IEXPLORE.EXE	32
PID 2952 wrote to memory of 2848	2952	IEXPLORE.EXE	32
PID 2952 wrote to memory of 2848	2952	IEXPLORE.EXE	32
PID 2952 wrote to memory of 2848	2952	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\Skull_w_03.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f37d57f223cbe7c089452aaf1f043cf4

SHA1
65f99f3888b7e4f47a991e2e890147e61edb24b2

SHA256
15c6735431a64c9634edc0d238e661b311020469838b3b8352d1ad95d51e7410

SHA512
af84cd3c640bc60e8e0a9181dff690fd65f952b2b9b1cfefcddc228bf78107a7476242868887751746c958ede405a80eed2057c85a896138a6370adc1e539613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6bc70f50ef296174a1de2334d808fdd3

SHA1
f2a48e3635a34f502ae16ca4c190340b9ca11e05

SHA256
7a008351d1d1363418834fb7a37f93ebb243d6df8535c43c1650f3ac4f66beca

SHA512
7d7249f86b694d7198628cb2cfe1c57cb09ae15fc7b695bcf705b0a9ae1e8456cf4f686cac56cd4006d0ef7163cde4f84782497a59c028dcc24da1f35ec19fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9c19fd3b46a46f984afcc045be33936c

SHA1
0da7889c6b41280751211d5507342db9e9146e5c

SHA256
55a8ee3fee920f368a1c5c08e1d7ed45a213957b477043832e72b767067b4f31

SHA512
604493927cab348d2c5309a03265c9b70fab71679beb056e85c6bd5b2f04bc03aa9017aef5972cdd15d7f9f105120549ce24311cd572d1e0047ef7cfeae01af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ddf1723488c5f248dede9c84b602b0bb

SHA1
7f05e8b15c85f86ca7954fbe90bcbfc19f86bedc

SHA256
3824a1da385a3431fbb4c8357e145fcc08912c4e53888019f0e55a59bbe30e50

SHA512
dd4b0cbde3f8acbdb77225581bfaf5ce69e47e5c287811a18471c1489c9506fb13564026a69115f2ff870f42a6145a673d7043a0c188e5c7c057bc30f59146b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8b01d0ba8048544d075bf869228cbb54

SHA1
a319ce521d9524128872b49b81d6d65bce4e956c

SHA256
eab1755077944b2cdb70b3aacd43dde9212fd1e085cf159129c2bbb4ae002bc9

SHA512
962dfda4eef16549b51c43821f78dc618121b89266de0e2685a5b76b59d42a724bde07b3a6474aa0480b7f4453cf4c9d7af52fdbdbc0ecfefee954f81af17a6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c5e0295316e907bf2e231c82a34c662d

SHA1
ef129e4ac1e767142fc862c798945bdc4ed60ec2

SHA256
128dcb9ce24c2dfef7cf7b161bd08f922312ef5bc8bf98182ce9499d866e6ebe

SHA512
418d872e0e793d222196fda0289d2ae5bb2b4e13998f2a52313e1106db2e14ab82c103061d31bbadcdb9248fdd199edb31ef4441fa2b154ff628a072f3c0d077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4e73c9b7575d5f22d993d88c0d5cb3c9

SHA1
54d0418fdbcc96748095d1edd544e3547c7cee37

SHA256
058a8dacd00d897cfbddd92554f032f62115902f4e30d55f19c0c5804c46de2a

SHA512
b92f07e1f36d4bd9895532547c61001f50e41c63dedf4aa571822ffd012476c1eb9c0a66e7d43e98f2d973e4fcabe723480675c6d98442f79ce347afa7d5cc17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
89b670be11a07fcfd69b21d2e9cdacd6

SHA1
48c8c1089f47822d7cd76a7af229c9b6c47a1b7c

SHA256
1647cc9ae5ff61e6d4efadc924c72ddbeff03ad946de294e11d5be0e61c81d85

SHA512
d066a5859a1f477a78d53e3389b7283e04f3bb57acd4d058eb089a33238bfc8877929ffa2aba64df33134703afd2ac91772786b1fe37d9c1f9d61f0fd7b1129b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6672e72b7e09017d538eec3818606bd5

SHA1
1ac588b3c6155aaff7b31736540bd6621d2895b1

SHA256
fee6f77d07590d5c8890b6e8077a6dc114b8e83dfc4813a7da780ef179ce3143

SHA512
49db1bd3d8c879d52fc8a6ed948bceb2249a0c9eeeee325a2e020d00be031cdbb8b67255f2d2acb48b24e77a2af0566b6315f3402bd260bd8d9e05fee9418dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D91.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FD6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit