8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
138s
max time network
158s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/DungeonSheet.xml
Size

2KB
MD5

6da5108211a576bbbc0ca0b926b94706
SHA1

e989deba30cbe58700b5744de53a641cf15ce695
SHA256

c0806b2c8446156cfd84cf8951dee85d3feb36e0d873c882edd2310a0746a888
SHA512

eef1a546a616b61d7c9d444af06bc8f8547c9914ad6901ea8444f15541f3971aab6cb720956f06df2bd8370f053666fcc4eeecd467a699d7867dabe38a379634

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312280"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5B464B1-3BD6-11EE-84D3-EE35A7B3029D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000a563f444a2700e6cdcaab1c18a7af6bed8b642fad021c62c11acd8c795d4a57a000000000e80000000020000200000007a6569057798c60e7e1db3ca8caca1ad1999a785b13579e50d3cd32d9fb738bb20000000d958d7eb29b8f8f35550d51b315911fb28a8f3031287e663ec7685d16e48a74e40000000decde3aa545c25e4f7f52102ec747f54137a63d689dc13c05aa22af16ab07fbcd226ac2a98c1f36531d82a1c7fda2daa74f5ef4ac35e70a0dd2fc0973d0396c4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000a9f57fb52b97d77f1c944cf95be7a97012dfe95a3791fa21eba02e42f81ece71000000000e8000000002000020000000061b2bdc9810240ebb475627e1cb595be7df9b24b1860cb090538d7688fc4bc29000000039c02acdb193c3fd13f50f360d8d3a28a638bd8c7d6ff79da0e1e3cdf5bf65c886c12c1f2c67cf780e76a9d0a2522f32977d26ff965cb7bce7d36fa7e287721cd7f058500761e565a24bd332b9f323711e1bc588baceeb469c12ded07ead70ba6ea636bab0cd1fa11d65bde5b1ac4373900e01f6c6037bdf09ebec369fa7ee05c03a64b21ed6745a8fe4a7dea7f750ba4000000073864f1a21fa4de1bb41e19d8ac350bd41d6d5fac83e866b954dfa706f5e6457de6a079f4e6678e4d2ec8e0ce5d413a83caba5ee4df8a64ff7730d27291535a2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05a749be3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1540	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1540	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 580	852	MSOXMLED.EXE	30
PID 852 wrote to memory of 580	852	MSOXMLED.EXE	30
PID 852 wrote to memory of 580	852	MSOXMLED.EXE	30
PID 852 wrote to memory of 580	852	MSOXMLED.EXE	30
PID 580 wrote to memory of 1540	580	iexplore.exe	31
PID 580 wrote to memory of 1540	580	iexplore.exe	31
PID 580 wrote to memory of 1540	580	iexplore.exe	31
PID 580 wrote to memory of 1540	580	iexplore.exe	31
PID 1540 wrote to memory of 2448	1540	IEXPLORE.EXE	32
PID 1540 wrote to memory of 2448	1540	IEXPLORE.EXE	32
PID 1540 wrote to memory of 2448	1540	IEXPLORE.EXE	32
PID 1540 wrote to memory of 2448	1540	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\DungeonSheet.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93c5a52f4ce0033398d5736c57e493dc

SHA1
28218032e923cc01b458d7bd494843c1cc02b69f

SHA256
a2be1926c3604ef5840297d12df8dea0fad605749686178ebab79816a00e35f0

SHA512
1b6f7fbee639d13ce4a01dd59fc6fd59c8c329cad07b5b93dca7b9965655af409ab8a028df973d965a0a989f9c4548bb9a1ddfbee24f62824d31117c95b17c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97e2b856ff7853c0ff0130fa104c6254

SHA1
e511f67cd689adef05b724556466e4eff5d02eac

SHA256
85d47b4f56f96ec5d387b5f2d856f004addbac477843cf107948dbb60e91ae64

SHA512
4ce3c7c1f1cd8ae6303fc994a99a04605528ea1093b45dc18ed80bef04591652494455f470a7056ecc90c37796ebe9fa6d92fa9b3e2f5adbb6744a05719f10ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79beb1ecce5d08c8ffe8475e8f1777a6

SHA1
79d5f9e833addea1fa6fe73eafe268c892bbdab6

SHA256
df552d3338975cb5cd07d73cf164e1f1dcfa03e05f25ebde54305bdfc846559f

SHA512
13899064dca5fcb958525c57416c830b09dfc4b5939e384a987f60eebb6d82d22a920722417b6c4705cc59a2ac00661ad79c5affc36078f7156f5dcd441e9f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddb26cfda302ef5bd59677226bac8326

SHA1
4a837e7be1705d996f016134476db355646b8930

SHA256
cf5e5164e87181c4117ba412d3ec62cbfb6dbb49de94282349b45b0473b95ba0

SHA512
7d3d37e681dff629f520870a344d70f79805b56bb6cb5cf47ee5b24f8e73cd79d69871fa141eeb21bbfd6ff84bfb4e447e987e5128a1645ca8891e6a931bd52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d34268614760451f6df0389728993f7

SHA1
a1cddddd597957908abf88922cd018109c8f186f

SHA256
1a02398dc2d4449a2e8756a1a170c66622db688823baf87a07381df675d9862a

SHA512
613a7f2127c4c09f844f40d716205b3b980e840868dacc66eb3aa3bfcc3c8a6a4cfb6f5c23d5f1097aad335618d187a6a32dd81b029b7f2d316754e20b460c89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7837ba21e5c755ba12caed9fa6d27e8d

SHA1
47422cf506537309c48f061a6c683f1fb1780fc0

SHA256
53c49fa4c50e2c5a5cd1cb1515a5146be012fc79b7978553c04c3778c9e912eb

SHA512
d12139f63d91a4be6581e8dbb23fabbba72da53e07fbe85917176bb82affe3bb2c3218876ac51b7ed3ae0f6af9604c528549fa4d8773977b5cb82503398bf847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22e5fecf8ea915a650a3cd5ae359bd8b

SHA1
a790c4c14f15ad399756284aa58828df3d804aad

SHA256
7652b4b3b9670a09172b9d967e44a71ac617459d8af2af35acc46df37b75cb41

SHA512
58d4051fc07feaea744755eb33d65d959a11ee4bf3feab42327126b649a48ee80862ad34061fbfe00c47a804fb155fad8bf000d9f84117f47b9e3dd0947430ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8c97ad4739d7d9458b21c3e28e186f0

SHA1
2113ca6aaa108c530023850bbaa249766178ec1a

SHA256
cc152b736bc39daaa9a9cfe2886d9d2a940d5e93c27883f61bd1ebf921d17155

SHA512
fe33ddf0742571da2e2c1c99157fabc2069ed70a0c30217766ecb94af2882ffa6678fbe3372b326a66a4716c5e1cdbd8b29a71028cf9ba050f0abf1ec04d9aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81e58a4fd4f4a7b6a170d693efd1c6de

SHA1
c0f717cd914c1d9ff56b9576d1fdd8045a7238ac

SHA256
d37312d30fed28a66ae72e936c1bb492a9ece96712feddff9180324bae93de7a

SHA512
64ccf6cf32fc93b3abb5552c352ac044b3e7b5d9649f4e593753a39c79f6c137e6f00015de4e2c01c3c364bf42ed48ac41fe8ece1222666f6e5ff0854fbb5dc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
105b56ccb53214f47883d2a87e30ea43

SHA1
5eb38535825b47abbcd12c012d678d2b405497d9

SHA256
d76c6e77bfe9c0fc8df580e9b76cfec1c43a979df17f974e8ca666977d5a120a

SHA512
8f849c4fb8acc62f0e725145a4f6d9ea8b367af0299a8fbeeb6e7f2370e68a88684ae1c06332bb3c8a191e25126acd60a7bd09dd8e2c5ef42fb0281d41bd4082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
787d486b87b22fac3fe45e594020d2fb

SHA1
aac21595090600f9564fe428d82598aff4a07a72

SHA256
44daa164b1f3ccc0521a1976a4759897db0352e0a4031711c9a8b6cac680f8e3

SHA512
29cc3ee42a5522cc4f87f0048d373c17aa1022ca9b06c7a535ae870f92a6966df67ede4dc323b947eb677c04973b3e1e765ab4f6375378041df23d3c58f220e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aed78b217cec086db106ac3f093b48ae

SHA1
1936a02472c12e91c9090f8b92db169fec1ee2d0

SHA256
45dd44b6d790d9ca323cbd211e64a02530c4e80aedd2da7ae1c63cffb277fa95

SHA512
95d8acfc1068e0533bbcd90d52702d1a2a2543e475419ca856ae1fdcee6c4aa5294b0dcd14a377931f85be02bb025076fea27d7354c44cb61b7ad5bf0015c2f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2787edb2c5e1fbbb5e48a66df6db518

SHA1
cb1fae4bc90abb7bdb837b47ef2d4f3edbd6a0e8

SHA256
6bd58d95372d3513fc15e5cd152df3bcf3fc46c4a553635ecd8499b431f84c1a

SHA512
30ed323382fda69f3310c02b773b83c3254ec99b51f8a53f3315bf644821354dd01cdc194f16b7727bf810ae4d1eba8765fb7b60a076e588a1dfe6604044b251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87a1c92393dde9f71766d0c847adcd63

SHA1
250557064d428ff6e22b7da2513343e601c7e323

SHA256
e629a854f6c5006cb9e6d4804e5099c7902a3d8b348eb15ea28cf802d14ed8c0

SHA512
ff4fa5feb9e21de4d0438a725c7b823c4ac57ec9e9e221450d388a966da5d693aa71bc04636900fb83ec97f3a75d2256b7ca6065cad9142cc72e4ce5df2dfc2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ee244cb9abf8a630be8487daed49377

SHA1
5328b4f062271e83fde1c6687576c5a46ac0f6f8

SHA256
f0c65db971a3d3dfc3e06f1c980e130dded90dec2ad979d7b1913ce1c5fc38fd

SHA512
e40a305b47b2319ad1622a79cedd820e0e6b6bd6580751a76b424e8dade616140b0c74fe15c2d80775925362a64d29c70e9401625a22038ffd8be8f539fbb3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab783E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7880.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit