8cdb4a6406dce9eb74a98f7cc5abc80ce471a850ef2c3d1dd964d3195c10a2ad

Analysis

max time kernel
119s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/08/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/FireSheet_01-hd.xml
Size

202KB
MD5

390a1e32ffff76050744b88fa57c8247
SHA1

1649cdbca8b6f36c872889b791fd6b478038cf0d
SHA256

aa7e5d61c298018d54bf70a828e3c92245c3394fcea90f247907031435ad0301
SHA512

ad1f10790814f8304081aec308274c8e5704e6b59af8679ebb837c0c33ca6feb78db23014890837843b59129f71b2043148f01a5440f5eb12c99f9060553750e
SSDEEP

768:IE1LvaxO9XpbkROnFWJmdJOAtqQFZXVLDFsi:91LvaPAtqQFZXVXFR

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398312290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a2ada0e3cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CABBB761-3BD6-11EE-BD9E-CEC9BBFEAAA3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000003eb84ac0077345dfb36b971e83da29e8b19877c6c0c91c6cfa2f5439cabfa5ee000000000e8000000002000020000000e6ba769547e9fa39f0c03b7688f6325f7bdb192ef1fe9095c656712cf0f04bfa20000000e8f01acb4752ba422e63194edcb378da1b2f74a06122f553b210ebbadbf25011400000005662b3c96e5631bd0f4ded56c3b4a751532ca344557486be30516779c6e5c7053321c552d70de2300b90a279f3d345f644f903b8679637ca099343471833535f	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae0000000002000000000010660000000100002000000048150e13ea5b5788e4ecc01d8004dd1307442d7373f59777254b52fa0f3da2bc000000000e8000000002000020000000914f6104926ebd950a74d53320ac1b921f6c591ed6774cd9a105ef93a54412cb9000000072790def4c526c26356a72618d8792f1f25ce5a63670e767a2c5d56013e31ef03a8d4fdf0ef5f15923aaf5535f5baf1391503a2de491e94d46473de26b3383ca7ba30a860a209e099bf6f356aa16f240137550eaf4708131a9dcc46c9d269dc142b0abcfdf77d8e2ab7eb569f9b74f9b55acb655cb26ed1369dd34309069fcaa1097d451bac8f27ca10b1482c140398f400000002433dea886c3d05f5f20a0e2fbb6caa2d96dde921b2fe1e3af69b914e639bd2cbc20b3f6920898dc9eced59bcfb2b56e0af1ba88f81aa16b3f90c9775d82fc2c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2500	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1904	2116	MSOXMLED.EXE	30
PID 2116 wrote to memory of 1904	2116	MSOXMLED.EXE	30
PID 2116 wrote to memory of 1904	2116	MSOXMLED.EXE	30
PID 2116 wrote to memory of 1904	2116	MSOXMLED.EXE	30
PID 1904 wrote to memory of 2500	1904	iexplore.exe	31
PID 1904 wrote to memory of 2500	1904	iexplore.exe	31
PID 1904 wrote to memory of 2500	1904	iexplore.exe	31
PID 1904 wrote to memory of 2500	1904	iexplore.exe	31
PID 2500 wrote to memory of 2856	2500	IEXPLORE.EXE	32
PID 2500 wrote to memory of 2856	2500	IEXPLORE.EXE	32
PID 2500 wrote to memory of 2856	2500	IEXPLORE.EXE	32
PID 2500 wrote to memory of 2856	2500	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\FireSheet_01-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eeca84b5a04fe76d3399fbe71896a22a

SHA1
4d873eb5cef3d44626ffe4dc09fdeed6f0efbfbb

SHA256
23f1fae8f815c768d3a2b1bc1a9bddc72d4148963f3f1b9ffdb4b067d6741c83

SHA512
ba9c9aceaab0535ed90ce884a7c336a48dcb88903674640e16d131582287ed97ff051acbb0a3e92d77a190beaa9e8f4a3a02cada97cea3ff800d19d6e1de4ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3176c4c674be839122462812f9af603

SHA1
890608989260b7bb18abeca9f5318b311ba4b98f

SHA256
00ce75889b09c52d1b74acfcb2ef3dab7d47396c082ac8d9dd55f4a41668159f

SHA512
7c07a8a3c1674bbfc837a4eab7135f20ab5bbf588e54951f8a3b15ee98b89f6280c009eb42276cef200bb8edb8f7a655a77ea230c6c42d77cb03612b3a7780ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
175128974ab70ba62dca32cc6dbacfba

SHA1
9d74fe8cac0fdcab27987c834f29a699483a37d2

SHA256
637b78a05cb03cd68aa85f4141fd19937452605dd14f3ae05bb606bac5a0a53e

SHA512
c4fed71ee03fb90fb94190021b05aedfb96a71ec576ee3b15d7d02a561875f131053fad91818ce2f4eba65e2c436006af11b01dc5a430530350c35b01dcd73eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2367dd60801729be3ac810393c6765e4

SHA1
6436eef9c503354594b64dc1c792a6bf62df2273

SHA256
ad1f473a3ba8730a5815f8697c7d459d056463f1ccd83bd61c7c27c827b41d54

SHA512
09462cb9c2d77240f04a2c0f683598fe4e0a949555f0953c7f4093e0026dc3ee9bdc263ad517c1db17250a2092e756fa7dddb790964b00f8062eaadca6070a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69b5b9bfa74ed21b126278772a7d7c50

SHA1
7bca2443996fc6295321913a3eb765ff6135bae2

SHA256
ed90d23e989d8b58b8279b314ee4b0567ff1aa6d59acfd38919b9d32fd186ef2

SHA512
f34c47106f36780a032d287078b09005594de10f05fbe320a7c5746310cbdd4b06031ff35e1954871137eee6caf54de9ca01670596bc1c896dd52f9e3b8f7c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad6d1f423f476dd6ef0a282dbed164a7

SHA1
8099a38e403267f74807ed77ff3edadba4e14433

SHA256
7176f74e92bf161e1bfd70571f92a1779d795237faddb467902e1d345a50a00c

SHA512
5871775b80a90c1c41d67728629ac0f8cfcffbf9bbf507161abba13fc8fac71292a46358ef3ae273b23b19a1208b1d059c9ed6e8445b78e86b2116e17508dd86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4747cc1d5dacf5bfe8f9c244ee4b5f5

SHA1
30bfe242816c3e569f1675bd727bdd9bca5214dc

SHA256
9520fb1846ee88e20e1f6d0a98d616cd185f31ff7d4315f01de5f8b58b0d95bb

SHA512
1269324dde0cf9d0f7b3adcf994538615c6c536376f08d19b38ba3a67f648983cfac31e311b808521655da36925a462f57da5b1124a2cbe0cfcebffa0cfcc276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37b8c41b93e1a41f63f90a62a9e9caa1

SHA1
05e4a44a7175572a6b14fc2e1d7322ea7b239407

SHA256
e897031d64beec30ea37dfd0a3202d242caa68e578decbd0f0fbf3d58a24c06b

SHA512
f99fa28942fc411ca0945061bc409d8d3c2e3767813d6a560a5fbe6bbf44edda84811556124bdd52fd94c094120860157c71c19adf3d897ffa784ce852fc6260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ee0654acd4633c15b7b41c544a211ee

SHA1
6aa939a7cbe814ca8236e22413de36a0e2170010

SHA256
9123f95a5fc505356dbeb6455669abe24bd7a3c3bcdfe815526e520a7fdd9077

SHA512
317af61c31bea00f2a8cc203621179c4b77f4134e80683018c09fefe1396306b965fd895c7691f5ae30a546e1d08d4981a3e3014a483ac12ee68bc374e2b1aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7766991a9ab7320afce7154c44a653bc

SHA1
723e9ff5029c6349d81f56d7d8c4dabcfaf0883c

SHA256
d6475c6730ebcd3d7fef486301a9881edf8a959cbe889bd2e4779898423d3d2b

SHA512
889084e9a1a12b0d9036dade147caccf84961e2ff9b728b6ae5f6c373a690336de132a49e14f3f4bc7bb98134ef142e724266117e04159e5afdb46d4179becea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFC1D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD1A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit