0a1ae2bb65566514f671912024cd0e5a9f7ca6c886933f04faf2667d8ef40878

Analysis

max time kernel
107s
max time network
160s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/starEffect01.xml
Size

2KB
MD5

31e33f96feacbea77c7b8a60ab7aa90b
SHA1

5e4633307f45fba53031b56205b1709edab0489e
SHA256

33ce08e3b29a2202cd5a17ff3c2a2f5b4e0dbe8160dea9b9d82ded6a07b92a0f
SHA512

b56daae9c1dc1482f25aa5dc6ef2b045a564313bde3028c9092a3bc9e93a0be462214c41944a1dad084c2f2c99f8a43ff6741b540ecb7f3bff7c82ebe3c67fd0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "401930431"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d2dd8e9df6e958498930b44c83ed4e6600000000020000000000106600000001000020000000789d993e9086a31e0f25202b60e609708eb92a3d36e2c7cf76801549d377c246000000000e8000000002000020000000d4ed7f17ca502e60c6ce2415ba883ad38bf6891b7e17ea9e71ce8b73c4791dff20000000545275b301e00a3c708011564822f35d0f9dd417c62eb61fa525ffe817145d8340000000048e78700a3ec456a86a53f9b0275720ca1d7a4d50e02dda790d5fae876f693327b4182643ee13dc2c6a3c05c330fd15b37923985cd3377cd4afb7e0d0ab2c4d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109287eb28ebd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401913837"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{154ACCAF-571C-11EE-BC93-C2CA484DAA98} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d2dd8e9df6e958498930b44c83ed4e6600000000020000000000106600000001000020000000132053cf21c3c8175f914e52587b4bd3cd5457d1e0dbc12e703bf07490c4bf11000000000e8000000002000020000000f3467bea8439f4e509bd19724cb96078c14cadaa106092f7156f606cc617d8fa200000000fa88d144919a2f289a4bfb6162f754afb3d48561a3f290ba6888e168e9a3a8c400000002d491e9302f271e21994bf2a332c6a21e72b76ea4cbcc6dc5236127f393b8d0cd47c0f561044d8596d8a3be7c698637d0a76c91e8d78e622a2c50a719e10bd7f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "401962423"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3934817533"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00791eb28ebd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3926222259"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3926222259"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
804	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
804	iexplore.exe
804	iexplore.exe
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 804	4196	MSOXMLED.EXE	71
PID 4196 wrote to memory of 804	4196	MSOXMLED.EXE	71
PID 804 wrote to memory of 3172	804	iexplore.exe	73
PID 804 wrote to memory of 3172	804	iexplore.exe	73
PID 804 wrote to memory of 3172	804	iexplore.exe	73

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\starEffect01.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\starEffect01.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
16d0bb65586872db62ee46480d9d2fba

SHA1
a3af568912c45dbc42fba128072227d705f2e10f

SHA256
32ec593933a2d2f71bb2317b97a3fc722731bbcf4d105c826e5d32c3ad4228c3

SHA512
042afb0bc200a6a45fa33422345fb11f34355d5d3edc548f123d787136b2027a21a139ae0a3061f2fad2394d1cbf1a8c297fce277495a46b59e6b6dcbfd5a67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
83db0554e0637a263644eba9fc1672c2

SHA1
17e9c293eb046a0afabac171b76806da8f1fdb33

SHA256
c4602d9b4daa70c5d0498e0bfc76771c6f9b2bcc0897b2fbc8387aa9199e4139

SHA512
f6e0faa6f6b58be093b6de0a61f0d6c41de31311c014d17023321c32f155163cefb214af587a542a8f1eb776fa3ea85bf2c5aa5d0bbe968fb09e9f86e48d72fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BYH6LGM1\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\51FNAG2S.cookie

Filesize
614B

MD5
df4aae9e9626e9a2fc9d80c9f4772195

SHA1
9913d03b2e6a60b2e17a37c7ba03d48a07b2a005

SHA256
b99e897799ab178ca339aaf6c465b0bd913084a62adf3be83d7fdac86bc9418f

SHA512
0079cedbd74c273c31cc717ed15519f15b0aedbd0369457955ed50ed0b7cd94719b83108698a610075d28adaa8b38e23b0c6321a03abbfefcca763bc4e56f237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BF6YL3C7.cookie

Filesize
615B

MD5
07d6ffb1383cc92461a57bb8f867dfef

SHA1
0f555e4326c67b3996af24a3841a288dbbd9edee

SHA256
4db2091f712f572e2299f2ab939609f35d8540218a9c26cf8bf8bd69d4f815b4

SHA512
0c75dbe3a1b8e6b82df93526177f7217a525f88c5b71ce51e132bd5f8376c64cfc275f79a9246fc23bd7f4d6f9437aacfd2a0ec4c014137acaa6736948a23059

Download Submit
memory/4196-14-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-19-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-7-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-8-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-9-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-10-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-11-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-12-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-13-0x00007FFEC87E0000-0x00007FFEC888E000-memory.dmp

Filesize
696KB

Download
memory/4196-0-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-16-0x00007FFEC87E0000-0x00007FFEC888E000-memory.dmp

Filesize
696KB

Download
memory/4196-18-0x00007FFEC87E0000-0x00007FFEC888E000-memory.dmp

Filesize
696KB

Download
memory/4196-20-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-6-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-22-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-21-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-23-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-17-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-15-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-24-0x00007FFEC87E0000-0x00007FFEC888E000-memory.dmp

Filesize
696KB

Download
memory/4196-5-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-4-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-2-0x00007FFE8A550000-0x00007FFE8A560000-memory.dmp

Filesize
64KB

Download
memory/4196-3-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download
memory/4196-1-0x00007FFECA4C0000-0x00007FFECA69B000-memory.dmp

Filesize
1.9MB

Download