0a1ae2bb65566514f671912024cd0e5a9f7ca6c886933f04faf2667d8ef40878

Analysis

max time kernel
109s
max time network
167s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/stoneHit.xml
Size

2KB
MD5

e3a4026b370dfa7c5cc5075162033a14
SHA1

d3aa2fe4b23576ab9a8b3bc98f6791ee8f92a08e
SHA256

24dffcf657bb086c7ae5eeb8a84bfc3db981356f7690360bfb0a64d55ef313d2
SHA512

c0eec0f6d866d35879f416957c18b568aad4408522d0ed6ef8b9064039768af86d9d082b670baa83400b1b67940755913de2a90d8b225183eb762036c6a5b2f4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401913846"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4007973878"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4016100523"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A552387-571C-11EE-8566-E2657860DAA1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058728"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "401930440"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1655fa699e13748ab5202304d038d6e00000000020000000000106600000001000020000000625e8c78183dcb91ebe536cae81b6cf14b8c0b96b5306faf547af497ffa53b2a000000000e8000000002000020000000e856afe143ad0cfbaf756462dd7b08986ea62fff2e10806a4abe5b72a6b39a912000000098b6bc09502c2ed2f96a6ebf7ca4389c8cdd6e9c03b79d0b1720863a0f866fb240000000f017191ef5aaa403432cb10da4802edaebcdc7394ad84932d47e914e0c250675422dcfbe89756682c98c66c5f0ebe3747a01cc13c68f394b209c5d93b43f0555	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4007973878"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "401962431"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08213f028ebd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005205f028ebd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1655fa699e13748ab5202304d038d6e00000000020000000000106600000001000020000000159c3db4e7441fd26e001b34eba67f54e53f97af533b1bd0359ee841772080c0000000000e800000000200002000000034366659dcec838e8e4182ffec0ea3dba4982972c5ad1916d81867a2eedac95820000000d7567f983fdc38814411b1feaa6d339207760908f6be23b413a064ee119828bd400000004247753d3ab9085e78ede1ca9190ceeb48eb91d77525aff7b57580ee26a7fb79ee98b152a46144de3d677d9e105111c5f05a0fe133dd5e762fd80f5d9c561284	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2932	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2932	iexplore.exe
2932	iexplore.exe
4496	IEXPLORE.EXE
4496	IEXPLORE.EXE
4496	IEXPLORE.EXE
4496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2932	5044	MSOXMLED.EXE	70
PID 5044 wrote to memory of 2932	5044	MSOXMLED.EXE	70
PID 2932 wrote to memory of 4496	2932	iexplore.exe	72
PID 2932 wrote to memory of 4496	2932	iexplore.exe	72
PID 2932 wrote to memory of 4496	2932	iexplore.exe	72

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\stoneHit.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\stoneHit.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
16d0bb65586872db62ee46480d9d2fba

SHA1
a3af568912c45dbc42fba128072227d705f2e10f

SHA256
32ec593933a2d2f71bb2317b97a3fc722731bbcf4d105c826e5d32c3ad4228c3

SHA512
042afb0bc200a6a45fa33422345fb11f34355d5d3edc548f123d787136b2027a21a139ae0a3061f2fad2394d1cbf1a8c297fce277495a46b59e6b6dcbfd5a67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
37a99beecd046c45a748e7871dd8558f

SHA1
2bfdd227d67ce132a66915a90a195ded12bb246b

SHA256
2561e7e651966598ec9335912c0a22527fe4a254662f8dde2ddea74a9fde1ba1

SHA512
a3c20a10cbc1873d75bc0cba73824029efa7e809e065eecfb8d7b45880e29d2f87ce23134282f9f6504ee010f02bb39819b060e3b861c739db9a36c3cb698a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6HNQEMO0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\7D67Y1KY.cookie

Filesize
604B

MD5
0138cda8b0a63bea07ee8ce6b5bda8ed

SHA1
815939c3217d03fe268ee52bbf6455a315b2f5ff

SHA256
263271c56d59d973a3504378bff4fc959916bdc3acc3c74f11c2974c964bba67

SHA512
5ec7c9829c9dcc51b36b14775684f05ecc8eb3f58febb5b70ff19450a3e492728762e3cfabdb1d3bcdc90e92cced32495e76f716a18edb28e136fda490e733fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JP1V5T8M.cookie

Filesize
605B

MD5
8fc7b8c5b605e5afada386e41a7d1b87

SHA1
70c11cb40df89013fc4775393ba3e66e3d83d7aa

SHA256
2e4fcc8cc0f19c63e9c34694d33c4c508798088328a3581044954ea376ab78c7

SHA512
305a9a0de3355497a2f0e210fd738bff3a43268e5b040435cdca4bf761351d772abe848d69534e9d9cc8045a3fa02ce2c8947fb26542f562ed67ae2bb9a2e4fa

Download Submit
memory/5044-14-0x00007FFC71D70000-0x00007FFC71E1E000-memory.dmp

Filesize
696KB

Download
memory/5044-17-0x00007FFC71D70000-0x00007FFC71E1E000-memory.dmp

Filesize
696KB

Download
memory/5044-7-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-8-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-9-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-10-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-11-0x00007FFC71D70000-0x00007FFC71E1E000-memory.dmp

Filesize
696KB

Download
memory/5044-12-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-13-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-0-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-15-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-6-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-19-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-18-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-16-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-21-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-20-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-22-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-23-0x00007FFC71D70000-0x00007FFC71E1E000-memory.dmp

Filesize
696KB

Download
memory/5044-5-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-4-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-2-0x00007FFC324A0000-0x00007FFC324B0000-memory.dmp

Filesize
64KB

Download
memory/5044-3-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download
memory/5044-1-0x00007FFC72410000-0x00007FFC725EB000-memory.dmp

Filesize
1.9MB

Download