0a1ae2bb65566514f671912024cd0e5a9f7ca6c886933f04faf2667d8ef40878

Analysis

max time kernel
110s
max time network
166s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Geometry Dash/Resources/trailEffect.xml
Size

2KB
MD5

d1071bd12eba2f668474950b17056c0c
SHA1

ce8bfc6875f3b98b36f5100bc6be6ff89e4f194f
SHA256

07a28b7f74882773e7e0d3c96f470d0be3347cca777bc11f0859627e8ba7d53f
SHA512

f796b0ec322cfec72b00bb01ae75d0669d76a213a5c6df62ebdc040a0fa491dcd766a6608bb69601b5d484c856f230ba667627c397b16412b2c32d9040ae2f8c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4227748513"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401913880"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06610fd28ebd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "401962465"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{276054B1-571C-11EE-B403-620C9E50A2B4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4227748513"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4236030306"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058728"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "401930474"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7d609770cd1254b818f4f87ebce2ea600000000020000000000106600000001000020000000d54e2e21f1dbcc12bc0ba29ca3ce7321087e49ae25bc8495b00f76a103adc24c000000000e8000000002000020000000104a7313a9a9be12b0169d0b379cf9a0b1e9f7648ed471a41032a8985b7110fb20000000db3301513d4594a9d8c648affeff4f65a98a94a8d2418e11f63c3b0f1a0ec1be40000000017c9620435fef5b428c48302956f1f6359dd4770e1b04293379c4e9c031d970438adcb2013e71b54c5738aceb406d8b583adce179c8c42b2d75feaf87dc6171	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07f04fd28ebd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7d609770cd1254b818f4f87ebce2ea600000000020000000000106600000001000020000000cbe9256abc697fba9ad69ad21d1143a1ef2ad72374f8e5e0a9959cf409f3d113000000000e8000000002000020000000ef698a94640041f7e01dadf4620d2211b42c0aec78fccdace6d0037bf460527e20000000329d1bd7b15d79bdab896b4f0008c78c8c2a2bc003befe463d58ac8bbb47ca6240000000c0139e1caeb6d4f34204958cf9df05de8b912ee6446226842be1f791583cc88d123813899669c0443deab9bebc5a129fb2167c02260c0d3ceb0f4a4cf104a426	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4784	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4784	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4784	iexplore.exe
4784	iexplore.exe
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 4784	3256	MSOXMLED.EXE	69
PID 3256 wrote to memory of 4784	3256	MSOXMLED.EXE	69
PID 4784 wrote to memory of 4852	4784	iexplore.exe	71
PID 4784 wrote to memory of 4852	4784	iexplore.exe	71
PID 4784 wrote to memory of 4852	4784	iexplore.exe	71

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\trailEffect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Geometry Dash\Resources\trailEffect.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4784 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
16d0bb65586872db62ee46480d9d2fba

SHA1
a3af568912c45dbc42fba128072227d705f2e10f

SHA256
32ec593933a2d2f71bb2317b97a3fc722731bbcf4d105c826e5d32c3ad4228c3

SHA512
042afb0bc200a6a45fa33422345fb11f34355d5d3edc548f123d787136b2027a21a139ae0a3061f2fad2394d1cbf1a8c297fce277495a46b59e6b6dcbfd5a67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
6cb0eb920ee303a75369bfa09016ffbe

SHA1
6e030478a3d9e22e996b5eaa78ee223b0abaf858

SHA256
de61b039e1d76ed8e8cc866d4dfdb902c9a5b13c5c30c908739d369229d3acbe

SHA512
e8c0fa37fd2574a25a4df2048e98139a86c5405fbad7f6198d052a24e970a63d29507b6ab632825fa2992220944b9c7171bb06f28a9c4c18d9f7431928758d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DP57REOA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DHLBJXK2.cookie

Filesize
608B

MD5
85f0f602d3573fd55f8a6038c5014331

SHA1
906aafa4290d42c49619414fffe133d4f942021a

SHA256
88435ce546d9f90ec1c71b7d0ffb22f04739dec0215cb0d73303785da8342aa9

SHA512
93cc74736e8c9ba11b3e90cd6dfd75a51124853534df7714012501ff7c607c3e31b7ed523a3ed4b11d1dd475b811872d74228fdfdf0a0f9241810999aa0047e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\METPAAPU.cookie

Filesize
607B

MD5
78507577fa39309bd6164bab88b7d71a

SHA1
b8dad7a86ff1eed708ed0a4495fae7b972dbcea7

SHA256
e3c2dfbd5c5ac7c63793f37dfac0cd82d7ea12cac75d61df65b67f6d1e5c7620

SHA512
57aee4c84d268751b40e94b1f99be0a2dc0a3857a89b9d2152db66fb24eaac91813aa612c0af73e72270e148c5ff9a9145e00b77379803020dd54d7bf418570d

Download Submit
memory/3256-13-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-18-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-7-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-8-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-9-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-10-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-11-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-12-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-14-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-1-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-16-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-6-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-19-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-21-0x00007FFA3FB90000-0x00007FFA3FC3E000-memory.dmp

Filesize
696KB

Download
memory/3256-20-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-23-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-22-0x00007FFA3FB90000-0x00007FFA3FC3E000-memory.dmp

Filesize
696KB

Download
memory/3256-17-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-15-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-5-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-4-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-3-0x00007FFA42450000-0x00007FFA4262B000-memory.dmp

Filesize
1.9MB

Download
memory/3256-2-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download
memory/3256-0-0x00007FFA024E0000-0x00007FFA024F0000-memory.dmp

Filesize
64KB

Download