e3596428cd648a2b0374346a990e71cf4af0feb6bb6ec51d8ec3e369f26e2bbe

Analysis

max time kernel
120s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

geode/resources/geode.loader/APISheet-hd.xml
Size

6KB
MD5

b3be4aa674c35b9c9c07d545364b036e
SHA1

2554db77e27504c363b8c16c75f4bb752bb35b92
SHA256

e96a2d5bc8f0fb5faf06a67f5a022e985852dcaea70d20cd73a3d27271648e52
SHA512

c4d011e96a913c71b8ab34b996e8ea589f7150d3b28b50e30aa4461df481912b3cc18d3e55352123f6f47f3d1fe32136c82fe9855f1676bb6b2eda59029d555b
SSDEEP

96:CyQcEcodcstuO30cRcCcEc+zcHucAWgWS9cpcrc+cfE:XRRSt

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86A2A021-C966-11EE-A675-6E556AB52A45} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413877136"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e93e5c735dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e9178664000000000200000000001066000000010000200000005bc562532e4825903c8187ff827aec301f16b311bdb2ef7d2a1f81e00ee7cf63000000000e800000000200002000000047620cd916d83cdfac6d84589bb3fa59276093832a665de6773960e1e132ff30200000004770f6a40565e0c569917b0454cae9114140a58f5fb75e02c256dd6e7a84d25c400000000969a0450257071f4de3fc7f4401047042923bdbe2cfa239901a6c86c93918789546d87280a270f4acc33fbc959f5d348826d41c8da87bfe3c4e95bd1f0560df	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000f5a2942a8209718e63d44e34ee50f6f8ba95bc5ffccc3c77c92f18801d8c919e000000000e800000000200002000000044ad20f62746d48a2994aef7c9e4ea6a76edbc5e79efe6d8e4013a62a6ba61c7900000005a98f82de6627fef60d90060118a42a2eeea38fcc768dc18af1a9a6d9f0b8639ab3bc23a9c2a0afe57c898f5dff1240138f0b8cae58e91670a12cc21fb226dc1abb60fd078bda403da606ed585db3af11d110088adcbec2db280ac31555ea7b0abdef620994fe6a8adf25ebcdf419bdc3227b9d4a6ceba318005abc0f3bf9576aac20e50718fd5c6f3a1a546169b6b99400000007ac64300e10741e4e84bf0b0cb3eec24ebc017a771e2e13f44da9e57582836c3562ede45dffe8bd36b856164ae3b890b886a4c600dcdd2bfbd90253ef3c1eb89	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2052	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 2052	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 2052	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 2052	2236	MSOXMLED.EXE	28
PID 2052 wrote to memory of 2200	2052	iexplore.exe	29
PID 2052 wrote to memory of 2200	2052	iexplore.exe	29
PID 2052 wrote to memory of 2200	2052	iexplore.exe	29
PID 2052 wrote to memory of 2200	2052	iexplore.exe	29
PID 2200 wrote to memory of 2772	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 2772	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 2772	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 2772	2200	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\geode\resources\geode.loader\APISheet-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cdfb4e3962d19fd7047fa8760332825

SHA1
a1aff9a35bf0d334f1b0490ae42d194c91fb496f

SHA256
7b73a800eeb5e2127f67243a0501b9fb714a3794ed21dfecb90fd22ff2ac07fc

SHA512
2182cb42615473a35465ffde5b7e48a8ce9f8667f9fe490024de0624ef16e9880a6a6ce763b3367a624078c30dca29a1792990f8594c204c994fa1bc31a8737e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5f58b028a7f936995401e001e026b34

SHA1
d0ab3c17fa278dda077e9b15776f08e70baee201

SHA256
a557f3ba80c76b062afdc010d069740a69bdd53d82a3b05635a7ec33f7fd1ca3

SHA512
3d5cc8719e4d32f879d64935843f306f7ff81417f7d8a74253bed3c7252d7b76f3751c644b61aad1801f7a90966ef85412d30a056c98c1b029cd9b83ca304248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c1340bccec020655fbbd2dc153801a9

SHA1
1eaf8d262c4e1e90669dba78e8085bc3fd93af73

SHA256
5e349629e78ef8ce37310395ce873b9781548db151e586d30efdb665cf1e6bb5

SHA512
2600561901ba41e88752f8405e4987cfb326888ed0ec6853ddcdfeec7dc499610951a9b4a5b035de1641b587e16c5dae88fe6212005fd79bbae5f8de8ae7b1eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
181460c345b45dcb2f2cc3fdcaff6edb

SHA1
d6b83c9ef90929d7f9be6c3d84670970a4abe8b7

SHA256
06eccc74a84c41560152d878ec6ed464947b708da5b3b3d7bf6af803bec6b1a3

SHA512
2042418e0f5773fd57e858486162449ce08b377204b783d46a63c694e105caf51263903677827e9e2fbf83866a3c7f574f8c0592eb594742a87cc060b0a19ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
452ae8289ab3c81d0164dbf957b9df3c

SHA1
a8623b64ad81153dc3d4cfeeafed8c212428ea4e

SHA256
adbfcab16ec1c15b3b1f8d4cf8700f5f28a0bcbd665f1a21ff29e2537709da91

SHA512
6e1e15f50946eb89ede84109c558294faa96f216f548d3c4d662c9f3ee5702002314596976c42153c30adc69c972deaaf4e5c0393f58d68e3694bf22aed7e003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0165a744137e078e8cbed72f120cdea0

SHA1
6b2edc254bb005d24716583b76ccf9cbeb3b388e

SHA256
d15a1d32d0a30c1acb42bc9633d0ea608b847498f93b610fb3b621c0d086b2ee

SHA512
0d1a9ddd8aeffab9a4cbdb05b6ed377e15ea4f03ab1f1a27a7d0c4885dc8f35c865917ba90d21fdef57e36814e3f5458857b7a7e32bd0c5014fe36a3145fd718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f78c33e8b5ecb11f49f27cc155b1365

SHA1
a6c53039322753f75fa4f7fafea602726ec55719

SHA256
72f681fb6b73e49b76b243bf1c6367b2cea70890bb2826d7c4fd9f04d511cb96

SHA512
7db0a451377c70dc559f8a1cf5573010f244e261e524be9fe7894294360eebf772a280b99dfb7da18afd1e9a579abe40c5a68480cd38b7d32a2a8c91fe700cf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c368e5ccfb6b26af42bfcf78b027af3e

SHA1
91c745650bb06c6abbe5ba9e629da13f7a8220ce

SHA256
920e20faef3837546eeb42a51d46bceba0f5a0bfb8999ad989cb6cbf6f9a2f85

SHA512
3eb20626ae735014e9a170974432a81ad7a885e8e1414e5ead1c5ed68fac7ac97a0dcc387ebb93c44c651627e76085fc2626ff24eafc70018036695821582ea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
894e5306fff25442d7aa45a769d69807

SHA1
da9fb9ee88e572e7bb84af384b64e1999694f7af

SHA256
535a324186b86df4fd1d6cf99262e58532854b6ec56fb0279d4d7f164f9db673

SHA512
9043af089d63e14362e19dfaa9e69633247021f2ad212d8673a20476aec2264c3b28fd97cb0259eac9706a7896c2fc0878f79a635594cc70b04d62abc1ea87eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90ee033b86c5089ed2d7d0553aaa7880

SHA1
4a3eaaa7b1febce74859138ab5ffd1d871f69c64

SHA256
e220e5a69f9a873aeb57423339312005ab4d2a384f22eec1ccbad7c5c9f83db9

SHA512
b110769ecbe63f669737f39d726edd2de4efe4eec2c59dca8681e024928e15aebadde9d37c8dbf67a6dceb654d1cf227efd39cbe27205086eabc626de0f970ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdd594edfd312cd00b03e9ae101ebe3e

SHA1
c4a7399da0616235eb1956a99c99624039667cb4

SHA256
26db8b28010b97be0e7a0ef5d4f6c0da320e562f337f462e3a257b2bbbf87ec9

SHA512
a433a609967abb87befe9ab5d213733ce3207a7786a0c2a572a065ac9987f90536fb5679b5b2104bd7f2c4034ea69868c224b48e959cc64d8c1cbd61dec41876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ce0f7fa22170ade21d7d06fc0c90564

SHA1
1790f236c78483a17903d120351d271d55703ab8

SHA256
73490a47259e297175e727aeaaef6456d2cad8b5ca44373398307d9171161ee6

SHA512
4607e6920000b77f1f7a24c82bacefd6129cf2c0bedca02d640c7954d39ff73503d6226d401b5250088ef770f76b104c149b5f2885bbdff8980d58746f233248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f8fccf4fb238f7aee01b00fb6853355

SHA1
d82e98f3b442098b188aaddadc53ba28857befe3

SHA256
84941eddb24c043d43391066c382bcbca12598fbb8bbb2d60cdc80232b60e95b

SHA512
8df1dcda79c60aa79f65f9bab63c0d5c8f41aadea24ed25cce4afc4a92262eb316e183caeb358a150807ab653286b981baac23f070e53c1b6c46d6ea61af2272

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab99E2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A92.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit