b4fb522c3ace596c6464955c11a33f2de2fbc23a1eba91cbdcf3b4ced7e16413

Analysis

max time kernel
136s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

geode/resources/geode.loader/BlankSheet-hd.xml
Size

28KB
MD5

b37efa16cdd383fc1a8d70db34a471eb
SHA1

cbe34193485de0eec3cd0c82c0201062fdf58fb4
SHA256

85266e450e8e3025fe6254c7afbcfc59eea09f04a0142e767033296e1f58d1d1
SHA512

cb7e53075744a8640b119a9dbf99e61c79bdb781e093aadc6758aa6b6101c264933409c9800436e927db8e6a35cf8275d628797dcc4223905e727830e1747fd1
SSDEEP

96:CybcRcSzc37NDnbzF3KeQxgPbzQDfrLTSbzkh54wkws3bzDwjgouz6duzFuzHbzK:X5778ha8ym40TWP646digb2Wy

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005512669cbe16126b96ff39247febfca527afd7f149049aa0ec7853e1678dfa6d000000000e800000000200002000000046edc5e53ed213ec36cc7004e350ef20e90764a6fab2882a7ef343281eb5b510200000000a3db355325f7d391491dcccb36b0864caa23b379e004a1510f61001e809c06340000000e4e219e9586766f5c3d0912be17423b670a0093c7d161bd2ced9571c0605f24b5c084e7e1efc5cf189fa4de21cc5cf016100ec282c26c9f29f500e06d7f619b9	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438565917"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{921634A1-A9F1-11EF-98BD-527E38F5B48B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005f31409b8435fb5ee2cf65a1be3173cf9f2dfc86f7e95b0ba16fe40a0b028c49000000000e8000000002000020000000d5ee66de6c24b3e715f25efd364154df459b65e2e931d0ca66697806bc524a6e90000000947a6a2ad5f3c40890d3b37e9f6534ddca5962bc40c7bf3d766629d867de5aa2109cb8cfcbbad756f34e6a976c2551bf399e792cec642731d8e48210def1a22819b430301b47640477f91e684623529fb3376cf62b8a21321ae242c8ff79346641fa579a0b61681958104147efd4a88413451f2a12af8b0ccdc24faafd49f19f05afb8c3b88e5148bf4c10683751b4fa400000006c37fb0af68c99ac125c48fee7a75583c6133437e50c62bcced3f70602d5c3da3abc2862363f645d83e79221978d5c12de895613984331ae00d01f59da4c6a59	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502fc966fe3ddb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2848	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2720	2012	MSOXMLED.EXE	30
PID 2012 wrote to memory of 2720	2012	MSOXMLED.EXE	30
PID 2012 wrote to memory of 2720	2012	MSOXMLED.EXE	30
PID 2012 wrote to memory of 2720	2012	MSOXMLED.EXE	30
PID 2720 wrote to memory of 2848	2720	iexplore.exe	31
PID 2720 wrote to memory of 2848	2720	iexplore.exe	31
PID 2720 wrote to memory of 2848	2720	iexplore.exe	31
PID 2720 wrote to memory of 2848	2720	iexplore.exe	31
PID 2848 wrote to memory of 2696	2848	IEXPLORE.EXE	32
PID 2848 wrote to memory of 2696	2848	IEXPLORE.EXE	32
PID 2848 wrote to memory of 2696	2848	IEXPLORE.EXE	32
PID 2848 wrote to memory of 2696	2848	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\geode\resources\geode.loader\BlankSheet-hd.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03a8bf70061ef780557aac6460321f43

SHA1
b46745334e56f1ca5b228857ffe981e11cae620c

SHA256
77d1160c7aa51b9bd6d25b48833b9bf35b25f2bb215a1229a573ff5078e4cfd4

SHA512
050c5d6add87100bd39df2d7bf469570f2e813c00db6ac8d00406c1717a334102c88b84935be713255c6068b4a30927504cd66d5a6f4ca8bf52b84760770ef8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3afda7a58df52ed175753afbf95e2955

SHA1
94ed8f7058b079f2b230583434e09dee49bc9022

SHA256
13584473873e8d205ea0f513a054ecf01262c30dc3b53773f9615c20be57bcc8

SHA512
ae3dec29c79d2eb65a26d2c6d7dc7334b767454104d66d952671f3d0ad4f3411933ce2d0700745fb764f0ddcd612797b89208bae6592b18cbd2228fa8107ea64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1254febe2f0251bd26859dfda8200138

SHA1
2d7586e9b9ee708ad95f48cd1a62a1ff923d2f36

SHA256
ce5bd38339ac53fbefa8c5bccd2f71e696f666db18dcc7403ccf3cb8b2ffceb7

SHA512
c6e1287d47f503747651b6246d82d82ec65d566772e5b587e200a05e4de98d16fe18aa356c44d658384bc0a9f23a556b14a61d0ab3005bf61c9761ceeefdeccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49c978161f90a15046f4efda94a24fbf

SHA1
a6056f1cc694125ab7ee087f6c5d9a5d33166760

SHA256
f5e244f16c96013f3fe486ac4a054267662bbe5370dc5e5c1f016f5b9f7a77ac

SHA512
741c44cadb1a6162a1ad73f85103d17e832a55cc788363d38aa9549c99d088b0a7cfd0fb112eac41065754fd77c5633f11511941be2096657f7b711ecbef1aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38866925b598de3c34ebdcec77d97ba0

SHA1
f4af341c47ea89b4bc03ebfd0578b853a9f2e996

SHA256
9c86a5a0b7db012a4dde96d5367d8355ad49998bca17c501486f1966345d0dd2

SHA512
999fbb40b98ace97da7cb3ec8364a4478326794fb9b2e98271faaad4f34e444284cfc359e32e25544dacf605c44f876f8c98f3294dce6d2797aaae5104283013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
601dcadfe4ba245b1fde73a2d26bb731

SHA1
b62219d98ce1d1762a5a032cb20e72ae4d2261bc

SHA256
29bb69ed3aaefe2dc855a2e1900f967b44279cd684e0a7d210a4f63a2762201e

SHA512
3a0c4b32379e2e4b8bba21845a6b3cd2388adb37bc4abdea86be4f4e6724e6246f8c06b6f5b93b74060c953093e3d352a3d6609060b75e2d091518adc8b9191a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
381607b2f768baac01005931b3783b18

SHA1
0f7834d7cfdcd89bbe84ee44a60935fb705178a6

SHA256
4655f2557a7a97332fb690f5adf2d8962d0968a33e542feb25cac060a6e08645

SHA512
490323014d59c4dd8b6da0d2ee52605afba1c550c1c100ab9d11c06b584251be63e68e6896bc99eac0e98ab46a4a324399a8572b809759ceaedb26b0d9da8ea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379a944fbe51b91b20215e38d5c3bf43

SHA1
dfe8aa4c87995b17cb329691970fed69a0983d72

SHA256
04f3a953689359722999e163102405e0b2ff7e3f78815597268081a025f4cd00

SHA512
f36bef7b9520932ca69775de364d9e6ebf1aabf461ebf19f49d1935bb9ed9f9ce01b7171af83fa023411d052f03828c45fec4b2b0810448e3f951f55e0d712d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e662160ac844c53ef00711a7a976028

SHA1
f07b5fe0c1a92f26bccfe47fe127dc1e84cadb8f

SHA256
97d6d3c4196e89ebc5f9fd5c6d81de1d1a7580734bc596dededf779c798322b0

SHA512
91466fc49a5edd76984ba49ab270c31f7cf705df1664a302847fae2f12a0802fd8ead83a46493e74c91cca7c74e10ebd1a591062356b5a2b57e78020f1810a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05de2f94a94bb59f6b2600b3dd3f1fee

SHA1
16e2fdd3dba33895e842898f0d524e4d013cb9a9

SHA256
03cdb39c4128bb20408dfd6be6890a2ae6103760351d381b9683166768f3ea24

SHA512
71a766364ec31761e7ef709e2b4d31dc101da764f3c19b12449eb61f2a7d4d87176775d92066f3b3b8a0748a946231b5a012dc9986674e8ee6c557310efe1d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
659dfdcee1dca840928ad5bf4c4b5faf

SHA1
c5a74b92fa2ce900d5f74d30405a7d138e827d5d

SHA256
2d750f87a1bfd60a2104aa5f8c419688e12d428b1348e0733ef3aea0ff58d1fb

SHA512
2500ae151c6b10605d9c359001504f67f907b821149cd46db236bc905e3ea532f58d52b3be435c39e24289a5de732d44abfda8dd5226b275080be923646074e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0786040f1c992d5a2ece5a5f92f3a080

SHA1
ac6b24514bf0491965dd753099920229b408acf2

SHA256
f0a83425bdb219a2fc552bd595b433c1cbc7b6887bf0faf7d11168b48508b869

SHA512
af2d5d091da97c90d87c7f4f82fd871a1f278df11038da3238f42a2e9b9cb6e3b0395bc2c9709c34c7c487ac51e928e376638f67aeae5e3553515da248bf9790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22a8ba15c1b666b010b0c7b94df4d14

SHA1
1c9a694a76657bcfe56a61c108aaeb28ede3cb77

SHA256
5105af340a990521e3caec2661eff256272aad57ded7a8b2a653184d6f32e4f9

SHA512
a1f3c429bf83556fb708fa2d1f089150ef72b508a3e9c1c197389eae67c1505534ecaae78b8f920082b2e0f0a07dc088e0529c0daef8d2cc45d2e93cb2bf3946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
656ad9e9be99de429b9e527306979e9f

SHA1
46ffcd2700abf79364413de3047b2cb05cae1a16

SHA256
4a82d31c232bc207fdb23b9988bc93672ed19c2986a327f5e0556515ec3ed83d

SHA512
5172729cfd687497456c685d5b7f8610572977f0a1163f54dee0e817b75a1c9b8eaf371005a71e61284ca343f231098eb2622c14b3ca05f2ff0e4da6aadea269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3719.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar379A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit