8ae976c8b28baa222b4fd527cccbad2d1102ed21c68f9082c53835fde94c2397

Analysis

max time kernel
119s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Hot Tub.app/Firebase_FirebaseCore.bundle/PrivacyInfo.xml
Size

855B
MD5

01481a78735eb6813ce4f5d85d4230ff
SHA1

b1ad8e84596a742232cfda15edf51d0ca5b314bd
SHA256

11e31f5f6b60e80ebd5901549fce5043f9af3e683f874022945000b405306c3f
SHA512

9df8c09641f2183703db320e69b6b6b4b0118e695ba42c58026556b7a99f67d1c4b1bc1992fd9fbc03cc67665e6ec56aa3d23780209b1e082ad656f6f3d7989f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c733ea3fb44f944939ccecdd8e82be300000000020000000000106600000001000020000000afbe41328976bd67cb75f2e3e29e1ed906fae77683177155037ab6598e23e37a000000000e8000000002000020000000b80437f970e811de89ad7cec38c6a3bf5d969b152c0e8cc27c30eacd884b702e9000000098167f2022a4002b5359a182de696c3a318c215c704f3bd81272da12c8db68ba1d60b8c86aa9063ce8067b6dec01262670ccd2c8fb1ff050216ff9184991e7d28e51dd91dafc2da70d21208323e7d7634f9ada7fd177230f7edee98e1afdd5aacb244d0466a164884c03cd270e3d8d801fb36ef26a68b00753b53573c32580ed2ce0e849f8b70d9d530421621054a986400000008590a566ee80603e9e23aa7c116e30623028608500e917202cc53494d184c4c959e7c29f5760588f72060c0f67b4a7d8c6c044aea4d0dce7a870b0dee0080ee1	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331080"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23CABA71-0BDA-11F0-8D2A-5E7C7FDA70D7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003c733ea3fb44f944939ccecdd8e82be300000000020000000000106600000001000020000000aac9097a361fd25b68be25951425ce435cd0e5ef10a9f38bb8c0f127de4e98d5000000000e8000000002000020000000183a02506d4339b1144cefb5b3004e6dbca70f72c801e0fb268e3135aea3b0812000000011337e450cd2b81c0331248feab6b85af94a09793a65c69ac663ba95f074f5a7400000000513983fc10ec4e884638fe17eb6d5470d32bc8dfa1124b6cf738b98dbbe4204a5d2b1b301e06effecaf55a852775eca35666ed99e14a87644d33fefc138b728	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10314ef8e69fdb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2904	2340	MSOXMLED.EXE	31
PID 2340 wrote to memory of 2904	2340	MSOXMLED.EXE	31
PID 2340 wrote to memory of 2904	2340	MSOXMLED.EXE	31
PID 2340 wrote to memory of 2904	2340	MSOXMLED.EXE	31
PID 2904 wrote to memory of 2928	2904	iexplore.exe	32
PID 2904 wrote to memory of 2928	2904	iexplore.exe	32
PID 2904 wrote to memory of 2928	2904	iexplore.exe	32
PID 2904 wrote to memory of 2928	2904	iexplore.exe	32
PID 2928 wrote to memory of 2916	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2916	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2916	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2916	2928	IEXPLORE.EXE	33

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Hot Tub.app\Firebase_FirebaseCore.bundle\PrivacyInfo.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f9c26193e05df3602aa31c1041c7dcf

SHA1
fdf718e16f5b8d4b57f52cecff6b8c4c92bdc98b

SHA256
b19c5b0c74a7ac34c1f97d7a9977076f25df6ae7fd526590d05f6a53ac2edbfb

SHA512
6be39014a16604efa9ea7e247bd9b3016de36962a4eba825a5c13d5faad3f212178f7b3fa2d1dd3f2b0b3e7aeeba51d62a88c97e2aaf30ac43ad302585bf3c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
289820d46923b3789b8c7a458aaf3793

SHA1
118f6e9586c54049c22677aa9aacd2f1eb161a75

SHA256
0ecbb323434de8fc3a4e29ef20125c1a133bd1c690607e27dc7032d60fcb3b69

SHA512
24492943c8333d28e37a321dca456c80f675d15a66b17e735f449f73deeb63cbf59bc4ea9d0b833c3fd0c5b6acaaf0989e80535da965e96b184d506d5df9c691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ff5bc72b400eb37e46a4773df232b0c

SHA1
ca9d0a530bee254b156dd6e3e8140e35440c91c8

SHA256
55562caba807d4ae9dd069adb3f5239f55101562fcef7c492dbaa998428a0c7c

SHA512
7dc4add3ae5feff2f572421f04b0194bf803fc947b4b0678cb4e8bb284c5333143d5ca99f34b46028fec32649ed0970073228b5cb6c1330cedcec1c951f602b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d96601e0782857c23c54630b4c5ce36d

SHA1
6679bb55723021c4fdc4bfaa421eefacd4174b73

SHA256
08a058c8e15422630d6bd9c66fcd50e0de8252ad6fa4c3fed13133fbd3ea52d8

SHA512
0038ed4fbdfabdc5003c8c506f3dd5e3136c06fc8a41be9f65a68dc7cb27a00f3351bc4d5422e1816c8a6de0fe9deb9b75fb9e2f82b67972daeb2fd313a7f2eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf03d417f980704456bc3c8f35ede574

SHA1
341e10f32a6f81394342a19d75121c7a296d0b7b

SHA256
3c62604161c12ebd55ea179cb9d068c6633d58531f3ebf5d99590c5f37d2f247

SHA512
b495d11f79d6efe0e5e2c22862cc866a57b96d061c7fb5feb27037d824657c7cfadbf4edb432e1459ffa07361303327d73c182f55c2c0c6e921119c332fe3162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
141df528f4a319a1eb43697b9066d61e

SHA1
db3670ada90e75cc90ff1086a56eea74fb1cbb51

SHA256
74787f4929a41f4d5c1ee771216f0945dabb74b991e4d5e6db0ccc424623b868

SHA512
7ef0cf720346d7ab80d545b94cc4af51394c0c12043dcf066a42cd97b9cff89738d7ca0cf678351309ed01b3c608f7e5e776776e2610ecfaf41c9f8fe0a5e999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4df8deb9e4aaaff6ddab60f1c3da5d67

SHA1
5f617d7e8133464b51cb5ca1001e68746ca06b22

SHA256
d8cba768eabe662a9abee1a7724b038ad103ab22438d06a31358270578b3f411

SHA512
a6b88d1a29e15af291de1d942754acbb08693631502e864bcf22d8f0cf5398cd7814c2f2578a8859460ff9de90e2eaa54a6d581ade48c5edb25c31f9989725cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a26a57dd51554f7e6e54a50403eea63a

SHA1
57bfbe52b6a9db7e1ff0709894e7f399da094e66

SHA256
e57e384aeed053de5bab93d03bbc97a75d652f6e20c045375333f4615ee06d0d

SHA512
cea51a0491168850c6e7751682141cdf0457203ad9f6e51f3740589774c7803eaf8ca54a008d8eae0743f5aa7308c222c85f7d28487ecee1f073f7d3163eeef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
160269851147b607fd1ed6fd27938c9d

SHA1
f284543f024f1eb6f38e2726a17d341f7d061800

SHA256
da012af56b3396d29fe2409ddb47b0f9c46b0e887052dc77f4ea2eba1011de73

SHA512
f688ef51f69ef28cc80161fdc89da5583c237f9acf38d797e56e22aa56c8170f77bbdbd7ca1ab46726f1040218906453d5c1b1ed22b28bad3be7f32905c991b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bce2f953bc38554cc141ac2124fbfe69

SHA1
6e17a4a894046790607010e86dea677c15e54fbd

SHA256
7466fac36b12b794853f7edbe298518527e422278aa25b4ec44949757de537d9

SHA512
8ae0665fe52de23322565023c8eb16136b9fe9c7a024f6020e34225796f78a08491a221608f6d6fcbed8c4193c46bc7e4c6c6ecd2a459f24cc8ff86299103705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e952771027da565292f7efb3507e0978

SHA1
1d10b831a17c7c1a558b57ce944e5598bd88b0b0

SHA256
f549f815889f5d6625b50c2e3700e27324a5ee2a025b8b1345525b8df6571b2b

SHA512
ce203e6375ae1e10f55a666fc26a5b8deed48b626d1cbe59ba39b5c1e58fa993f6fa6ec70c2461b806e7393eba041ba89a40789819ea203f75fe6fee5c578c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e49c4be51e98b5a5899462afad03424

SHA1
32d8d2381b7dced0a27dcf10bf5ab33f576d418b

SHA256
f6d7735f5e11912a3e1617d9c17c11910e5d67d474d5b6d34f383efde02be300

SHA512
28c1bb16db5461b9509b58099ca9659d3203f831b1e1af439deabe7addb3eff9d4c06afb18a7cf9a7d7c2c4f7eb8800f51dd583a2dbc3408ea80388a1c419964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e83b66ca30bc09e6b89f4a8350324d9

SHA1
b4ca073640619b9df59fad2841f9f90e9bb69515

SHA256
f03102ce3f28c3d43bc34e6a451514e459fed9f38309ea8601055c9a0856f02f

SHA512
eb75427d2bf0d7af316cd4c977632b7f02457f0d69a660fe866b646a7668f5252095f236ec19f0bd6f518580ff40292eee56c10a9389f30b2e31156263954ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50A.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit