8ae976c8b28baa222b4fd527cccbad2d1102ed21c68f9082c53835fde94c2397

Analysis

max time kernel
120s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Hot Tub.app/Firebase_FirebaseCoreExtension.bundle/PrivacyInfo.xml
Size

478B
MD5

bb9f4bab20013bcc198a617873aaeca5
SHA1

ea20654845b3ac3eb3a2e1f1e0da9e0e18ca4864
SHA256

1377eccedff8f8320f78040e9c9d3e17ecc0ea569594b56af0ef17be44197c7a
SHA512

e162daa56a0ea3f32f8c1ed2e37c319820882c108401feff6579cc43d077844c45e67b99b17b2f51894dff1a97c11c87c6f088e0fac2007f408bfcfd59154b0a

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d057d7fbe69fdb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331082"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d56494e07354234aa255dcd0c7bd3cea000000000200000000001066000000010000200000009b59a800e7e20f656744a1ecf5acd44eb3eaa33c218ed115937168d6344a73cb000000000e80000000020000200000007360007b26d33f2fa5149351f095b3ff1af640f28374e6ccaeeca8a9377f02099000000072b628ed716151f2f8622072faf7e4f03df0a728b7e67867ec97ebd5430b7c9977500fc1b7295ade97d7ed879043bf6e07f065a18c024f76f749608b7986a402f8343405ef6c70ab54cb544c311ceddf0936ed41af5c5ce8b9e51fc52136f18963e967465036abbb2dbb3762e791ef9a730ac2dfdd9c520019faba80ddc83efe7521d2d48506b262ab8b4f61c0adcd11400000005c771fc428411681d9c3bc2020a43737c5642ab9e9e46f4d24c5f3c2e29f59641bd6952cf5a03c316ffc9886b6304c4a5da53d743738739c3a17095f4cb37f76	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d56494e07354234aa255dcd0c7bd3cea00000000020000000000106600000001000020000000608d3ff69e21d00803994d77b557bc9a3e0f686bd1cacc0569675c1c4f6a777f000000000e8000000002000020000000d44656be019b26eb0c7785a266a31491fa0acc30e82138835eb866b0cad2b692200000003b5b6098696cd88276fd570821d96825b271bf56d9d37b3f3a3e8a71e62d9bf7400000002f5ec6d7975b82f385ade8a55ad83ecac16278560e3089375a92218edc1f9d0d633dbfc4f4abf1a6a1bd0e2a585404240fd11e495cd63c28d235ceeffa606552	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{275FC811-0BDA-11F0-B656-D686196AC2C0} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2296	2596	MSOXMLED.EXE	30
PID 2596 wrote to memory of 2296	2596	MSOXMLED.EXE	30
PID 2596 wrote to memory of 2296	2596	MSOXMLED.EXE	30
PID 2596 wrote to memory of 2296	2596	MSOXMLED.EXE	30
PID 2296 wrote to memory of 2316	2296	iexplore.exe	31
PID 2296 wrote to memory of 2316	2296	iexplore.exe	31
PID 2296 wrote to memory of 2316	2296	iexplore.exe	31
PID 2296 wrote to memory of 2316	2296	iexplore.exe	31
PID 2316 wrote to memory of 1796	2316	IEXPLORE.EXE	32
PID 2316 wrote to memory of 1796	2316	IEXPLORE.EXE	32
PID 2316 wrote to memory of 1796	2316	IEXPLORE.EXE	32
PID 2316 wrote to memory of 1796	2316	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Hot Tub.app\Firebase_FirebaseCoreExtension.bundle\PrivacyInfo.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5d9e0e1056bb9252669c496417a78e7

SHA1
5a1a7a9ef6577bfd097566c19f8c19aa88a8e04e

SHA256
1755b2d4b959d1833d727e743c41e2d94d6c4120b9bdb9c9043913f076c43103

SHA512
49d737f1a9279a835b9cac93bb7b714ff7804e134506eb0553a154cc811edae05d5224739b80bf73fb7681fecbbc1166fbf46c21bde0dd967ff073ce0458ea84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6b7d51f27105b0abcb8227501302d33

SHA1
643934c13fdbc92136c818fbb5d563dd4d26c296

SHA256
975a11029804a5b70c48c6a9616cfb882e8521d05ba07fadc712298875a5c0a1

SHA512
94e65b5a79902c1f7b381f76b33879cac00604e770390d0259f541fd45ace1531655cfc5fb5820bef5a065dfb4bb55fbcb96bbaf063717dd311f4e908e5b028b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
474fb0f81a4d413dd28a5189baf609f7

SHA1
487a690b9614167bbe85debab380ea76b7422a07

SHA256
7dd2835850ab89f507029185c2c2452d8c67d08c73ef6c4496375cdccad93210

SHA512
3ceed5560b70498e0d76173eeb82d9ca9c0ff540b4a65783c33d8407088fd7d9a24957a3aefda7b71312b839b8280081bc38124ee8f8ebbb7ac0f3617882325c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51f780155df3e1d8f6b796798f654090

SHA1
1140e47fe405018f82c0763192756f6cb031711d

SHA256
479ed3ab43aed9415ee37da5f2e6e898b78ea3e1cb3970b1fdd5d630869c631d

SHA512
4f33c1f16f8061de9bf8c3c08cf009ebbc6be708b3e413773016b43f115ca42ddf55a7a9498f8982aea20aea6a1f2fe8753a3f1f093b12ea59025b24f96293f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eabbed72cb065ff6e9749765a79ba4aa

SHA1
aee6ce668992faab9f5b28f96155d1534d4edb80

SHA256
1b5b628c092356bf0cc5e44bed7c31593f3e2ccec150a392d1e5dc7e597abf72

SHA512
e48d60fe90ca819116d07881cc9fa67e2981683ab8e9f7a841b31cc11a6c9c6bc02ce1e7276fd2e1d8ddc79bbf466d3962d29958eeb18ca492b0f081868badc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae09eaf6257ddcf1a6ac1c64b11c4574

SHA1
b37d6767592ce5f32d2e2bf8e303b2aca32e4f39

SHA256
19011c93d0a59e849257478e1a531b4cd5fdaf483502dddf0237c2dbd4458598

SHA512
3b90558c839f03892444cec35d0af53715e480d6702c2b1b70cc54462e824cbac8fb3fc75fc5233c50a0bde007bc2a289061a4f71d7e3fa96d8d0e5c12c90735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
490360167145971c7f966e3e6a872caa

SHA1
aa34be69c08aa60850ebad69ee254391b7ca4073

SHA256
1ab618c0f0f4e1577b1968db24d37b2932e303ed9cc2039d21f4a20f3cadab10

SHA512
b6d07d2d9e5dbde55e69935aeab3e93886ce60391540458370463199433dc25b2c9756d4a625f70cd49fd51fcdc05a15dc71d7421bd02f7b728023a36d2a63ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
796b3d1322fd88ae971c68aefb0d0c96

SHA1
3f4b07148fda3609fd7dd014ec315af76bd7c6df

SHA256
4def839d48071dee20dce4ae8fd1de7431cae75068dd927e7c2cc34cb0b32ee3

SHA512
f6c0bf9a941c3fb4880a29428cf5f5d1cb5cb3613c6186c8d218f70b065d31441372f01607ec9a43908f12f18375ec09e5de8d47e6776cc76f06a4143ba5d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD598.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA81.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit