8ae976c8b28baa222b4fd527cccbad2d1102ed21c68f9082c53835fde94c2397

Analysis

max time kernel
122s
max time network
136s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Hot Tub.app/Firebase_FirebaseCoreInternal.bundle/PrivacyInfo.xml
Size

855B
MD5

d9a1434ea74d42663991df3301fc37f4
SHA1

89fa1386ba9b6eaa0b1b8ca302bb8c41169fd03c
SHA256

5b7fe979423dede3e08afc29a42f00f6086275dc548a84c29774235863eed3ef
SHA512

bcd074775f37cb216fd41bb106f74a6be8bda5cff91af9481f222e431c23099225f370bdcc73f990434fecb816b36bbb90148e97a37b878f05ea37cd06cf27e5

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a040000000002000000000010660000000100002000000081c34071bd8e9fab8b3aa1492ce5d02f5c37ba7b91d2b91441eb9bb392b1b640000000000e8000000002000020000000b3f091809c069f31eb004904bdba484918dc77f4a6e999529eb037a46ed8f83e20000000758dc3717fd50908a5d6a778d0133a4efe8ee08c7a50e6f310fd17377b91e74a40000000ceed0bdca7bdd0c0ab650386d79fbfa7c9e6a49651be97e99ce0bc1ea13811ba48c11a9402796518e64959fcf04066672c20f4cd6920ba37299c80f02a302965	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a04000000000200000000001066000000010000200000002e507529dc031adf26870e17bd0676d289377bb336a561a675ca153b017eaee8000000000e8000000002000020000000e67eff42bea61b13162fb69a49c3ee8d2af91347c144990a622aa7e97d67bc8d90000000a15e834f4e7717922bfe66eb241a2a5b44941e1663dfb32363d7ad213253972a74a337f2de507552a2ef3c3df2cd0ebffd543bcd69276afb556ba880bace0dad5b4b8817244fd807dd83130df3b83a72eece135a422f413e82abda04bbe0beaed2989d92e882d35018047599d681803c7ab8e759478db74872ff194956cab0e38512474547b50e466477f57877eddeeb400000007073b846e1832712e9775563ccb9356c32f707fc8d7f37362542b11134392bc646eb40c428e5133f94dfd799538e5811f62b067e8761a6c0af7ddc92e192e6eb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00e8df8e69fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23F8FE31-0BDA-11F0-A54E-EEE4B5DE6E77} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331086"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2784	2740	MSOXMLED.EXE	30
PID 2740 wrote to memory of 2784	2740	MSOXMLED.EXE	30
PID 2740 wrote to memory of 2784	2740	MSOXMLED.EXE	30
PID 2740 wrote to memory of 2784	2740	MSOXMLED.EXE	30
PID 2784 wrote to memory of 2760	2784	iexplore.exe	31
PID 2784 wrote to memory of 2760	2784	iexplore.exe	31
PID 2784 wrote to memory of 2760	2784	iexplore.exe	31
PID 2784 wrote to memory of 2760	2784	iexplore.exe	31
PID 2760 wrote to memory of 2792	2760	IEXPLORE.EXE	32
PID 2760 wrote to memory of 2792	2760	IEXPLORE.EXE	32
PID 2760 wrote to memory of 2792	2760	IEXPLORE.EXE	32
PID 2760 wrote to memory of 2792	2760	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Hot Tub.app\Firebase_FirebaseCoreInternal.bundle\PrivacyInfo.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88db9020fc978b77623aade37b212193

SHA1
09358d409af3ac0521bbe4ab43ab5b2d69bdd107

SHA256
3fc6f25956fe516c17cde226a38a33e0e810e514dccef1bdba04576ecb2944bf

SHA512
8e8799d5b051a100f877f2fe1603b12516e12651b816ef3eee4b21523d42cf3f1f4856da589233604083e5608c6b378832aaee33bf95a238781753b91af47850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ea7317e97a6afd1e150439df850c59c

SHA1
0687f1c4880b3d2e9509e91f7272b1b56a60de93

SHA256
4a52287264ad909fd07ba28db590a0edfbcaf63813ee20fdc0808ddacc58fe08

SHA512
d2ab0e81fa6c79baa314203e90e22a58e84126a2dedd8612aaa74e3c1e7d07946e4403748823bfedeb792a52fc4978aa5c9071ef44556d1f42f82514461e44cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28255c1d8d263062513f5a334496f929

SHA1
19b069bd76a6943f6fe559e44fa649bae8b05606

SHA256
48e77d405c53e01a06cf4030c1c1fee29ddda9c16b9fc994abb1dafb150343b5

SHA512
cf86acaddea542a9aac90a2de5a03062d8ab31d3251ca5bf07347e7e8f3758b225380786dc33ee18c389004d527a45a6cb5ddcbbbeebf970dca336cd59817019

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e83efd15bdea9137c093e8909d8eb2c2

SHA1
43f3861c83ade24d845ae6e83b8f6ca117519570

SHA256
55ca3256b129236c011dfd7389bf885d0e9b1f02681964939b7dbf3d262529c2

SHA512
a784a6da2243e0d1b0bf569077995f3672de6cad310e4ddf6bbef1514d230a53facee7dff40093c88fa511559fc3be65e85998cabac64d2651067c3aa4ade89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
feb6550e6baa6b857bb642fad5687f03

SHA1
c0c5f68e14b23bc6ae1c3f52162e7ecaaad821aa

SHA256
39587ca423414123c6c738725e1c5bd9ca7c6051a52e40941dd4442bb8051ea7

SHA512
32f507d959cac5a4eda083a224213dc2a639ee929d792a1132abde241b92212a1f0cfe80c191aaf970295e3f5eaf6ffcec68d5731f6f43a73b948bc4800af756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee205f7c750f69d91e7d3e025d6cda46

SHA1
d3901c24eb3bbb5865f52ddbd8eb2851c643b69b

SHA256
6d2e8245820f363191eb6514dd6f13197f5c55aee7add8a00fe1e956bd1eecf2

SHA512
51763565b2e3b90c3faa84462dcaf926646874af958114b9d59ade6f4bcb98f579e8c43ce24489a4cfe23e2f31dddc1d7ab89b3bd798578081f3d8046487466a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
574a4741084ff035c205eed598691365

SHA1
4d308d4a79449524adebd59cb817056d63df6fa4

SHA256
3c037030e04142f5ac09564beb45b29c2e35e3aaff687bcea75b38d2ecffc5e5

SHA512
7782b1d2afb4be518a50628e8ec78c74e980fec6a6e2d03ea94398e95c3d5ae169a3468dfc7064310ac849bbf3819cb20cf8124c21bb2ffbaa6636f1a8d30af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1962d87200c7166e801f076b89aa4d99

SHA1
06f4154fd2a5f11ba97fba932a188e0c8a773751

SHA256
96e0fba365c61eef1ec0320803ef7ca8b18fe2740e4a82643d3bc0ba634fdcda

SHA512
52b09da9b4aba060d7414778e4c8e8c09d6297bc45d00de784d012a76d87e3c2ad9533521493688c36cd90122a896d754f11f42c4b5b2aff80bac79b889e97ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63fb9416471521387bb00eee93b3e51a

SHA1
4bd0eccfa73b9605a3f007218c6836bfdc2a7cc8

SHA256
c87cd4b7150eba0091f71649ae66342928105960e629b8691946c38d2962a333

SHA512
0f695a09106507f1faf551e14f4bea473a258e8753d0d76154438b9d515a04ad8e1374a4f6fb406671a0849946a3723de432108229e908476b4a0020953b46d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b805acdc290628a5c09e8e6f82515171

SHA1
9d3bdfc9f60332eea4dc84792b800d786257754d

SHA256
ca9631e5ddfac120efcbfc6b6d856d133c82fa9cb541d8fb4363ede3002e8386

SHA512
0c71b64f5e347aa4688f3f22aa6407ce540da5c7bac27513705eec345fdb96f9e7d416b36e575a92993a476ab6cc5089488e2ca05a2b4adaf2bc70c6a203676f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b834312c787d79f414e93d65205daef

SHA1
86830a97af8919ae36270ee6a42d599b9c1e54fb

SHA256
a1077de180ea5bca0ef8790026fba6fc1918647a710d1d26674e8b071c1e745b

SHA512
27b099fd9679536c1f0e29a21e6defad0db4d0d00bd18320f008d0d58afc5450c54ac4d9f08de60c6578b7a3470fbb6a3914f0373d3641e6186b36f2444bf230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dc8fd7fa09fdff36762c97d12f6ed71

SHA1
ef32f85c3b26cffd8d65904464465634d46bfd51

SHA256
68751da386e87d1a07bf350e3e7c909917ceeb0681625fd8a9147b2a80a4ba5a

SHA512
88d7557dd27f0e5af7224ceedd879d26a3b36396a5b45337c3e29392ac2b942902281595b9f1d9b504909dc0739bb7482fd72496aae3e0d1a4afdf3ed48fab3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
935124d9392e2a046b733f10177fcf0e

SHA1
e10c059dfb088a21a57f6116dcd3de031f16eb0e

SHA256
6524dbf4bc900000e317c8c62dcd58d7a11849a9d03c44bf2e9f0c4dcfea76d8

SHA512
75bb3cd492d358be84781d543097016c4c151d729d4ef9ce62ac751ad325c5853660c72d2fa4e0610314f7e9c2a94b1ad7f64d293219cd9ae9114b50ce0eecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab143F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar159D.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit