8ae976c8b28baa222b4fd527cccbad2d1102ed21c68f9082c53835fde94c2397

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Hot Tub.app/Firebase_FirebaseInstallations.bundle/PrivacyInfo.xml
Size

1KB
MD5

909ec8a142f6427169254ceaadb3ba85
SHA1

59741426bef978c4608959cb1b27fc1abdee2d45
SHA256

cfbb3c4f76a66d53698bae91f7110c00f2148e6e6f13ad7d32592909bc010e51
SHA512

4fccee3177669409985a6822d9eeb36cff23333845396ed33cfbf88f4d862db597ec6a8843d7e82c29816c44c7f0926614e225a9416201b6c2413023b04b8466

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b162c88be6795468a3ad00e32a1c0850000000002000000000010660000000100002000000041840fc58cc49900fb89b006495ca7a40abaccf76005c5d9ba4e54688e4a63ab000000000e800000000200002000000017e323e5d7fb753df50dcc992df3433e4d0f1861ff9ee1fcb9997d2af049e264200000002f1da1d04c21eb023859efe09f6e2944d279c4a4a03716a5fdec197bbc04cb744000000034949ab88ea8ec1b944084f4ae3397ddbff05084f0cc244e2af5a52f198d1e76f8e40a574024ac9cd90d5a59b144133834db2f0b2ebfe92440472a6e6d7447a4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331125"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D889051-0BDA-11F0-9D46-D6B302822781} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10789802e79fdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b162c88be6795468a3ad00e32a1c085000000000200000000001066000000010000200000003277b503cdb8f55b3b811ebcebe244e066a519998699992df1986d9c382b6ec4000000000e8000000002000020000000d8b014ef25593bc7ef195d32df370f92f175d9a6b6cf008dd07257bc0df163b890000000575720cf6e56a680fc2c71eee7caf42cd10dbb8ddc671b069eb6890537411a754d088d38ba5699549834b2d541d4d4e25d012079877cc7e33f41b30e83949db7e8be6b8972d34847befdd2ab90d83631fbf4f981d421bad39d6f9ccc87844a52bc7b170ad0606d2557f8f4fc2f5b09b612c6562416e010a05058fedc980103f694c251fc9be68a54f6055daaab5c4652400000001e96c6a1414266e88df9e39a001536d56e6fc80ae8e4c1f7b19341a47e1d66cd63f6c75473560dab810e33145f49898384ddadab075bd6b0b02e1d68df1cc04b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2912	2076	MSOXMLED.EXE	30
PID 2076 wrote to memory of 2912	2076	MSOXMLED.EXE	30
PID 2076 wrote to memory of 2912	2076	MSOXMLED.EXE	30
PID 2076 wrote to memory of 2912	2076	MSOXMLED.EXE	30
PID 2912 wrote to memory of 2900	2912	iexplore.exe	31
PID 2912 wrote to memory of 2900	2912	iexplore.exe	31
PID 2912 wrote to memory of 2900	2912	iexplore.exe	31
PID 2912 wrote to memory of 2900	2912	iexplore.exe	31
PID 2900 wrote to memory of 2288	2900	IEXPLORE.EXE	32
PID 2900 wrote to memory of 2288	2900	IEXPLORE.EXE	32
PID 2900 wrote to memory of 2288	2900	IEXPLORE.EXE	32
PID 2900 wrote to memory of 2288	2900	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Hot Tub.app\Firebase_FirebaseInstallations.bundle\PrivacyInfo.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7f8c699acc785ffb38a1ecc603a4145

SHA1
d597688eb9ccde51d9cfa398c0a62b502b13bdf1

SHA256
02c346a89ed9df9c979c6befffa75fe59e44ef265c000f84030e5f440eb9d0db

SHA512
17ba6f0ce9a6c28ef43aade84d14ac5d5095a387427dcdc844f4324c658a6c058865d8c3c3b84d661f6f7a051d4213c4c14df6fcef75e82f0c0afb66468df3a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d04a87a18acd596e8a1683b73dda25f

SHA1
d10fc78dea070bb81cedb16c3df39d2e5b7e873a

SHA256
1417cef9ff7c4b265179af1a5d3580baf01aacb771793e5c9682c86f69fe7ee5

SHA512
44a96386b68f78aa3c8718143ab25eda09fd2de7c22618a91735b87ff351c115fd11a6c131d2023cfd279f94860d90a27d9c76b9261338a1713799694e2e5631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0d8380d5420ad73a23c49161e6ff0f7

SHA1
2e8e77f04085a764307159931b53179e85f7666d

SHA256
fc151281ac9ebfc00dc09b8e65d0c589be33acdaac9c1f92047a863d731d8303

SHA512
f2acf197e3ed46caa92c4f117dd45e146f1635f0d7ad82d49e4b71eb91f30e1314826df92051c8b55c8597bee94a767a6d4e253210d110f7e51334aee4afdc07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5cf67fb6087ad5f487a59326322d408

SHA1
5b6ee176606fc87379d549b6f19807527f6b2c54

SHA256
f1875e206876c898258dff3a00001c00dd38f2f25df6c6feee630286b83e4383

SHA512
e8a246282adee4ba83168c78bed97da2c7caa0c62915139a0bc10e46071d224f321a30410494010b5cfdc4050272a697b9c1b5fdc344768540d6dad6aae27e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b9e232dadbeef6386513cc99feda74d

SHA1
901f98d907559452e21bac0ca796b306d6385d7c

SHA256
1f5be684db3936fca6ecaa10259bf347a1fbfbae47230e14aad3710235f19a57

SHA512
d0a8d15f76dd8dba37f7797bd4bb3f8dd9a121b093b632169a8907dd8115f597875e3596ac0d851a4262990ceec3de7d09025a0325e1384040b53d200b986448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
579f2e62b8c2f14f777a947be0bb7389

SHA1
339aca3ce65a7923ecd9d5d8638959eed8051e5e

SHA256
85ec626d75581edd9c1e9fda7cca84d7c4e78d322cad7f98377997c7802c6539

SHA512
bd9e331f0a714eb1a3d521c058d87977df04941bbaf6459f2a1c75f21e1a499ce41449f0a827258e0ac217020d88e7ef764f9a827566075b1f3b8162f87f9308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc300b4fdf978b6b204fb6a164a8d794

SHA1
4189946a29ff509b4bdfe5275fcb7ea0c72670a3

SHA256
467a331b45ebc06e4e825338c61f0895537bb9dbcbec032320482d1b1964bef8

SHA512
aac63a78c1f6e73eff1e2706d5c7086701b9334f137c0b73b0f7503bd03ad31c3bd3707238f0f553301d5c13f0c4b3a9b69b98e732eb0ea8c860f9c177db20cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3096d2815c3f1aa7911b2bf24145bc24

SHA1
8c520319e74e429d263ecc31246124c84e5e2caf

SHA256
05b351f71e6a9de9c4dab6cdb33f686822a144a95567d6002c9805723d395b8a

SHA512
8483a168ed0646166e45a4034e605446245e3580bd5c2aa23ecb261886e20f59ca2b15d390293f07e2e25cf5ccb9229b964295041a4f2a53a001e9c313ce0aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cb619004b6175f52d78cca76135bc57

SHA1
1edaa58def0450ebf0a3fad4ce7794d4b38edf34

SHA256
aaac8f231d2c593ed0fb6299461bac5774920ff11dc1b2f4388d7ee49d077009

SHA512
4c2cdb8c9667bd7c02b127d6ac955fa6836da9fd98ae42bbf2c93c60581a3df32b526e0db3dfd8d6e135b92acdb8c1785b694df03fbc4a6fcf89ff0d8f8df54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB0E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0B1.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit