8ae976c8b28baa222b4fd527cccbad2d1102ed21c68f9082c53835fde94c2397

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Hot Tub.app/Frameworks/FirebaseAnalytics.framework/_CodeSignature/CodeResources.xml
Size

1KB
MD5

2232132871718ef545c4f6627bb1eacc
SHA1

361def0e6ae801d1a3a17b5851d9ff7b5d6bea98
SHA256

546153da3a026675abf1ce50e6d6eda7bb2b0364301a0c4b43a283f7f99008d5
SHA512

954d0b93e8e48ecec6512f680e42670febe594259952392c43042347157cf966654ccc07f34086320605dd9268556b1126b2e21af2d30aeb79b8b60bc305f646

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d0d6c4ff4dfeed479a2f23704b62e313000000000200000000001066000000010000200000008baa672e8ef8e92970c92d0040b4ee17131de0657b3150e1b261d77a6315ea0b000000000e80000000020000200000008a659f4ee584c287de73d7b0d252e7f357700321a860d15d6d6dd4313579aeed200000000b8cb1cf9cc3f98a16ae246b702973a6cae043a800960fbd450ae3180dc11bb940000000084c6d695dc23b950a60aa56164db91f854c0acde334506c7c9a802096c84a65026d147e57fa28274f0389e534b1218ac5dc3dbc895853add2fc088ffd34fc6f	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f704fce69fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d0d6c4ff4dfeed479a2f23704b62e313000000000200000000001066000000010000200000005f91f6cab728440392b03c80dcbd3de8413663d0e5652f5bdf8bec7ae8b670ca000000000e80000000020000200000001744004ae351b831fab5a9793dae30c57d4cc057f3c8dc4712027375c91f98b0900000000641f44759ec7cf9538330c218cc5b69f440dc72971acc008014f609bc0e4c3741f3c4124b94c5a4b637e6e3fcfd354bd02c6e136555467ebbb04713136b29947b6c688f0a7ab33667bce22988ded8d26ea04766c885bd9d51377582b207b56db8584ad77f7dec9c2655b6c95937bc90ffa293bcaf1ac7b2080dd384fda6c62c7de24d4f0bf72f537e30541eba82f16c40000000e398981c0ac824bbd2b7c5043b0fe0421752961e729a4fa2a91e1eef465afc015aa25d50f7bf907e8aa85d20837d3f04eef6adbfc6d7f1055cec2800e1d0ec9f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331108"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{277338A1-0BDA-11F0-8BB8-FA59FB4FA467} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1980	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1652	1924	MSOXMLED.EXE	30
PID 1924 wrote to memory of 1652	1924	MSOXMLED.EXE	30
PID 1924 wrote to memory of 1652	1924	MSOXMLED.EXE	30
PID 1924 wrote to memory of 1652	1924	MSOXMLED.EXE	30
PID 1652 wrote to memory of 1980	1652	iexplore.exe	31
PID 1652 wrote to memory of 1980	1652	iexplore.exe	31
PID 1652 wrote to memory of 1980	1652	iexplore.exe	31
PID 1652 wrote to memory of 1980	1652	iexplore.exe	31
PID 1980 wrote to memory of 2368	1980	IEXPLORE.EXE	32
PID 1980 wrote to memory of 2368	1980	IEXPLORE.EXE	32
PID 1980 wrote to memory of 2368	1980	IEXPLORE.EXE	32
PID 1980 wrote to memory of 2368	1980	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Hot Tub.app\Frameworks\FirebaseAnalytics.framework\_CodeSignature\CodeResources.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e318ecd826439642ce02e508d72ffb9

SHA1
29b692df70c721d8ba61a56a92e7437fe3fa9760

SHA256
d7abc2ff71346c331ff2716fd04f435d7684dd9c6619c1443bede3d5e16af885

SHA512
fc530828f7ba3ab35add547234dc37d98765031db526a4c437a06c2808d0ba13ce6f1eb94f1f3e1e2b44ff09e8d44db58ef070e994589487bcf54499435db98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab35d7571ff2d493053315ba70f5720b

SHA1
c42909451029d70172058e73da08aedcb7a31907

SHA256
19acedd2980211951704035c927606e1d92c9dcaa1a03d2a1362653b2a40f412

SHA512
859d85c2639b2a935a9273ea38d79caf6da35d01bca82c0aaaf13b420a45bb2b92bc60a95846320be2ce010d9f93892e917b84c54ae251886118110488a522f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8874c78d4dc16f1352cdea160fcd49f

SHA1
9d3c5737e6afdc4c10c721df93d9b54552697423

SHA256
5ea45951563ec50cb6eff2ec890def0f47de8a5c4901053389a7bef97a425ed4

SHA512
9d9daa78f5635077cda40e36e8c85ee8c9064d725492d995b95fdcc2ce6151e3c1fb1ce39578dacb77563ea95c0d1951a14fde50ae5f7de3e87a84703a487a34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
439ec1019ab1f4a0fadf553d77fd4340

SHA1
e0257d57e2f48334222da7b95282063ba8faf8ef

SHA256
d5fb8b4a4ad2583575da37decc565edbe50dfab0bdd4b20162e733066507c5ab

SHA512
184cf737ba4c7d9ff7819fcb81cdf48a6c4974ec15c1524401453897f3ee8cbd9f3297ab39f8848f2fb9af078b7e4b75d9df0cb861f4e8fd41d7b5f0eb4b9172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd7b1e54b995cadb8070d6952b334d6b

SHA1
37540429312558cff623b519e6ecbe4656a13d01

SHA256
eaf6b2b056358d00f5df567c4b145505a5faa346c6cc91c38ed2b7a01a35895a

SHA512
b4ee3bacddfc2a15c9317242194ab67af7bbcda8cae067878892280dc0f93d58ff0e6878a66e48a4785b8ae585f257ace7eda0ed9272df1209380e397c19243d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16281d4fcb61f982624f8da3e958727c

SHA1
10af5e129f77e3ebf834d80083dba0ca8e956400

SHA256
38cbcea1515d269c004119c7202c15e373b4eeb2ed596f5c29e455334f10519e

SHA512
e14bfa140cca536125c8310825831b752cfa870c11aaa2c0a7ae6b0dd786e731636da76ed4c20f3614217c65ed8e5d2c8532f87492b1e1e20f98bbc4650b5c7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f1a5eccd614a647e997ed8ca6be238e

SHA1
9a1d82e6c245f78dbfeef7882dcc557e1ec4d206

SHA256
83e884a4d20fdc3731e8dd9b76c3fe01fef5f4af0488a9d1e93d9d15773cbe5c

SHA512
1ba0f2e48ce51ae5b9945127e65391a73e8e1ea03f9663e62fafcea53c03c13107c5624ea8e8318d205fc06379670ecaef58cfca96b08224b8560f138b062895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1b0341d33a964be3af72dff47c7bc9e

SHA1
8651e2066fb801ed12aa702750da6715b66149ad

SHA256
c4886add71ccafb32b69db226652e3a99a275d029c19b24f6e6e824ce1223902

SHA512
a1522dc10c32c012ef208a1ed99dac7f94b3e312bcb76d2f2862f91e23f988771896b6cfb2c03552cf8ce0be814425b54ef8e7b7c8df8c358f4666aae11a00ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de75d523bcbcab9cac7a8bbf078c5ed1

SHA1
022272fb53ba5f0133d25d66360807daa762537a

SHA256
cf6d7b0aea5c342d417670fb465e6694e69bf1c70afcb3770d6f5b4dda90d8d6

SHA512
82b60adb95432953f41fe62a6e36eedd913d988363736ced56ac9a53c711c52d7ce8cf5449533285f88d3896396328e54146f417964344485682dbb0cd5a02ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23a260e7974668cfe688bff56e98f972

SHA1
49f261052d7094da3406d634bb28e47f5ab6f55d

SHA256
be2095eb7c168282cd1755398fcea1972607e325086b404237c38b76fa2f8a3e

SHA512
f2e39a8da00c28928aad743aacec08fa0ffc4b95614931ffba2fef20cfcf04d284e501bc81abdf164b5906cd14e92e0018687fe1a486f0b7c2d17b11f49c8829

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC02.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8A6.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit