a48650af2785567749c8e5dee1433acf71ddfffc3f602a8c0e3dbcc817098131

General

Target

GeometryDash.exe
Size

10.1MB
MD5

a0cf271bbf8d028b7ee5fbc429fce92b
SHA1

9604147c8a4cad0dfda9ef8d1de2d759e0e0c609
SHA256

a48650af2785567749c8e5dee1433acf71ddfffc3f602a8c0e3dbcc817098131
SHA512

c771393a5f9668cb55a006b4e51196eb8191b75b57461077ab37b5cc6fe83f7ce054c22bdcb6ca46ac9c64dea7555d94df627b85b2483db2696ef4ce9e413da0
SSDEEP

98304:6CBk0KiW1Ih0LRCh5jtk0LIQR23zkKmo2VxfS+VxfS:6CBk0KjI+RCh5Bk0LIQg3zkKX2LfL

Score

4^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3356	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3356	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1288	MiniSearchHost.exe
5308	osk.exe
5308	osk.exe
5308	osk.exe
5308	osk.exe
5308	osk.exe

C:\Users\Admin\AppData\Local\Temp\GeometryDash.exe
"C:\Users\Admin\AppData\Local\Temp\GeometryDash.exe"
1⤵
PID:1660

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:2460

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1048

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1668

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3388

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4924

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4192

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-4-13.2250.4924.1.odl

Filesize
706B

MD5
27cb1d808d73747da62b4654ea1eae3c

SHA1
4048f25dc5ca443e0fed75cca773f0369e9902bb

SHA256
1f8c585934a6c0c73320baea8ec69563a341ca2554cd23ceb7a3532b019b47f1

SHA512
aaaa499b5d50d06a5cf93ed39ea7caf51af23485069cfa40a1742da01f18c06a066af8416bb477ed48bb537b690643438b58f0fb96c05eec2df019c89fe04f49

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
24KB

MD5
d824406e1f1124ab69227ec413b849e6

SHA1
ef5c6b8989e389e4968dab6935d2b08838dcb81d

SHA256
1f02019a40de64da14706b44595ebdaa59e1cd5d8fd42aeab3a58cfd311629dc

SHA512
472e908698a402383828e6c5e5919bb298ef83aa094d1d380a754f260867498a766db1a1149fa02bc358e5f491e28c3a66d31955eafc43aaa5df12b3f8bea569

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
1d6389bbde29d9677bab58ed149d1b5b

SHA1
ea72c12a4c55cf5c93716a94ec0f15b05cd0d1e7

SHA256
2f8fa626982b7a28bafc77547575c0db9c5aaef71da58bbcdd9023676e3f9da0

SHA512
263ad5420f9b816cbb0f484a429c689dcf0ba1bf61d155190ab3f86f6c659b1064235473c1ed14652298aa43bf64e3a07f03726004616cba201cb8c2fc1d70ab

Download Submit

Resubmissions

Analysis

Sharing