Analysis

Max time kernel: 138s
Max time network: 172s
Platform: windows7_x64 (the behavioural results below are from behavioral1)
Resource: win7v20210410
Submitted: 26-07-2021 12:57

Static task: static1
Behavioral task: behavioral1
  Sample: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  Resource: win10v20210410

General

Target: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Size: 125KB
MD5: c4472cd02b1396ca49935f029db6a8ec
SHA1: fa4891fc8416a191d255fc186ef534d022d665e2
SHA256: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270
SHA512: 4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5
Malware Config

Extracted from: C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
  http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055

Extracted from: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
Family: cerber
URLs:
  http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055
  http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055

All six URLs in each note point at the same hidden service (cerberhhyed5frqa.onion), five of them through clearnet Tor2Web gateways so that a victim without a Tor client can still reach the payment page; the path component (AA89-A485-DC83-0006-4055) is the per-victim identifier.
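For hunting, the two pieces of information worth extracting from a note like this are the 16-character hidden-service name (stable across all the gateway variants) and the victim ID. The following Python is an added example, not code from the sandbox report or from Cerber, that reduces such a URL list to those two indicators and derives a proxy- or DNS-log regex that matches the service whichever Tor2Web gateway is in front of it. The URL list is copied from the report above; the function names and the gateway and victim-ID regexes are this example's own assumptions about the note format.

```python
"""Reduce a Cerber ransom-note URL list to hunting indicators.

Added example; not part of the sandbox report. RANSOM_NOTE_URLS is copied from
the report's Malware Config section; the regexes and function names are this
example's own assumptions about how Cerber builds its note URLs.
"""
import re
from urllib.parse import urlparse

# Copied from the report: the six URLs found in "# DECRYPT MY FILES #.txt".
RANSOM_NOTE_URLS = [
    "http://cerberhhyed5frqa.onion.to/AA89-A485-DC83-0006-4055",
    "http://cerberhhyed5frqa.onion.cab/AA89-A485-DC83-0006-4055",
    "http://cerberhhyed5frqa.onion.nu/AA89-A485-DC83-0006-4055",
    "http://cerberhhyed5frqa.onion.link/AA89-A485-DC83-0006-4055",
    "http://cerberhhyed5frqa.tor2web.org/AA89-A485-DC83-0006-4055",
    "http://cerberhhyed5frqa.onion/AA89-A485-DC83-0006-4055",
]

# A v2 onion name is 16 base32 characters. The note reaches it either directly
# (.onion) or via a Tor2Web gateway (.onion.<tld> or .tor2web.org).
ONION_RE = re.compile(r"^([a-z2-7]{16})\.(onion(?:\.[a-z]+)?|tor2web\.org)$")
# Victim ID as used by this sample: five groups of four upper-case hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})$")


def parse_cerber_url(url):
    """Return (hidden_service_name, gateway_or_None, victim_id), or None if the URL is not note-shaped."""
    parsed = urlparse(url)
    host_match = ONION_RE.match(parsed.hostname or "")
    path_match = VICTIM_ID_RE.match(parsed.path)
    if not host_match or not path_match:
        return None
    service, suffix = host_match.groups()
    gateway = None if suffix == "onion" else suffix
    return service, gateway, path_match.group(1)


def summarize(urls):
    """Collapse one note's URL list into the single service, single victim ID and the gateway set."""
    services, victim_ids, gateways = set(), set(), set()
    for url in urls:
        parsed = parse_cerber_url(url)
        if parsed is None:
            continue
        service, gateway, victim_id = parsed
        services.add(service)
        victim_ids.add(victim_id)
        if gateway:
            gateways.add(gateway)
    # A genuine note names exactly one service and one victim; anything else is a parsing problem.
    if len(services) != 1 or len(victim_ids) != 1:
        raise ValueError("note mixes services or victim IDs: %r %r" % (services, victim_ids))
    return {
        "hidden_service": services.pop() + ".onion",
        "victim_id": victim_ids.pop(),
        "tor2web_gateways": sorted(gateways),
    }


def proxy_log_pattern(summary):
    """Regex for proxy/DNS logs: the service name behind any gateway, not just the ones seen in this note."""
    name = summary["hidden_service"][: -len(".onion")]
    return re.compile(r"\b" + re.escape(name) + r"\.(?:onion(?:\.[a-z]+)?|tor2web\.org)\b", re.IGNORECASE)


if __name__ == "__main__":
    summary = summarize(RANSOM_NOTE_URLS)
    print(summary)
    print(proxy_log_pattern(summary).pattern)
```

Matching on the service name rather than on the full URLs is deliberate: the gateway domains come and go, and an infected host may be redirected through one the note does not list, while the 16-character name is fixed for the campaign.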
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (11)
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe, netbtugc.exe (writing process in parentheses)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (netbtugc.exe)

Executes dropped EXE 3 IoCs
Processes:
  pid 1280 netbtugc.exe
  pid 1752 netbtugc.exe
  pid 1708 netbtugc.exe

Deletes itself 1 IoCs
Processes:
  pid 1604 cmd.exe

Drops startup file 2 IoCs
Processes:
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk (netbtugc.exe)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)

Loads dropped DLL 3 IoCs
Processes:
  pid 1660 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  pid 1660 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  pid 1280 netbtugc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 8 IoCs
Processes:
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (netbtugc.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (netbtugc.exe)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (netbtugc.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (netbtugc.exe)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)

Checks whether UAC is enabled 1 IoCs
Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (netbtugc.exe)

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 5: ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA026.bmp" (netbtugc.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill 2 IoCs
Processes:
  pid 1544 taskkill.exe
  pid 2288 taskkill.exe

Modifies Control Panel 4 IoCs
Processes:
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop (netbtugc.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" (netbtugc.exe)
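Read together, the registry sections above show the dropped copy being wired into four separate autostart hooks for the same file (the Run and RunOnce keys, the Policies\Explorer\Run key, and SCRNSAVE.EXE, which makes netbtugc.exe the screen saver), on top of the Startup-folder .lnk. The Python below is an added example, not code from the sandbox or from Cerber, that classifies sandbox "Set value" lines into those persistence mechanisms and flags targets that live in a bare GUID directory under AppData. REPORT_LINES is copied from this report; the key table, the AppData heuristic and the function names are this example's own.

```python
"""Classify sandbox registry "Set value" lines as persistence mechanisms.

Added example, not code from the sandbox report. REPORT_LINES is copied from
the report; the key table, the AppData-GUID heuristic and the function names
are this example's own.
"""
import re

# Constructed sample: IoC lines exactly as the report prints them, one per line.
REPORT_LINES = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run netbtugc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\netbtugc = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" netbtugc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\\netbtugc.exe\"" netbtugc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA026.bmp" netbtugc.exe
"""

# One "Set value" line as the sandbox prints it: value type, key path, quoted data, writing process.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

# Key-path suffixes that start a program at logon or on idle. Order matters:
# the Policies\Explorer\Run path also ends in "Run", so it is tested first.
PERSISTENCE_KEYS = [
    (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run(\\[^\\]+)?$", re.I), "policy Run key"),
    (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\[^\\]+$", re.I), "RunOnce key"),
    (re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I), "Run key"),
    (re.compile(r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", re.I), "screen saver executable"),
]

# Heuristic, not proof: droppers like this one copy themselves into %APPDATA%\{GUID}\.
APPDATA_GUID_RE = re.compile(r"\\AppData\\(Roaming|Local)\\\{[0-9A-F-]{36}\}\\", re.I)


def unescape(data):
    """Undo the C-style escaping the sandbox applies (backslash-backslash to backslash, backslash-quote to quote)."""
    return re.sub(r"\\(.)", r"\1", data)


def image_path(value):
    """Strip the surrounding quotes a command-line style value carries."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def audit(report_text):
    """Return one finding per registry write that installs an autostart entry."""
    findings = []
    for line in report_text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created" lines and non-matching text carry no target path
        _value_type, key, data, process = m.groups()
        for key_re, mechanism in PERSISTENCE_KEYS:
            if key_re.search(key):
                image = image_path(unescape(data))
                findings.append({
                    "mechanism": mechanism,
                    "key": key,
                    "image": image,
                    "process": process,
                    "suspicious_image": bool(APPDATA_GUID_RE.search(image)),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in audit(REPORT_LINES):
        print(finding["mechanism"], "->", finding["image"], "(written by", finding["process"] + ")")
```

The Wallpaper write is deliberately left out of the key table: it is the ransom-note background, not a way to run code, and mixing cosmetic writes into a persistence finding dilutes the alert. On a live host the same classification can be fed from a registry export instead of sandbox text.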
Modifies Internet Explorer settings
These are Internet Explorer's own housekeeping keys, written when netbtugc.exe launches iexplore.exe to display "# DECRYPT MY FILES #.html"; they are a side effect of the ransom note being shown, not persistence. All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer; the writing process is in parentheses.
Processes:
  Key created \Recovery\AdminActive (iexplore.exe)
  Set value (str) \Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created \Toolbar\WebBrowser (iexplore.exe)
  Key created \Main\WindowsSearch (iexplore.exe)
  Set value (str) \Main\FullScreen = "no" (iexplore.exe)
  Key created \PageSetup (iexplore.exe)
  Key created \Zoom (iexplore.exe)
  Set value (int) \Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int) \Recovery\AdminActive\{2793DFD1-EE15-11EB-A1A8-4E3F7CC12DEF} = "0" (iexplore.exe)
  Key created \IETld\LowMic (iexplore.exe)
  Key created \LowRegistry (iexplore.exe)
  Key created \Toolbar (iexplore.exe)
  Set value (str) \Main\FullScreen = "no" (iexplore.exe)
  Key created \Main (iexplore.exe)
  Key created \GPU (iexplore.exe)
  Set value (data) \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002521c7600145884f842cd3bc0fbb787000000000020000000000106600000001000020000000c79342e893200f382b3e9a4a1358b900fe863841dff6bc21659208dbc2c02d2a000000000e8000000002000020000000c48ba181aabd738740d63c9bd3274923f7242cf2c6326adb927146cb459b47a620000000e1219220bd5ce075c344566863b062bbb569181a2ecc364a1ac1ea9fade1b27d40000000d36822cbcad1542b9f7b0d68146bcb898063c547e45271977169281195c6a83006ff6c507bd52afcd60c984d705315b29046a9a4bf852854666ba019d1d7dcfa (iexplore.exe)
  Key created \DomainSuggestion (iexplore.exe)
  Key created \BrowserEmulation\LowMic (iexplore.exe)
  Set value (data) \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Set value (str) \Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created \LowRegistry (iexplore.exe)
  Key created \DomainSuggestion\FileNames\ (iexplore.exe)
  Key created \DomainSuggestion\FileNames (iexplore.exe)
  Key created \LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created \PageSetup (iexplore.exe)
  Key created \LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created \Toolbar (iexplore.exe)
  Key created \Main\WindowsSearch (iexplore.exe)
  Set value (int) \Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created \Recovery\AdminActive (iexplore.exe)
  Set value (data) \TabbedBrowsing\NewTabPage\MFV = (value not present in the report) (iexplore.exe)
  Key created \IETld\LowMic (iexplore.exe)
  Key created \InternetRegistry (iexplore.exe)
  Set value (int) \Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created \TabbedBrowsing\NewTabPage (iexplore.exe)
  Set value (str) \DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  Key created \Main (IEXPLORE.EXE)
  Key created \IntelliForms (iexplore.exe)
  Key created \BrowserEmulation\LowMic (iexplore.exe)
  Set value (int) \Recovery\AdminActive\{27D8E7B1-EE15-11EB-A1A8-4E3F7CC12DEF} = "0" (iexplore.exe)
  Key created \Main\WindowsSearch (IEXPLORE.EXE)
  Set value (int) \DomainSuggestion\NextUpdateDate = "334070994" (iexplore.exe)
  Key created \IntelliForms (iexplore.exe)
  Set value (int) \Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created \GPU (iexplore.exe)
  Key created \Zoom (iexplore.exe)
  Key created \Recovery\PendingRecovery (iexplore.exe)
  Set value (int) \TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  Set value (data) \Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 (iexplore.exe)
  Key created \InternetRegistry (iexplore.exe)
  Key created \LowRegistry\DOMStorage (iexplore.exe)
  Set value (int) \Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created \Main (IEXPLORE.EXE)
  Set value (str) \Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created \TabbedBrowsing (iexplore.exe)
  Key created \Main (iexplore.exe)
  Key created \Recovery\PendingRecovery (iexplore.exe)
  Set value (data) \TabbedBrowsing\NewTabPage\LastProcessed = 508b4cec2182d701 (iexplore.exe)
  Key created \LowRegistry\DOMStorage (iexplore.exe)
  Key created \Toolbar\WebBrowser (iexplore.exe)
Runs ping.exe 1 TTPs 2 IoCs

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 1280 netbtugc.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
  Token: SeDebugPrivilege pid 1660 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
  Token: SeDebugPrivilege pid 1280 netbtugc.exe
  Token: SeDebugPrivilege pid 1544 taskkill.exe
  Token: SeDebugPrivilege pid 1752 netbtugc.exe
  Token: SeDebugPrivilege pid 1708 netbtugc.exe
  Token: 33 pid 2052 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege pid 2052 AUDIODG.EXE
  Token: 33 pid 2052 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege pid 2052 AUDIODG.EXE
  Token: SeDebugPrivilege pid 2288 taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid 1680 iexplore.exe
  pid 1284 iexplore.exe
  pid 1680 iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
  pid 1680 iexplore.exe (4 entries)
  pid 1284 iexplore.exe (2 entries)
  pid 1688 IEXPLORE.EXE (4 entries)
  pid 284 IEXPLORE.EXE (2 entries)
  pid 1688 IEXPLORE.EXE (2 entries)

Suspicious use of WriteProcessMemory 54 IoCs
Processes (parent PID and image, then the child it wrote into; the count is the number of identical entries):
  PID 1660 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe wrote to memory of 1280 netbtugc.exe (4)
  PID 1660 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe wrote to memory of 1604 cmd.exe (4)
  PID 1604 cmd.exe wrote to memory of 1544 taskkill.exe (4)
  PID 1604 cmd.exe wrote to memory of 1808 PING.EXE (4)
  PID 1568 taskeng.exe wrote to memory of 1752 netbtugc.exe (4)
  PID 1280 netbtugc.exe wrote to memory of 1680 iexplore.exe (4)
  PID 1280 netbtugc.exe wrote to memory of 968 NOTEPAD.EXE (4)
  PID 1568 taskeng.exe wrote to memory of 1708 netbtugc.exe (4)
  PID 1680 iexplore.exe wrote to memory of 1688 IEXPLORE.EXE (4)
  PID 1284 iexplore.exe wrote to memory of 284 IEXPLORE.EXE (4)
  PID 1280 netbtugc.exe wrote to memory of 596 WScript.exe (4)
  PID 1280 netbtugc.exe wrote to memory of 2252 cmd.exe (4)
  PID 2252 cmd.exe wrote to memory of 2288 taskkill.exe (3)
  PID 2252 cmd.exe wrote to memory of 2332 PING.EXE (3)
Every target here is a direct child of the writer in the process tree below, so these writes are the parent setting up a process it has just created rather than injection into an unrelated process.
Processes
The number in brackets is the depth in the tree; each entry gives the image path, the recorded command line, and the signatures that fired for it.

[1] C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Internet Explorer\iexplore.exe
        cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\system32\NOTEPAD.EXE
        cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    [3] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    [3] C:\Windows\system32\cmd.exe
        cmdline: /d /c taskkill /t /f /im "netbtugc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe" > NUL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /t /f /im "netbtugc.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\PING.EXE
          cmdline: ping -n 1 127.0.0.1
          - Runs ping.exe
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: /d /c taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL
      - Deletes itself
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {798E8EE4-CE89-484A-85CE-128FA6F0A739} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      cmdline: C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      cmdline: C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Internet Explorer\iexplore.exe
    cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\DllHost.exe
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

[1] C:\Windows\system32\AUDIODG.EXE
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x1ac
    - Suspicious use of AdjustPrivilegeToken

Two points worth reading off the tree. First, the sample runs the dropped copy and then hands its own removal to cmd.exe (taskkill the parent image, a single ping to localhost as a delay, then del), and the dropped copy later does the same for itself. Second, taskeng.exe is the Windows 7 Task Scheduler engine; it starting netbtugc.exe twice from its own root means the dropped copy was also registered as a scheduled task, a mechanism the signature list above does not call out separately from the Run keys and the Startup .lnk.
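Both cmd.exe entries in the tree have the same shape: taskkill the parent's image, ping 127.0.0.1 once as a sleep, then del the file. The Python below is an added example, not part of the sandbox report, that applies that pattern to process-creation events and raises the score when the deleted path is the parent's own image, which is the self-deletion case. The EVENTS records are constructed from this report's tree (the cmd.exe command lines are verbatim); the field names pid/ppid/image/cmdline and the scoring are this example's own stand-in for whatever an EDR or Sysmon Event ID 1 pipeline emits.

```python
"""Flag cmd.exe self-deletion chains (taskkill / ping / del) in process events.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the field names and the scoring are this example's own
stand-in for an EDR or Sysmon Event ID 1 feed.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe"

# Constructed from the report's tree. The sample's own parent is not in the
# report, so its ppid is None. The cmd.exe command lines are verbatim: the
# malware passes "/d /c ..." as the command line, so argv[0] is not "cmd.exe".
EVENTS = [
    {"pid": 1660, "ppid": None, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 1280, "ppid": 1660, "image": DROPPED, "cmdline": '"%s"' % DROPPED},
    {"pid": 1604, "ppid": 1660, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/d /c taskkill /t /f /im "392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270.sample.exe" > NUL'},
    {"pid": 2252, "ppid": 1280, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'/d /c taskkill /t /f /im "netbtugc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe" > NUL'},
    # Constructed control that must not alert: no taskkill, and the file is not the parent's image.
    {"pid": 4242, "ppid": 1660, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'/c ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]

# taskkill <flags> /im <name> ... & ping -n <n> 127.0.0.1 ... & del <path> [> NUL]
SELF_DELETE_RE = re.compile(
    r'taskkill\s+(?:/\w+\s+)*?/im\s+"?(?P<kill>[^"&\s]+)"?.*?'
    r'&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?'
    r'&\s*del\s+"?(?P<path>[^"&]+?)"?\s*(?:>\s*NUL)?\s*$',
    re.IGNORECASE,
)


def detect_self_delete(events):
    """Return one alert per cmd.exe event whose command line is a taskkill/ping/del chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        kill, path = m.group("kill"), m.group("path").strip()
        parent = by_pid.get(e["ppid"])
        score, reasons = 1, ["taskkill, ping-sleep, del chain"]
        # The chain kills and deletes the same image: the usual shape of a dropper cleaning up.
        if ntpath.basename(path).lower() == kill.lower():
            score += 1
            reasons.append("kills the same image it deletes")
        # The deleted file is the image of the process that spawned this cmd.exe: self-deletion.
        if parent and parent["image"].lower() == path.lower():
            score += 2
            reasons.append("deletes the image of its parent (pid %d)" % parent["pid"])
        alerts.append({"pid": e["pid"], "parent_pid": e["ppid"], "killed": kill,
                       "deleted_path": path, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_self_delete(EVENTS):
        print(alert)
```

The parent check is what separates this from installer clean-up scripts: plenty of legitimate software deletes a temporary file after a short delay, but a process arranging for its own on-disk image to be killed and removed is rare outside malware, and the ping-to-localhost sleep is a tell on its own since Windows has no built-in sleep for cmd.exe.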
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2793DFD1-EE15-11EB-A1A8-4E3F7CC12DEF}.dat
  MD5: 88f9c1ed07689da90ed772afc774aeaa
  SHA1: bc857b521917fd93e79ca015dca146caf8798c51
  SHA256: f6a158ea4cefdb5e114e8549fd46ae311735fe2098bab1bbc96ba3dbee4627cb
  SHA512: f10f900c136c75e6047715090979fd8f0b5e8326a88dc225eda2db4e300268d6f30227b02e66e4f3dd508093b1cb69f81bf1b3e8c88aec9db906e1a30cb21aae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BX2OIPZX.txt
  MD5: 1885da683e864a5583304108e404d52c
  SHA1: 75832c5ad2b4f9e35a9e97c5ffd4f07cfac584ee
  SHA256: 0db22dad3b3582a8c8b97e17355ee2cf3bf0d9b9c7cfdef7896561e14be89937
  SHA512: 8d0377dc4938bfc7b291af4b62d8398975176e732aeb4fed400e4c6ecb2bb398a65aa3a60135864e8867defd11aa753e602d52275fac669e801d9107fa78edd4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk
  MD5: be96320ca5a5a8f59a1dfee89e38f48f
  SHA1: 45322b03fe27f085af081b7cbc775ce40a2f5306
  SHA256: 782157a48c63f8f94c9a5d94930154e7ae7d108c9ae332c83545906d26e26fcb
  SHA512: 04b2731267d5d38873fd8b3d76f7a3e87de135ff6177d9866be972b1b3a2e3a635ec81d8539302652d660e3e19e5cf446ca7d77e782971d559f4bbe1c880281b

C:\Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe
  (recorded four times under this path and three more times as \Users\Admin\AppData\Roaming\{F7A21D6E-5744-E3E1-1E0E-7FCE223524B1}\netbtugc.exe, always with the hashes below, which are the hashes of the submitted sample: the dropper copies itself to the GUID directory unchanged)
  MD5: c4472cd02b1396ca49935f029db6a8ec
  SHA1: fa4891fc8416a191d255fc186ef534d022d665e2
  SHA256: 392e471bab3700300378fd83bc108576acb6246f19c502972c00ddb4b9bac270
  SHA512: 4a7463bc0a6a88d6eb7b2964b6212429ae8a7cd5f02abda2ecabecb1b2b374419fc48c4124386bdf184cef6f27ede998d245c3a0dbb97050e1639c7fb1a37ce5

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
  MD5: 29f3992f5b736f4796747e2437db1455
  SHA1: ce2ea958b6e5e582c1d8ea2706779d9043e79415
  SHA256: eb371d87cce75a4721e2b98813f55a456d0cc51ec2ba5b71ea5e92686e3128dc
  SHA512: 8ca15269d0239184f2b12c24dd66c2ccd991db586d7b421b25ff41daca0b9c8a7776fd36b2746b7668eb27fd0e29c5d1214fe9945697a93a6b69344180c43dba

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
  MD5: a4c21ea85a9644f3a242162edf0af2fa
  SHA1: 66c9add6a0fa9fdf73f74c913dca80ce7908cce2
  SHA256: 4d649d393ac635edbe27c229491e32f3f3e19cb03fa5833b159a168ad915a0de
  SHA512: 6f1563309ee0a9b4ea97767449ea11754f27c3fc1dbf5d94ee691461b62ed598c7ae2a356ab2a1d4048682a0da2c21c43c36552cd594494d6bebc1254be1602a

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.url
  MD5: b7b8d8cc95bada01b98441251f88dcf4
  SHA1: eb1e99ea487a7553474cf05bbb64010a27cd0e75
  SHA256: 1a3ae88eb88d48e8baf3caa792d7d41538ccfd7bc8d48cf86920b6952247373c
  SHA512: 19c6865ba3de6206debd10f3a7815ba4c07d5e35aefccd3a47a4dba5b8ca2dfd195827bc27a21a8d74504f486c1797485a3eb29e6e237a4d9623f781c2b31022

C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs
  MD5: 9d8c4bfbd009c4d6001e2125abaa8b02
  SHA1: cd040558172b5fca5b200447a281843956243741
  SHA256: a652297987f14317100f8c5f7eb26d1bc67eb8a64f0b39b72b5fd5046a9f29b0
  SHA512: c4c84f43642b805a105acce9ebc9f01aa0e6ef553ea32be3f8b890fc7440f0b7d3ddf99b9336bce20ce7a3d9b9f6434a704651a8af425ffc8407ba39d5de735f
memory/284-85-0x0000000000000000-mapping.dmp
memory/596-90-0x0000000000000000-mapping.dmp
memory/968-77-0x0000000000000000-mapping.dmp
memory/1280-63-0x0000000000000000-mapping.dmp
memory/1544-68-0x0000000000000000-mapping.dmp
memory/1604-67-0x0000000000000000-mapping.dmp
memory/1660-60-0x00000000752F1000-0x00000000752F3000-memory.dmp (filesize 8KB)
memory/1680-76-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp (filesize 8KB)
memory/1680-75-0x0000000000000000-mapping.dmp
memory/1688-83-0x0000000000000000-mapping.dmp
memory/1708-80-0x0000000000000000-mapping.dmp
memory/1752-71-0x0000000000000000-mapping.dmp
memory/1808-69-0x0000000000000000-mapping.dmp
memory/2252-92-0x0000000000000000-mapping.dmp
memory/2288-93-0x0000000000000000-mapping.dmp
memory/2332-94-0x0000000000000000-mapping.dmp