Overview

overview

8

Static

static

8

URLScan

urlscan

http://hugsa.bhptdt2...

windows10_x64

5

Analysis

  • max time kernel
    114s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-09-2021 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://hugsa.bhptdt21kfxkda7.insideplaza.com/?restore=aW5mb0BoYXJtb25pZW11c2lrenVnLmNo

  • Sample

    210922-y9hmpsgdfp

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://hugsa.bhptdt21kfxkda7.insideplaza.com/?restore=aW5mb0BoYXJtb25pZW11c2lrenVnLmNo
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:800 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\msdt.exe
        -modal "524344" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF7E4E.tmp" -ep "NetworkDiagnosticsWeb"
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:3344
  • C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\system32\ipconfig.exe" /all
      2⤵
      • Gathers network information
      PID:4396
    • C:\Windows\SysWOW64\ROUTE.EXE
      "C:\Windows\system32\ROUTE.EXE" print
      2⤵
        PID:4452
      • C:\Windows\SysWOW64\makecab.exe
        "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
        2⤵
          PID:4496
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localservicenonetwork -s DPS
        1⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1860
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localservice -s WdiServiceHost
        1⤵
        • Drops file in System32 directory
        PID:2780
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
          2⤵
            PID:4104

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          MD5

          6184b0e7016067db51a6ecf5f3fec69c

          SHA1

          d95dc8253b3f7ee8eab391a9933de56929b7b9a8

          SHA256

          f0310616d9b89c76451b430a7849df7d6de967e7be98d4db98b18b13fd0d4c24

          SHA512

          1d5a39ff7c1a9896999b5a571ac198c8c7c667737f9970d1b81c49b6d20925bc800df7b5f2cc890a079646bcf8e7aba25934018e55cf555d1873f0f19dbf05c2

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          MD5

          04dd170ddb7796f98a588975b09b5ec9

          SHA1

          369300064d4f9e50edf36def17876886de4107ee

          SHA256

          a17f325ea6628ca83411ecfd39ccadff7d514e264eb21eae1f528ec963f68b1b

          SHA512

          cd70b7ad4ad2de16ecf7953784a38cc7335d4729236873461da527582c32198d8dcd429ecea0a0b38af4d69a689467036247043879ac8e5ec90e9ebd56f6f127

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-09222021-2230.etl
          MD5

          7e8821c221e012f3c2aa887b4d3fd56d

          SHA1

          ef31f842de7cf5eea634e95b5617379deadee8da

          SHA256

          3826efa6aeb041e97a81f853940c5ef2eabded106738dc8840621dd261c7d3b2

          SHA512

          37340182b830a787c0003474fd11d1ed656b8274319827652d0a97768b8581e2d9d915ed01a389cdc66eefff7cb95040646195d8e5b3b306db5e1f07024c3ec2

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0QK9WTKJ.cookie
          MD5

          b5e6cda8664ec340bd5b51941a9b91cf

          SHA1

          aa7f6080f02119ed862ac674a19e88e54514ad20

          SHA256

          82f1a3f5771bebe3e4c612d254948e3f02ba7fb865200a42441f119559be27e2

          SHA512

          bcd09eaebfd812824c72a25764b592126dbce407603978f9270b759225dc6bbb07174cdb0d8510a198136b268c62cb803bc911db78a13ec2548120cafe9b0c8c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0ULFM26Z.cookie
          MD5

          245c017b2cf5383ad45038fb9140bd23

          SHA1

          febd2edf6d54f1047bf8ed741b635a789a65228a

          SHA256

          ad427e6bcf3876dd5001f05882924ff892c92c2bed5462f8dfa031c37bdd2005

          SHA512

          c5f6470db6e97a04f589225390297aa6fa6b47cfee34327a716d5f890984826a53984d116d8ab1521088de76a32d0e7a156ff69750bd2b8124505d19d58b19d0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\NDF7E4E.tmp
          MD5

          5d9ccd2378e3d22f23f79983f12cdae0

          SHA1

          5cbaccfd01f35b24535169bd855f65b0af451802

          SHA256

          9089e0e8d80ada682999d8dd6f4ea3a45711fa3acf4d21bcc89be957230c87c1

          SHA512

          b3fb4c302e1f5cd810e3b4260f9cc68c92a9b9f6a8bce3dee74aac8e6ce1469611276bf51b9d7fcf0170be4c10d6d226d0b4089ecbf36d376b27b2f894945da2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\NetworkConfiguration.cab
          MD5

          bc4f55073f44e2af1194d2c596ebb28f

          SHA1

          09bd5604203c480a4a145591e42d4e9c7ba62f1f

          SHA256

          101e386ecde210372dd340300905f321e4e51a31c717a064cbda5164001b6e48

          SHA512

          b1490c2ed192375c634ec9cb4065223c50d23c7315fd3924b39e8046d03552ca1cb2b3cac51e1ea85d76d6a8537f528a5449aa6f4edb83422ec9b106fa0bbad8

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\NetworkConfiguration.ddf
          MD5

          00848049d4218c485d9e9d7a54aa3b5f

          SHA1

          d1d5f388221417985c365e8acaec127b971c40d0

          SHA256

          ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

          SHA512

          3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\ipconfig.all.txt
          MD5

          1875d41ee5399e5e2cc0e92fb70fe0df

          SHA1

          783316dbdb0cd0f069d36ef5ffb2647169b17d1a

          SHA256

          1c3f94d8c19d0d71e2c583da9dc0e358c41acfc88859a78f5ea8ae439aa24111

          SHA512

          99a3b9ec9ef922529ca18f682aebf4f70910ad0beae4f115a9c4c508a81c76c7e1d603e706adefea132243f1dd47eb920ab34a362cbe8fb0420186ee481f0213

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\route.print.txt
          MD5

          7bfdf5368fb8eeac826ac740263f32dd

          SHA1

          993c04220610a3b73cd9631820a6cd0a79b6192e

          SHA256

          d3b4fc7771e33476134a3815bf0fca2171ea0c63c886c5b2c0245cd1ba0c869e

          SHA512

          e3a32215b5a5b4b5b7c52999f247b4bb497b6aceb7dc7057d896449b0a26e5aee5e1ed187dcc67edc7531d5827bb5769a603a5088eecae855c3fdb631f5b13b8

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\setup.inf
          MD5

          70d1b5e77d049806def5553e9145ca22

          SHA1

          d02bbab8bed9d47bc8f58b5e95c553bacbd1d279

          SHA256

          c66db634055c8f7934f5c27d62486743ccfa1a6fe2b3ebf32fe91094569b7b76

          SHA512

          75857417fbce991f96a89727cb704c6691a85e373594e64ad054b5d517b78bc4dd0c5ceb1c2f69443a1a5d671d5a8d2c4b34cbd8ec0071e69669dbcd96df21a7

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpD17F.tmp\setup.rpt
          MD5

          aae9e3f4685b3542fcb47e12866295a7

          SHA1

          68555c21eb9a3b46a116aaf03def119a4fe43ae8

          SHA256

          3dfdbe995275f09bd3d540d4ddcd9280727c68dba264dc5bd29cdbe017c0e97e

          SHA512

          d8ba2b41397ba5e63a6ce287d00918d4ac1366737a386690d01205f8b827b58b9cc89cec5f843f5dd1666c6b1fd034dcc910f2e5190f6ba4df2ef2ee78e19347

          Download Submit
        • C:\Windows\TEMP\SDIAG_784cd8f4-dffb-4f19-b206-63bbe92b0042\NetworkDiagnosticsTroubleshoot.ps1
          MD5

          d18dd3c5d111eecbfec65251d357f3c1

          SHA1

          5cec3df9e5f7fe3ea0d7226e1461da2de2fad900

          SHA256

          fc9ce9f57cb224d13ea1b973fa084e8f7fd00dd172d84b7c14e31085c58fea5d

          SHA512

          6ce2eac565c0fc921f07881c2bb64ba73c670562a8b86456d718c1a75ab6097f623d49a608aa984075d1d764dcdca9b1cd95704f6bf817e7b1081b7b5ae0a7ce

          Download Submit
        • C:\Windows\TEMP\SDIAG_784cd8f4-dffb-4f19-b206-63bbe92b0042\StartDPSService.ps1
          MD5

          a660422059d953c6d681b53a6977100e

          SHA1

          0c95dd05514d062354c0eecc9ae8d437123305bb

          SHA256

          d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

          SHA512

          26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

          Download Submit
        • C:\Windows\TEMP\SDIAG_784cd8f4-dffb-4f19-b206-63bbe92b0042\UtilityFunctions.ps1
          MD5

          c912faa190464ce7dec867464c35a8dc

          SHA1

          d1c6482dad37720db6bdc594c4757914d1b1dd70

          SHA256

          3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

          SHA512

          5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

          Download Submit
        • C:\Windows\TEMP\SDIAG_784cd8f4-dffb-4f19-b206-63bbe92b0042\UtilitySetConstants.ps1
          MD5

          0c75ae5e75c3e181d13768909c8240ba

          SHA1

          288403fc4bedaacebccf4f74d3073f082ef70eb9

          SHA256

          de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

          SHA512

          8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

          Download Submit
        • C:\Windows\TEMP\SDIAG_784cd8f4-dffb-4f19-b206-63bbe92b0042\en-US\LocalizationData.psd1
          MD5

          91e3038ec5ddc6a0924607b192117a68

          SHA1

          af46db32086ddd72fbf759ed136f7e66ad5b5b43

          SHA256

          7e23e58cc90aa265464cb2f5a9da9f2a04ba2541e84ab26a052cc17155a91080

          SHA512

          fc745c310d0157df2f588dc4f9b991c484712f7935b6e4128e02433c2a2b9cda2daf959af006f63c55a5a9a4e0c8e4caaa4c86d7a65a626d55822097dcb7fd84

          Download Submit
        • memory/800-114-0x00007FFAA5B60000-0x00007FFAA5BCB000-memory.dmp
          Filesize

          428KB

          Download
        • memory/912-115-0x0000000000000000-mapping.dmp
          Download
        • memory/1112-126-0x00000000069C0000-0x00000000069C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-130-0x0000000006AA0000-0x0000000006AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-137-0x0000000008810000-0x0000000008811000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-138-0x00000000088F0000-0x00000000088F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-141-0x0000000008A60000-0x0000000008A61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-135-0x0000000007540000-0x0000000007541000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-134-0x0000000006CE0000-0x0000000006CE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-133-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-132-0x0000000008200000-0x0000000008201000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-270-0x00000000012B1000-0x00000000012B2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-131-0x0000000006C20000-0x0000000006C21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-136-0x0000000007960000-0x0000000007961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-124-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-125-0x00000000012B0000-0x00000000012B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-127-0x0000000006A30000-0x0000000006A31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-129-0x0000000006B10000-0x0000000006B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1112-128-0x0000000007B80000-0x0000000007B81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3344-120-0x0000000000000000-mapping.dmp
          Download
        • memory/4396-385-0x0000000000000000-mapping.dmp
          Download
        • memory/4452-390-0x0000000000000000-mapping.dmp
          Download
        • memory/4496-395-0x0000000000000000-mapping.dmp
          Download