8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632

Analysis

max time kernel
151s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
Size

536KB
MD5

04ccd586d42e6bc956b499ee4d513294
SHA1

a0ae681bc5b8d15ccc47f523ecd951ef13b60e6f
SHA256

8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632
SHA512

9da52eb1168a0396b9e268ef7cc7ede7fe7635b8c931977846d6853e1531f36602d5b37a00b37156af90ed05de7b74bbbff6e15b87a75096a96f40253abd8c89
SSDEEP

12288:vhf0Bs9bDDq9hu53Ltp/p+gPhhwPOaoTJRkmOkx2LIa:vdQyDL9xp/BGA1RkmOkx2LF

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\znxdXxQv.sys	netiougc.exe

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	netiougc.exe

Loads dropped DLL 1 IoCs

pid	Process
1180	Explorer.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/340-0-0x0000000001080000-0x0000000001182000-memory.dmp	upx
behavioral1/memory/340-23-0x0000000001080000-0x0000000001182000-memory.dmp	upx
behavioral1/memory/340-71-0x0000000001080000-0x0000000001182000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\vj7ahf.sys	netiougc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5d228	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
File created	C:\Windows\L6O5cstnJ.sys	netiougc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2480	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	netiougc.exe
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	netiougc.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	netiougc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	netiougc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	netiougc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	netiougc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	netiougc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1180	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
Token: SeTcbPrivilege	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
Token: SeDebugPrivilege	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeTcbPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeIncBasePriorityPrivilege	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	2964	netiougc.exe
Token: SeDebugPrivilege	2964	netiougc.exe
Token: SeDebugPrivilege	2964	netiougc.exe
Token: SeDebugPrivilege	2964	netiougc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe
2964	netiougc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2964	netiougc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1180	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	7
PID 340 wrote to memory of 1180	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	7
PID 340 wrote to memory of 1180	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	7
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 2964	1180	Explorer.EXE	28
PID 1180 wrote to memory of 424	1180	Explorer.EXE	23
PID 1180 wrote to memory of 424	1180	Explorer.EXE	23
PID 1180 wrote to memory of 424	1180	Explorer.EXE	23
PID 1180 wrote to memory of 424	1180	Explorer.EXE	23
PID 1180 wrote to memory of 424	1180	Explorer.EXE	23
PID 340 wrote to memory of 2632	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	30
PID 340 wrote to memory of 2632	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	30
PID 340 wrote to memory of 2632	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	30
PID 340 wrote to memory of 2632	340	8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe	30
PID 2632 wrote to memory of 2480	2632	cmd.exe	32
PID 2632 wrote to memory of 2480	2632	cmd.exe	32
PID 2632 wrote to memory of 2480	2632	cmd.exe	32
PID 2632 wrote to memory of 2480	2632	cmd.exe	32
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7
PID 2964 wrote to memory of 1180	2964	netiougc.exe	7

C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe
"C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\8d897a12318ed5062905521ba39ea19860f08409b23cf085f5e3c622df840632.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\ProgramData\Microsoft\netiougc.exe
  "C:\ProgramData\Microsoft\netiougc.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\netiougc.exe

Filesize
26KB

MD5
bacfb6de1316e2b726074997e005f109

SHA1
0d96c7d6a7aeb228f0eae08b2a56d939321ade23

SHA256
312f9af98a9773fac98d679f72f2856e6bcd5512ea2a4727d4031f8b4c83c1a5

SHA512
a3de7c8b8736635cc7e7cee880465ab2b597ac1ec9ddcfdd99fac596f267ccfa4b3dcce79b26d5796db6878e1878e4312afe38a33cbbe98ee7de7a7453b2e748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb9538c9f8000d25e7423519db54c09c

SHA1
92ec03e7ee427f8bc22bb4c9554ecb29a010cd4b

SHA256
4b3e0e281d9d75f7b69cee2e2f67b6abc64c2eabbe5fb3318bab0192811f2644

SHA512
932cfa7b62d715b53fb2d96911dc56216b7e071b5b96887551ca2e9d2117c5ff71f874a9832f084190b72df087959a70108f3b1b68f6d9487a2be4f6b464440f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e909bbf6e19f3e310db6c12efea79878

SHA1
f1da05b4c96dfa195fa613923115223d9f9f1337

SHA256
116a8fa9d098e579d57936ec89ee19cf3a5366ed7ac6991135bb3e2d66b09ffa

SHA512
10f330da6225c1ebf60b1bb1c0417410cd3cac3f4c934107a595738a58e52e2fef5e47485097e2fe9f94bf90c19428de256b6c74c8d1ae050248e6baa513abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC592.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE570.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\ProgramData\Microsoft\netiougc.exe

Filesize
26KB

MD5
bacfb6de1316e2b726074997e005f109

SHA1
0d96c7d6a7aeb228f0eae08b2a56d939321ade23

SHA256
312f9af98a9773fac98d679f72f2856e6bcd5512ea2a4727d4031f8b4c83c1a5

SHA512
a3de7c8b8736635cc7e7cee880465ab2b597ac1ec9ddcfdd99fac596f267ccfa4b3dcce79b26d5796db6878e1878e4312afe38a33cbbe98ee7de7a7453b2e748

Download Submit
memory/340-71-0x0000000001080000-0x0000000001182000-memory.dmp

Filesize
1.0MB

Download
memory/340-23-0x0000000001080000-0x0000000001182000-memory.dmp

Filesize
1.0MB

Download
memory/340-0-0x0000000001080000-0x0000000001182000-memory.dmp

Filesize
1.0MB

Download
memory/424-68-0x00000000008E0000-0x00000000008E3000-memory.dmp

Filesize
12KB

Download
memory/424-70-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/424-61-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/1180-38-0x0000000009270000-0x0000000009367000-memory.dmp

Filesize
988KB

Download
memory/1180-141-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-161-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-149-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-162-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-35-0x0000000003EA0000-0x0000000003EA3000-memory.dmp

Filesize
12KB

Download
memory/1180-160-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-147-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-32-0x0000000003EA0000-0x0000000003EA3000-memory.dmp

Filesize
12KB

Download
memory/1180-26-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/1180-24-0x0000000008AC0000-0x0000000008BB3000-memory.dmp

Filesize
972KB

Download
memory/1180-4-0x0000000002200000-0x0000000002203000-memory.dmp

Filesize
12KB

Download
memory/1180-78-0x0000000009270000-0x0000000009367000-memory.dmp

Filesize
988KB

Download
memory/1180-5-0x0000000002BC0000-0x0000000002C39000-memory.dmp

Filesize
484KB

Download
memory/1180-6-0x0000000002200000-0x0000000002203000-memory.dmp

Filesize
12KB

Download
memory/1180-3-0x0000000002200000-0x0000000002203000-memory.dmp

Filesize
12KB

Download
memory/1180-139-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-37-0x0000000002BC0000-0x0000000002C39000-memory.dmp

Filesize
484KB

Download
memory/1180-159-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-142-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-156-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-157-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-158-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-143-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-144-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-145-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-146-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-150-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-154-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-155-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-153-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-152-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1180-151-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/2964-59-0x0000000000420000-0x00000000004EB000-memory.dmp

Filesize
812KB

Download
memory/2964-148-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2964-140-0x0000000003420000-0x00000000034C0000-memory.dmp

Filesize
640KB

Download
memory/2964-137-0x0000000003420000-0x00000000034C0000-memory.dmp

Filesize
640KB

Download
memory/2964-136-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2964-135-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download
memory/2964-134-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2964-133-0x0000000003420000-0x00000000034C0000-memory.dmp

Filesize
640KB

Download
memory/2964-132-0x0000000003420000-0x00000000034C0000-memory.dmp

Filesize
640KB

Download
memory/2964-131-0x0000000003420000-0x00000000034C0000-memory.dmp

Filesize
640KB

Download
memory/2964-130-0x0000000000660000-0x000000000066F000-memory.dmp

Filesize
60KB

Download
memory/2964-129-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2964-128-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/2964-127-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2964-126-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2964-125-0x0000000000420000-0x00000000004EB000-memory.dmp

Filesize
812KB

Download
memory/2964-124-0x0000000000420000-0x00000000004EB000-memory.dmp

Filesize
812KB

Download
memory/2964-123-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/2964-121-0x0000000037B80000-0x0000000037B90000-memory.dmp

Filesize
64KB

Download
memory/2964-57-0x0000000000420000-0x00000000004EB000-memory.dmp

Filesize
812KB

Download
memory/2964-58-0x000007FEBF880000-0x000007FEBF890000-memory.dmp

Filesize
64KB

Download
memory/2964-54-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2964-43-0x0000000000140000-0x0000000000203000-memory.dmp

Filesize
780KB

Download
memory/2964-206-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download