hxxps://www[.]nutaku[.]net/games/booty-calls/

Analysis

max time kernel
482s
max time network
593s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
14/01/2024, 13:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.nutaku.net/games/booty-calls/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2244	msedge.exe
2244	msedge.exe
756	identity_helper.exe
756	identity_helper.exe
3856	msedge.exe
3856	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1504	2244	msedge.exe	49
PID 2244 wrote to memory of 1504	2244	msedge.exe	49
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 4756	2244	msedge.exe	81
PID 2244 wrote to memory of 2848	2244	msedge.exe	80
PID 2244 wrote to memory of 2848	2244	msedge.exe	80
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82
PID 2244 wrote to memory of 2624	2244	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nutaku.net/games/booty-calls/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0a543cb8,0x7ffc0a543cc8,0x7ffc0a543cd8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,6879410930965030571,14553797762255994510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab16bd4ff2a8053c32cae8e2c4d25a66

SHA1
c1e041f30745a24f337adae3f4561d0f94f9e7cf

SHA256
5bafe572e81800f2a0bcd73872edb58a34972bf6134fac1432bdda1b7c0ebb70

SHA512
e4d7ee26645efa73e97b3453de0a3cf4a2374f758f625fac76e074c90413ad22fe17183e1611d5262cd1012da41a8d80b9718912af6bd5d807f4e972f591e69d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
201KB

MD5
e3038f6bc551682771347013cf7e4e4f

SHA1
f4593aba87d0a96d6f91f0e59464d7d4c74ed77e

SHA256
6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a

SHA512
4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
2f78fdf57875459aa222953c713aa411

SHA1
db4c4791bfda6cfd1a9219a50d8d413440ac67c6

SHA256
87d353496b0532148995366a6f507af3dee36bb1b8bb834076af3c26e2415341

SHA512
23185b0c2edf4486e831b4e6cbbd5809f6499637230b30e7d9f9ebe9401f20ebe3fa4fa2218a83d29e2521e42e7f05f008c56e2b98ec4abe0972dafb52b9055a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e5ce5b048825ed2bda5011abb7633423

SHA1
688965fbeff7b631a2702fb22901242284263d3d

SHA256
21386be0afdb6e2aea7e5ef57f1bacff2ac9438f32fbd35c05b43ed4e6a05c80

SHA512
dd8b54bf48e605c83fbdb5cd257735d797e2ccfcd4a26513bf85d12b489c4bff8e3d1f6a4b03aeca95f743cc42d11b6a453e790e6b9d86d5abdadb5a366ecde3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
032a4e24b2e7606493b97c1c2359eda8

SHA1
7da25e6713cc22049059714aac987adf08424fd3

SHA256
99546df73be23e02ed857e7fce665dca8ed4aac285f76b509868b6f948d499a9

SHA512
59756bd385086e665b79e27dd3ffa1b7715146ca0d2427cb88fe819d94ca29d6a93207677524c6570e4552f1a4dce0a2c54e2dfa188ee8243bd74423441caeef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72ed6607665e57edbd73c8e2c7d84768

SHA1
c64675bdaac0f2c7c001554bdb00e4fa01ef5f25

SHA256
5ea7e5a6e0015d5b0b02231f157ab79cd740dec7ff49df3af974b6b6ca5cd93e

SHA512
cd97aca6d37e39244fe5619c0d4a5d451745ba45d6e7dd1890090d8af47cf6fa1a346c7c30d4279f5e7fbf7bbf8f5ee67470f7ec235208bdda83ded32ee7c84c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
ac2b1e1028003f95bdb29d2cc74186dc

SHA1
b3d75c41f59e96148e07ba1c10d27f67adfc5d79

SHA256
8b5480e0e913fbfd94380c8b791244d03a71a0d054950836441425e1727ba383

SHA512
2b43d48f809212b459e53284446f0dfb23de64cbd251dd76350115910b11e4605469ddb41f2bd31aa9a98e652790d6928adee38b39d4fc4e9107e6a4f7d20e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e3f96c7d0a7efcb6ac1ecfbcc53ffb72

SHA1
c32eefb3a4cb80e79ae5cb2c45b0ab0c5416e157

SHA256
176457ee6b507a40549c42cd1a20d96f66121f1246ef2d73e445b291d5375974

SHA512
9294fffa977269d61db7cd0879fed77bc28f16140c35e4338d721627969c7de7bc4269242b86f895a3c128966cc6ce8641b78add695ebd836c2c59d3a8da06a7

Download Submit