c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c

General

Target

c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
Size

1.1MB
MD5

5b3383df0b033c0401892c1d6109f704
SHA1

91a4284ff14d31908079f87150e2b7456310d8fe
SHA256

c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c
SHA512

5b873a1083c39d41fddb33b27794faef0e11eed5349e0cf52e8b4d084813dd782184841c7c4c40228e4865800571751bad488ec254850424800feb3d7204c4a6
SSDEEP

24576:YAHnh+eWsN3skA4RV1Hom2KXMmHa/ceoHYEdYxvc95:fh+ZkldoPK8Ya/ce0YEdYY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2476	.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000001630b-13.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 2464	2476	.exe	29
PID 2464 set thread context of 1180	2464	svchost.exe	21
PID 2464 set thread context of 2396	2464	svchost.exe	30
PID 2396 set thread context of 1180	2396	netbtugc.exe	21

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe
2396	netbtugc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2476	.exe
2464	svchost.exe
1180	Explorer.EXE
1180	Explorer.EXE
2396	netbtugc.exe
2396	netbtugc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
2476	.exe
2476	.exe
1180	Explorer.EXE
1180	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
2476	.exe
2476	.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2476	2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe	28
PID 2008 wrote to memory of 2476	2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe	28
PID 2008 wrote to memory of 2476	2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe	28
PID 2008 wrote to memory of 2476	2008	c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe	28
PID 2476 wrote to memory of 2464	2476	.exe	29
PID 2476 wrote to memory of 2464	2476	.exe	29
PID 2476 wrote to memory of 2464	2476	.exe	29
PID 2476 wrote to memory of 2464	2476	.exe	29
PID 2476 wrote to memory of 2464	2476	.exe	29
PID 1180 wrote to memory of 2396	1180	Explorer.EXE	30
PID 1180 wrote to memory of 2396	1180	Explorer.EXE	30
PID 1180 wrote to memory of 2396	1180	Explorer.EXE	30
PID 1180 wrote to memory of 2396	1180	Explorer.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe
  "C:\Users\Admin\AppData\Local\Temp\c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\directory\.exe
    "C:\Users\Admin\AppData\Local\Temp\c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2464
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\SysWOW64\netbtugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pluffer

Filesize
264KB

MD5
eba12b6e2d11f1ec95eca0661b63f45e

SHA1
00b4aede24f26f2af9d378d7570a01100c25bdde

SHA256
fb60232dad8d45358487655a50447d82b3003a5b50444195cd8736988dc0d0bb

SHA512
f0deb3356a0c071ab5a116ee521e89672093eae6f7a93cd3eebe4ebd92aa764e50360fb022f932991c259b84b32c8fe20eaaba54e777e1897c3a9b51d8ecb3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluffer

Filesize
264KB

MD5
4c71d0b1bd5e301fbef8c86ecbbd43f6

SHA1
513f533ce54cff9c22b6dab8afe782f427766446

SHA256
73492485dbd4ba4d244dfe546e3d8ba67b00e9bc3cc7a0250f365b592fef90ae

SHA512
504543ef24451c3c962a37423b65f8b0bffd11a664402c1f5d870b893b27d37b02f92d8542c5298da3236908150440c12807c4f3ef0f3ff9d313503522f0c878

Download Submit
\Users\Admin\AppData\Local\directory\.exe

Filesize
1.1MB

MD5
5b3383df0b033c0401892c1d6109f704

SHA1
91a4284ff14d31908079f87150e2b7456310d8fe

SHA256
c28c451c890e092bd79c62eeb493371dce5336337e87b7c6b1cd8ae3ccc6be8c

SHA512
5b873a1083c39d41fddb33b27794faef0e11eed5349e0cf52e8b4d084813dd782184841c7c4c40228e4865800571751bad488ec254850424800feb3d7204c4a6

Download Submit
memory/1180-39-0x0000000009020000-0x000000000C071000-memory.dmp

Filesize
48.3MB

Download
memory/1180-45-0x0000000009020000-0x000000000C071000-memory.dmp

Filesize
48.3MB

Download
memory/1180-36-0x0000000003C20000-0x0000000003D20000-memory.dmp

Filesize
1024KB

Download
memory/2008-11-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/2396-46-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2396-44-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2396-41-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2396-40-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2464-38-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2464-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-43-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2464-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-33-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/2464-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing