88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3

General

Target

88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
Size

1.1MB
MD5

287e61624e5c839ff4b366e1969b3bce
SHA1

de64781dc1e8d8fa7c89c0e0e1952970efa6bafd
SHA256

88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3
SHA512

0a07311662b1b78e5030a1b3c6a5ea84ea4c5fdada5f954ecaa9d7183f3f3f103b3e4e9844344e4d87aaf24223dddb9ca9b11fa9f09178519eadaa0604007f49
SSDEEP

24576:gtb20pkaCqT5TBWgNQ7aVstv2/34RUf2aJabe8cXb6A:pVg5tQ7aVstv2/4RbI5

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 2404 set thread context of 1100	2404	svchost.exe	18
PID 2404 set thread context of 3064	2404	svchost.exe	32
PID 3064 set thread context of 1100	3064	netbtugc.exe	18

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netbtugc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
2404	svchost.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe
3064	netbtugc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
2404	svchost.exe
1100	Explorer.EXE
1100	Explorer.EXE
3064	netbtugc.exe
3064	netbtugc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
1100	Explorer.EXE
1100	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 2464 wrote to memory of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 2464 wrote to memory of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 2464 wrote to memory of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 2464 wrote to memory of 2404	2464	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	30
PID 1100 wrote to memory of 3064	1100	Explorer.EXE	32
PID 1100 wrote to memory of 3064	1100	Explorer.EXE	32
PID 1100 wrote to memory of 3064	1100	Explorer.EXE	32
PID 1100 wrote to memory of 3064	1100	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
  "C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2404
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\SysWOW64\netbtugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\orographically

Filesize
264KB

MD5
ad39c6bef2ee20589f7a6d816524b642

SHA1
b90b7c5ff956bcf4b28ec799ebbc142f0b1b03e3

SHA256
57b3edf2c964e554a548518224bd8c51f51cf208351977602ce5a6e79a01b531

SHA512
32f41606e357137ce8897a921acee0a365a0d2081b5f78926603c581c93d73c8653354ad5aff41509ad2b0631863c636e058c8fc065f7ccc599098b516262441

Download Submit
memory/1100-14-0x0000000003B70000-0x0000000003C70000-memory.dmp

Filesize
1024KB

Download
memory/2404-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-13-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/2404-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-9-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/2404-18-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/2464-7-0x0000000000BF0000-0x0000000000FF0000-memory.dmp

Filesize
4.0MB

Download
memory/3064-16-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3064-15-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3064-19-0x00000000009D0000-0x0000000000CD3000-memory.dmp

Filesize
3.0MB

Download
memory/3064-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3064-21-0x0000000000460000-0x0000000000500000-memory.dmp

Filesize
640KB

Download
memory/3064-22-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3064-23-0x0000000000460000-0x0000000000500000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing