88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
Size

1.1MB
MD5

287e61624e5c839ff4b366e1969b3bce
SHA1

de64781dc1e8d8fa7c89c0e0e1952970efa6bafd
SHA256

88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3
SHA512

0a07311662b1b78e5030a1b3c6a5ea84ea4c5fdada5f954ecaa9d7183f3f3f103b3e4e9844344e4d87aaf24223dddb9ca9b11fa9f09178519eadaa0604007f49
SSDEEP

24576:gtb20pkaCqT5TBWgNQ7aVstv2/34RUf2aJabe8cXb6A:pVg5tQ7aVstv2/4RbI5

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 4424	3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	86
PID 4424 set thread context of 3460	4424	svchost.exe	56
PID 4424 set thread context of 760	4424	svchost.exe	96
PID 760 set thread context of 3460	760	netbtugc.exe	56
PID 760 set thread context of 2940	760	netbtugc.exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netbtugc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netbtugc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
4424	svchost.exe
3460	Explorer.EXE
3460	Explorer.EXE
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe
760	netbtugc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4424	3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	86
PID 3984 wrote to memory of 4424	3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	86
PID 3984 wrote to memory of 4424	3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	86
PID 3984 wrote to memory of 4424	3984	88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe	86
PID 3460 wrote to memory of 760	3460	Explorer.EXE	96
PID 3460 wrote to memory of 760	3460	Explorer.EXE	96
PID 3460 wrote to memory of 760	3460	Explorer.EXE	96
PID 760 wrote to memory of 2940	760	netbtugc.exe	97
PID 760 wrote to memory of 2940	760	netbtugc.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe
  "C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4424
- C:\Windows\SysWOW64\netbtugc.exe
  "C:\Windows\SysWOW64\netbtugc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autB4D9.tmp

Filesize
264KB

MD5
ad39c6bef2ee20589f7a6d816524b642

SHA1
b90b7c5ff956bcf4b28ec799ebbc142f0b1b03e3

SHA256
57b3edf2c964e554a548518224bd8c51f51cf208351977602ce5a6e79a01b531

SHA512
32f41606e357137ce8897a921acee0a365a0d2081b5f78926603c581c93d73c8653354ad5aff41509ad2b0631863c636e058c8fc065f7ccc599098b516262441

Download Submit
memory/760-16-0x0000000000870000-0x00000000008AF000-memory.dmp

Filesize
252KB

Download
memory/760-19-0x0000000000FD0000-0x000000000131A000-memory.dmp

Filesize
3.3MB

Download
memory/760-20-0x0000000000870000-0x00000000008AF000-memory.dmp

Filesize
252KB

Download
memory/760-21-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/760-22-0x0000000000870000-0x00000000008AF000-memory.dmp

Filesize
252KB

Download
memory/760-23-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/760-15-0x0000000000870000-0x00000000008AF000-memory.dmp

Filesize
252KB

Download
memory/2940-33-0x00000178F8570000-0x00000178F8659000-memory.dmp

Filesize
932KB

Download
memory/3460-32-0x0000000008070000-0x0000000008190000-memory.dmp

Filesize
1.1MB

Download
memory/3460-24-0x0000000008070000-0x0000000008190000-memory.dmp

Filesize
1.1MB

Download
memory/3460-25-0x0000000008070000-0x0000000008190000-memory.dmp

Filesize
1.1MB

Download
memory/3984-8-0x0000000001060000-0x0000000001460000-memory.dmp

Filesize
4.0MB

Download
memory/4424-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-18-0x00000000006F0000-0x0000000000711000-memory.dmp

Filesize
132KB

Download
memory/4424-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-14-0x00000000006F0000-0x0000000000711000-memory.dmp

Filesize
132KB

Download
memory/4424-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-10-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/4424-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download