betabot | 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7v20201028
submitted
05-11-2020 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Size

710KB
MD5

3e01b25d00cf3a9d93e4d4934fbeb8d1
SHA1

db596e58d89f5cbb2ac89c38f8a03a7b09aa90fa
SHA256

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee
SHA512

bcb72c63699f1353bd5d3e9a2e8a8e1ce85174d481a88821d99f8be5ffa59f4ff4ba3ef7a24725b3e09807ded257f39e6a5e7b3d17b6d975f76d33661292c672

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Executes dropped EXE 3 IoCs

Processes:

yy955acu5q9_1.exe73gmgguy39.exeq1qq3gcg.exe

pid process

532 yy955acu5q9_1.exe
1312 73gmgguy39.exe
972 q1qq3gcg.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Loads dropped DLL 3 IoCs

Processes:

explorer.exe

pid process

1952 explorer.exe
1952 explorer.exe
1952 explorer.exe

pid	process
532	yy955acu5q9_1.exe
1312	73gmgguy39.exe
972	q1qq3gcg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\yy955acu5q9.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\yy955acu5q9.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\yy955acu5q9.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini explorer.exe

description	ioc	process
File opened for modification	C:\ProgramData\Google Updater 2.09\desktop.ini	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeexplorer.exe

pid	process
1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeyy955acu5q9_1.exe

description	pid	process	target process
PID 288 set thread context of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 532 set thread context of 0	532	yy955acu5q9_1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe

NTFS ADS 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe:14EDFC78	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe:14EDFC78	explorer.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

explorer.exe

pid	process
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

q1qq3gcg.exe73gmgguy39.exe

pid process

972 q1qq3gcg.exe
1312 73gmgguy39.exe

pid	process
972	q1qq3gcg.exe
1312	73gmgguy39.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeexplorer.exe

pid	process
1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
1952	explorer.exe
1952	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe

pid process

1740 6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeRestorePrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeBackupPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeLoadDriverPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeCreatePagefilePrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeShutdownPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeTakeOwnershipPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeChangeNotifyPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeCreateTokenPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeMachineAccountPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeSecurityPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeAssignPrimaryTokenPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeCreateGlobalPrivilege	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: 33	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
Token: SeDebugPrivilege	1952	explorer.exe
Token: SeRestorePrivilege	1952	explorer.exe
Token: SeBackupPrivilege	1952	explorer.exe
Token: SeLoadDriverPrivilege	1952	explorer.exe
Token: SeCreatePagefilePrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeTakeOwnershipPrivilege	1952	explorer.exe
Token: SeChangeNotifyPrivilege	1952	explorer.exe
Token: SeCreateTokenPrivilege	1952	explorer.exe
Token: SeMachineAccountPrivilege	1952	explorer.exe
Token: SeSecurityPrivilege	1952	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	1952	explorer.exe
Token: SeCreateGlobalPrivilege	1952	explorer.exe
Token: 33	1952	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

73gmgguy39.exeq1qq3gcg.exe

pid process

1312 73gmgguy39.exe
972 q1qq3gcg.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

q1qq3gcg.exe73gmgguy39.exe

pid process

972 q1qq3gcg.exe
1312 73gmgguy39.exe
1312 73gmgguy39.exe
972 q1qq3gcg.exe

pid	process
1312	73gmgguy39.exe
972	q1qq3gcg.exe

pid	process
972	q1qq3gcg.exe
1312	73gmgguy39.exe
1312	73gmgguy39.exe
972	q1qq3gcg.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exeexplorer.exe

description	pid	process	target process
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 288 wrote to memory of 1740	288	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1740 wrote to memory of 1952	1740	6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe	explorer.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1168	1952	explorer.exe	Dwm.exe
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 1220	1952	explorer.exe	Explorer.EXE
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 532	1952	explorer.exe	yy955acu5q9_1.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 1312	1952	explorer.exe	73gmgguy39.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe
PID 1952 wrote to memory of 972	1952	explorer.exe	q1qq3gcg.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
"C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe
"C:\Users\Admin\AppData\Local\Temp\6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee.exe"
3⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe
/suac
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:532

C:\Users\Admin\AppData\Local\Temp\73gmgguy39.exe
"C:\Users\Admin\AppData\Local\Temp\73gmgguy39.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Users\Admin\AppData\Local\Temp\q1qq3gcg.exe
"C:\Users\Admin\AppData\Local\Temp\q1qq3gcg.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\73gmgguy39.exe
MD5
8b24634b0ef69cbe9c50db7fefbe302e

SHA1
4ff6c1f82191ab1ce371b432c6f9d9d2f2b9adcc

SHA256
f11b4d253e6e8ece1b9fec752dafa180bb4989505ae76a4356f9b373c617812e

SHA512
1e66c7d335f6cbed4e67613af07e1ac076fc0d2dc0f09cc756361daf765231b5d48ff9059bceff2aefcbe4d1078b776ad4f4b08164c0a6d3f5b873cc36414dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\73gmgguy39.exe
MD5
8b24634b0ef69cbe9c50db7fefbe302e

SHA1
4ff6c1f82191ab1ce371b432c6f9d9d2f2b9adcc

SHA256
f11b4d253e6e8ece1b9fec752dafa180bb4989505ae76a4356f9b373c617812e

SHA512
1e66c7d335f6cbed4e67613af07e1ac076fc0d2dc0f09cc756361daf765231b5d48ff9059bceff2aefcbe4d1078b776ad4f4b08164c0a6d3f5b873cc36414dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbg.txt
MD5
233d32ef4619c20d997073308ae77be5

SHA1
1aad63cba98c4851d9139ffc9bd34a9033af3922

SHA256
ca9f2d160d56cb2da0817e8905e2b20539f7fe0953af09913362aba1f8811143

SHA512
97c52a6d7144a7e16a31f966f31e21ee6836c214ef01ea6031df063c9fe48adeff30378ff8b5b72e25d6a9c8c77875c66c7e73f08860cd7c055ac951ad2ca9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbg.txt
MD5
605e9ec302dbfd6e2f70359cee9a95cd

SHA1
08c55f1ebb5a005f0e17182f48801dad048ee6fc

SHA256
55491c04f7bdcb3305836ab70d036c05bf18ae4342bbeb538eb597deb6251137

SHA512
3ba192150a3fc6943d8200d5d5b13fdc6a7295343f45f49da31415300018ad242c34ce626857137896e46bc5443e1429d5461a184981308296783a9ec348812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1qq3gcg.exe
MD5
c7948777384f447d7964e80a5293810e

SHA1
035365a28bee0a196901f93932e1e62762ad20b4

SHA256
43c0f2925d3949ec5ae103a0423b35b65e5eed6676a64b5b642aaf5baf609f6c

SHA512
e5fca7eac77e9fc0a18f07782e4e810961c82f5c3a502f437fd982cf28918af909b28d1e5c2f85e765ceb1f1ecc2d202eb9911140af0fdb111ee38646fa49960

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1qq3gcg.exe
MD5
c7948777384f447d7964e80a5293810e

SHA1
035365a28bee0a196901f93932e1e62762ad20b4

SHA256
43c0f2925d3949ec5ae103a0423b35b65e5eed6676a64b5b642aaf5baf609f6c

SHA512
e5fca7eac77e9fc0a18f07782e4e810961c82f5c3a502f437fd982cf28918af909b28d1e5c2f85e765ceb1f1ecc2d202eb9911140af0fdb111ee38646fa49960

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe
MD5
3e01b25d00cf3a9d93e4d4934fbeb8d1

SHA1
db596e58d89f5cbb2ac89c38f8a03a7b09aa90fa

SHA256
6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee

SHA512
bcb72c63699f1353bd5d3e9a2e8a8e1ce85174d481a88821d99f8be5ffa59f4ff4ba3ef7a24725b3e09807ded257f39e6a5e7b3d17b6d975f76d33661292c672

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe
MD5
3e01b25d00cf3a9d93e4d4934fbeb8d1

SHA1
db596e58d89f5cbb2ac89c38f8a03a7b09aa90fa

SHA256
6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee

SHA512
bcb72c63699f1353bd5d3e9a2e8a8e1ce85174d481a88821d99f8be5ffa59f4ff4ba3ef7a24725b3e09807ded257f39e6a5e7b3d17b6d975f76d33661292c672

Download Submit
\Users\Admin\AppData\Local\Temp\73gmgguy39.exe
MD5
8b24634b0ef69cbe9c50db7fefbe302e

SHA1
4ff6c1f82191ab1ce371b432c6f9d9d2f2b9adcc

SHA256
f11b4d253e6e8ece1b9fec752dafa180bb4989505ae76a4356f9b373c617812e

SHA512
1e66c7d335f6cbed4e67613af07e1ac076fc0d2dc0f09cc756361daf765231b5d48ff9059bceff2aefcbe4d1078b776ad4f4b08164c0a6d3f5b873cc36414dd1

Download Submit
\Users\Admin\AppData\Local\Temp\q1qq3gcg.exe
MD5
c7948777384f447d7964e80a5293810e

SHA1
035365a28bee0a196901f93932e1e62762ad20b4

SHA256
43c0f2925d3949ec5ae103a0423b35b65e5eed6676a64b5b642aaf5baf609f6c

SHA512
e5fca7eac77e9fc0a18f07782e4e810961c82f5c3a502f437fd982cf28918af909b28d1e5c2f85e765ceb1f1ecc2d202eb9911140af0fdb111ee38646fa49960

Download Submit
\Users\Admin\AppData\Local\Temp\yy955acu5q9_1.exe
MD5
3e01b25d00cf3a9d93e4d4934fbeb8d1

SHA1
db596e58d89f5cbb2ac89c38f8a03a7b09aa90fa

SHA256
6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee

SHA512
bcb72c63699f1353bd5d3e9a2e8a8e1ce85174d481a88821d99f8be5ffa59f4ff4ba3ef7a24725b3e09807ded257f39e6a5e7b3d17b6d975f76d33661292c672

Download Submit
memory/288-2-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/532-14-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/532-11-0x0000000000000000-mapping.dmp

Download
memory/972-26-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/972-23-0x0000000000000000-mapping.dmp

Download
memory/972-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1008-9-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

Filesize
2.5MB

Download
memory/1312-20-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1312-19-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1312-16-0x0000000000000000-mapping.dmp

Download
memory/1740-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-5-0x00000000029D0000-0x0000000002B51000-memory.dmp

Filesize
1.5MB

Download
memory/1740-4-0x00000000025B0000-0x00000000026CB000-memory.dmp

Filesize
1.1MB

Download
memory/1740-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-1-0x00000000004015C6-mapping.dmp

Download
memory/1952-6-0x0000000000000000-mapping.dmp

Download