Analysis Overview
SHA256
ccab681baa683fa5d1bc2c11f786b67800eca96442ace9372c8dd5d31b5366e2
Threat Level: Known bad
The file e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.zip was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Executes dropped EXE
Sets file execution options in registry
Loads dropped DLL
Deletes itself
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
NSIS installer
Modifies Internet Explorer settings
Checks processor information in registry
Modifies Internet Explorer Protected Mode
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Runs ping.exe
Modifies Internet Explorer Protected Mode Banner
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-15 10:32
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-15 10:32
Reported
2021-02-15 10:38
Platform
win10v20201028
Max time kernel
300s
Max time network
295s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogIeUpdater = "C:\\ProgramData\\GoogIeUpdater\\e31911mqq.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIeUpdater = "\"C:\\ProgramData\\GoogIeUpdater\\e31911mqq.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2880 set thread context of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe
"C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 52.114.133.61:443 | tcp | |
| N/A | 8.8.8.8:53 | update.microsoft.com | udp |
| N/A | 40.70.224.146:80 | update.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | udp | |
| N/A | 51.140.157.153:443 | tcp | |
| N/A | 8.8.8.8:53 | udp | |
| N/A | 93.184.220.29:80 | tcp |
Files
memory/360-2-0x0000000002340000-0x0000000002341000-memory.dmp
memory/360-3-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/360-4-0x0000000004B30000-0x0000000004BBD000-memory.dmp
memory/360-5-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
memory/360-6-0x0000000004A90000-0x0000000004B1B000-memory.dmp
memory/360-8-0x0000000000692000-0x0000000000693000-memory.dmp
memory/360-7-0x0000000000690000-0x0000000000691000-memory.dmp
memory/360-9-0x0000000000693000-0x0000000000694000-memory.dmp
memory/360-10-0x0000000000694000-0x0000000000696000-memory.dmp
memory/360-11-0x0000000002320000-0x0000000002321000-memory.dmp
memory/360-12-0x0000000000696000-0x0000000000698000-memory.dmp
memory/360-13-0x0000000000698000-0x0000000000699000-memory.dmp
memory/2880-14-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/812-16-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
\Users\Admin\AppData\Local\Temp\nsc5924.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/196-19-0x0000000000000000-mapping.dmp
memory/3292-20-0x0000000000000000-mapping.dmp
memory/2880-21-0x0000000002140000-0x0000000002177000-memory.dmp
C:\Users\Admin\Desktop\AddInvoke.bmp
| MD5 | 78201364461fa883724ab731ec7de8ba |
| SHA1 | 0a6843b1fa2eb29f90d9754a16662a833e04dce9 |
| SHA256 | d927cada2d6490ac6a3308cfcba207550a565d841e17f2bc530e0f10aaa14722 |
| SHA512 | cab20f38bbbf9bb70283e98a8f723323ee6d7390f7b276bc392b87810bec1649272ea8b81643becfe643e6533479aad7d812a9ab2dd7e597489981e15774406f |
memory/4056-23-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/4056-28-0x0000000000560000-0x0000000000561000-memory.dmp
memory/4056-27-0x0000000000510000-0x000000000051D000-memory.dmp
memory/4056-26-0x00000000007F0000-0x0000000000856000-memory.dmp
memory/4056-25-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4056-29-0x0000000000880000-0x000000000088C000-memory.dmp
memory/728-30-0x0000000000000000-mapping.dmp
memory/728-31-0x0000000000150000-0x0000000000590000-memory.dmp
memory/728-32-0x0000000002A00000-0x0000000002AD6000-memory.dmp
memory/728-36-0x0000000002D00000-0x0000000002D01000-memory.dmp
memory/728-38-0x0000000002E30000-0x0000000002E32000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-02-15 10:32
Reported
2021-02-15 11:03
Platform
win7v20201028
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogIeUpdater = "C:\\ProgramData\\GoogIeUpdater\\omai5a5oi.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIeUpdater = "\"C:\\ProgramData\\GoogIeUpdater\\omai5a5oi.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe
"C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 216.58.208.110:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 10.7.0.65:5355 | udp | |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 10.7.0.65:5355 | udp |
Files
memory/1932-2-0x0000000001FE0000-0x0000000001FF1000-memory.dmp
memory/1932-3-0x0000000073D80000-0x000000007446E000-memory.dmp
memory/1932-4-0x0000000004991000-0x0000000004992000-memory.dmp
memory/1932-5-0x00000000047F0000-0x000000000487D000-memory.dmp
memory/1932-11-0x00000000020A0000-0x000000000212B000-memory.dmp
memory/1932-13-0x0000000004993000-0x0000000004994000-memory.dmp
memory/1932-14-0x0000000004994000-0x0000000004996000-memory.dmp
memory/1932-12-0x0000000004992000-0x0000000004993000-memory.dmp
memory/1932-15-0x0000000002030000-0x0000000002031000-memory.dmp
memory/1932-16-0x000000000499A000-0x00000000049AB000-memory.dmp
\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1752-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1752-20-0x00000000750C1000-0x00000000750C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
\Users\Admin\AppData\Local\Temp\nsxD5B.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/604-23-0x0000000000000000-mapping.dmp
memory/348-24-0x0000000000000000-mapping.dmp
memory/576-25-0x0000000000000000-mapping.dmp
memory/1752-26-0x00000000004A0000-0x00000000004D7000-memory.dmp
\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1064-28-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1064-31-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1064-33-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1064-34-0x0000000000250000-0x000000000025D000-memory.dmp
memory/1064-36-0x0000000000610000-0x000000000061C000-memory.dmp
memory/1064-35-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1064-32-0x00000000002B0000-0x0000000000316000-memory.dmp
memory/372-37-0x0000000000000000-mapping.dmp
memory/372-39-0x00000000742D1000-0x00000000742D3000-memory.dmp
memory/372-40-0x0000000076EA0000-0x0000000077021000-memory.dmp
memory/372-41-0x0000000000520000-0x00000000005F6000-memory.dmp
memory/1064-46-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/372-45-0x0000000000250000-0x000000000025C000-memory.dmp
memory/372-48-0x0000000000600000-0x0000000000602000-memory.dmp
memory/1260-49-0x00000000036D0000-0x00000000036D6000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-02-15 10:32
Reported
2021-02-15 10:34
Platform
win10v20201028
Max time kernel
57s
Max time network
50s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogIeUpdater = "C:\\ProgramData\\GoogIeUpdater\\1uq3u19o95.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIeUpdater = "\"C:\\ProgramData\\GoogIeUpdater\\1uq3u19o95.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 372 set thread context of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe
"C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 52.185.71.28:80 | windowsupdate.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
Files
memory/1192-2-0x0000000002270000-0x0000000002271000-memory.dmp
memory/1192-3-0x0000000073A10000-0x00000000740FE000-memory.dmp
memory/1192-4-0x0000000004BF0000-0x0000000004C7D000-memory.dmp
memory/1192-5-0x0000000004D10000-0x0000000004D11000-memory.dmp
memory/1192-6-0x0000000004B60000-0x0000000004BEB000-memory.dmp
memory/1192-8-0x0000000004D02000-0x0000000004D03000-memory.dmp
memory/1192-7-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/1192-9-0x0000000004D03000-0x0000000004D04000-memory.dmp
memory/1192-10-0x0000000004D04000-0x0000000004D06000-memory.dmp
memory/1192-13-0x0000000004D06000-0x0000000004D08000-memory.dmp
memory/372-12-0x0000000000000000-mapping.dmp
memory/1192-11-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1192-14-0x0000000004D08000-0x0000000004D09000-memory.dmp
memory/2652-16-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\nsf6CDB.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1016-19-0x0000000000000000-mapping.dmp
memory/2312-20-0x0000000000000000-mapping.dmp
memory/372-21-0x00000000096B0000-0x00000000096E7000-memory.dmp
memory/3888-22-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/3888-24-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3888-25-0x00000000021C0000-0x0000000002226000-memory.dmp
memory/3888-26-0x0000000000590000-0x000000000059D000-memory.dmp
memory/3888-27-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/3888-28-0x0000000002680000-0x000000000268C000-memory.dmp
memory/1532-29-0x0000000000000000-mapping.dmp
memory/1532-30-0x00000000010F0000-0x0000000001530000-memory.dmp
memory/1532-31-0x0000000001000000-0x00000000010D6000-memory.dmp
memory/3888-35-0x0000000002670000-0x0000000002671000-memory.dmp
memory/1532-37-0x0000000006B30000-0x0000000006B32000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-02-15 10:32
Reported
2021-02-15 10:43
Platform
win10v20201028
Max time kernel
598s
Max time network
584s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogIeUpdater = "C:\\ProgramData\\GoogIeUpdater\\9aua935mc37ccek.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIeUpdater = "\"C:\\ProgramData\\GoogIeUpdater\\9aua935mc37ccek.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 688 set thread context of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe
"C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 52.185.71.28:80 | windowsupdate.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
Files
memory/1456-2-0x0000000002310000-0x0000000002311000-memory.dmp
memory/1456-3-0x00000000734E0000-0x0000000073BCE000-memory.dmp
memory/1456-4-0x0000000004CA0000-0x0000000004D2D000-memory.dmp
memory/1456-5-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/1456-6-0x0000000004B90000-0x0000000004C1B000-memory.dmp
memory/1456-7-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/1456-8-0x0000000004C92000-0x0000000004C93000-memory.dmp
memory/1456-9-0x0000000004C93000-0x0000000004C94000-memory.dmp
memory/1456-11-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1456-10-0x0000000004C94000-0x0000000004C96000-memory.dmp
memory/1456-13-0x0000000004C98000-0x0000000004C99000-memory.dmp
memory/1456-12-0x0000000004C96000-0x0000000004C98000-memory.dmp
memory/688-14-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1008-16-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
\Users\Admin\AppData\Local\Temp\nsp9EA9.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/2260-19-0x0000000000000000-mapping.dmp
memory/688-20-0x00000000096C0000-0x00000000096F7000-memory.dmp
memory/2112-21-0x0000000000000000-mapping.dmp
memory/1220-22-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/1220-24-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1220-25-0x0000000002140000-0x00000000021A6000-memory.dmp
memory/1220-26-0x00000000004C0000-0x00000000004CD000-memory.dmp
memory/188-27-0x0000000000000000-mapping.dmp
memory/1220-29-0x0000000002670000-0x000000000267C000-memory.dmp
memory/1220-28-0x0000000002640000-0x0000000002641000-memory.dmp
memory/188-30-0x0000000001060000-0x00000000014A0000-memory.dmp
memory/188-31-0x00000000034A0000-0x0000000003576000-memory.dmp
memory/1220-35-0x0000000002660000-0x0000000002661000-memory.dmp
memory/188-37-0x0000000005300000-0x0000000005302000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-15 10:32
Reported
2021-02-15 11:03
Platform
win10v20201028
Max time kernel
1798s
Max time network
1796s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GoogIeUpdater = "C:\\ProgramData\\GoogIeUpdater\\91ma33u57.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogIeUpdater = "\"C:\\ProgramData\\GoogIeUpdater\\91ma33u57.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4232 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AudioSes.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe
"C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e0a124e431d01bf7b194ad5a2f8c0435471c0e1b062e165c3db211186a1ea901.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
"C:\Users\Admin\AppData\Local\Temp\AudioSes.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 216.58.208.110:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
| N/A | 8.8.8.8:53 | betabot.pw | udp |
Files
memory/4680-2-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/4680-3-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/4680-4-0x0000000002650000-0x00000000026DD000-memory.dmp
memory/4680-5-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/4680-6-0x0000000005040000-0x00000000050CB000-memory.dmp
memory/4680-7-0x0000000002140000-0x0000000002141000-memory.dmp
memory/4680-8-0x0000000002142000-0x0000000002143000-memory.dmp
memory/4680-9-0x0000000002143000-0x0000000002144000-memory.dmp
memory/4680-10-0x0000000002144000-0x0000000002146000-memory.dmp
memory/4680-11-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/4680-12-0x0000000002146000-0x0000000002148000-memory.dmp
memory/4680-13-0x0000000002148000-0x0000000002149000-memory.dmp
memory/4232-14-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/3120-16-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
\Users\Admin\AppData\Local\Temp\nst358F.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
memory/4192-19-0x0000000000000000-mapping.dmp
memory/4268-20-0x0000000000000000-mapping.dmp
memory/4232-21-0x00000000096E0000-0x0000000009717000-memory.dmp
C:\Users\Admin\Desktop\DismountBackup.sql
| MD5 | 7d620d9beafe1f6909dc2b709f699b1f |
| SHA1 | e59908c56bd5866c47c1509191e7d8759e5aaf6f |
| SHA256 | 6c6fb72aae43e3182034065a3d1805b779ce4f4f17895962588c3194eb11e7ae |
| SHA512 | f5804fb3708434d338e0360fa8df11436040a72898792f988ac4bccc57de43f848a6a719f52fc3772ec2e9c3e091b14972b0e381d85298b68463b921491bb52f |
memory/888-23-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AudioSes.exe
| MD5 | 043af181d5788fae0a7bc3faf74c287e |
| SHA1 | f2a20f5ffd9d2a0cff50c9a030c88e3943a0c65f |
| SHA256 | 21e58ba4dddbb85983c87192bd76812f06bec3c48582fde844aaf7c16fcbb196 |
| SHA512 | 99108600ca35f217f2cf118ffdf01f983cea903d3bca94d085dfd40e1a91f32eed66a4e8d2655678ee9580c91be2de78a8da4c321c2fae26a7705fcf0d57dda5 |
memory/888-25-0x0000000000400000-0x0000000000435000-memory.dmp
memory/888-26-0x0000000002150000-0x00000000021B6000-memory.dmp
memory/888-27-0x00000000005A0000-0x00000000005AD000-memory.dmp
memory/888-28-0x0000000002640000-0x0000000002641000-memory.dmp
memory/888-29-0x0000000002670000-0x000000000267C000-memory.dmp
memory/1060-30-0x0000000000000000-mapping.dmp
memory/1060-31-0x00000000002D0000-0x0000000000710000-memory.dmp
memory/1060-32-0x0000000003280000-0x0000000003356000-memory.dmp
memory/888-36-0x0000000002660000-0x0000000002661000-memory.dmp
memory/1060-38-0x00000000062A0000-0x00000000062A2000-memory.dmp