Analysis Overview
SHA256
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Threat Level: Known bad
The file Documento--SII--33875.bin was found to be: Known bad.
Malicious Activity Summary
BetaBot
Modifies firewall policy service
Executes dropped EXE
Sets file execution options in registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Checks whether UAC is enabled
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode Banner
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Protected Mode
NTFS ADS
Suspicious behavior: RenamesItself
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-03-10 10:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-03-10 10:35
Reported
2021-03-10 10:37
Platform
win7v20201028
Max time kernel
151s
Max time network
150s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3ce9om5c3u5.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1616 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe |
| PID 1536 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe
"C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe"
C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe
"C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 104.215.148.63:80 | microsoft.com | tcp |
| N/A | 8.8.8.8:53 | rusianlover.icu | udp |
| N/A | 8.8.8.8:53 | rusianlover.icu | udp |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
| N/A | 8.8.8.8:53 | zakriasons.co | udp |
| N/A | 104.21.55.228:80 | zakriasons.co | tcp |
| N/A | 104.21.55.228:443 | zakriasons.co | tcp |
| N/A | 8.8.8.8:53 | estrelladamm.icu | udp |
| N/A | 8.210.47.214:80 | estrelladamm.icu | tcp |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.8.8:53 | rusianlover.icu | udp |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
| N/A | 172.217.168.206:443 | tcp | |
| N/A | 172.217.168.206:443 | tcp | |
| N/A | 216.58.214.14:443 | tcp | |
| N/A | 216.58.214.14:443 | tcp | |
| N/A | 172.217.19.195:443 | tcp | |
| N/A | 172.217.19.195:443 | tcp | |
| N/A | 172.217.17.68:443 | tcp | |
| N/A | 172.217.168.226:443 | tcp | |
| N/A | 172.217.168.226:443 | tcp | |
| N/A | 172.217.17.68:443 | tcp | |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
Files
memory/1940-2-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1940-3-0x00000000004015C6-mapping.dmp
memory/1940-4-0x00000000765A1000-0x00000000765A3000-memory.dmp
memory/1940-6-0x0000000001C90000-0x0000000001CF6000-memory.dmp
memory/1940-7-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1940-8-0x00000000003C0000-0x00000000003CD000-memory.dmp
memory/1940-5-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1940-9-0x0000000001C30000-0x0000000001C31000-memory.dmp
memory/1940-10-0x00000000024E0000-0x00000000024EC000-memory.dmp
memory/2040-11-0x0000000000000000-mapping.dmp
memory/2040-13-0x0000000075211000-0x0000000075213000-memory.dmp
memory/2040-14-0x0000000077BE0000-0x0000000077D61000-memory.dmp
memory/2040-15-0x0000000000160000-0x000000000029A000-memory.dmp
memory/2040-19-0x0000000000450000-0x000000000045C000-memory.dmp
memory/2040-20-0x0000000000440000-0x0000000000441000-memory.dmp
memory/2040-22-0x0000000000870000-0x0000000000872000-memory.dmp
memory/1088-23-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmp
memory/1088-24-0x0000000000100000-0x0000000000106000-memory.dmp
\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe
| MD5 | 2ced2c14eece71c72c5e45e8a607bb4c |
| SHA1 | 13a700a297a7e5697d69bb743c3b256ac10a14e2 |
| SHA256 | 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e |
| SHA512 | 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06 |
memory/1536-26-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe
| MD5 | 2ced2c14eece71c72c5e45e8a607bb4c |
| SHA1 | 13a700a297a7e5697d69bb743c3b256ac10a14e2 |
| SHA256 | 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e |
| SHA512 | 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06 |
C:\Users\Admin\AppData\Local\Temp\3ce9om5c3u5_1.exe
| MD5 | 2ced2c14eece71c72c5e45e8a607bb4c |
| SHA1 | 13a700a297a7e5697d69bb743c3b256ac10a14e2 |
| SHA256 | 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e |
| SHA512 | 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06 |
\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe
| MD5 | 08cdfd0d3a406601c42f087da16ec6c8 |
| SHA1 | 48fd8eef568d2372e2a883283e58e5def81fef07 |
| SHA256 | eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253 |
| SHA512 | d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940 |
memory/692-30-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1aek5ikgy73.exe
| MD5 | 08cdfd0d3a406601c42f087da16ec6c8 |
| SHA1 | 48fd8eef568d2372e2a883283e58e5def81fef07 |
| SHA256 | eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253 |
| SHA512 | d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940 |
\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe
| MD5 | 50803bdba827e6ae4600da26b5e81800 |
| SHA1 | e3650665dd57b79514d33fe8e8d8ff8429b52c55 |
| SHA256 | 02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b |
| SHA512 | c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50 |
C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe
| MD5 | 50803bdba827e6ae4600da26b5e81800 |
| SHA1 | e3650665dd57b79514d33fe8e8d8ff8429b52c55 |
| SHA256 | 02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b |
| SHA512 | c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50 |
memory/908-35-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ki7ym5c7i7ym.exe
| MD5 | 50803bdba827e6ae4600da26b5e81800 |
| SHA1 | e3650665dd57b79514d33fe8e8d8ff8429b52c55 |
| SHA256 | 02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b |
| SHA512 | c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50 |
memory/908-39-0x0000000000990000-0x0000000000991000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\1ACF592E7018DA88DDC32B96D203A4BE\32\sqlite3.dll
| MD5 | 0a855f27a1e48991d14c593cb930d2b2 |
| SHA1 | 01935b77a59ab90be4af37bb4e8bc57fbdcf23a1 |
| SHA256 | 43d11ddfa64be9a2eeb94574f21fd45334e4598506f3d5ae1446c7a0add10300 |
| SHA512 | bfc680d50d043c438c0c4bc97f7830010bf302e9e81296c57b1a06e3e87a2000444e44fadec20ca2025260bf745629971bfca02ff59469085fc7eada7912e873 |
memory/1272-41-0x0000000002A80000-0x0000000002A86000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-03-10 10:35
Reported
2021-03-10 10:37
Platform
win10v20201028
Max time kernel
150s
Max time network
150s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\uq175yw9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\uq175yw9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\uq175yw9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4692 set thread context of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe |
| PID 996 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
"C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.0\'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
"C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 104.215.148.63:80 | microsoft.com | tcp |
| N/A | 8.8.8.8:53 | rusianlover.icu | udp |
| N/A | 8.8.8.8:53 | rusianlover.icu | udp |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
| N/A | 8.8.8.8:53 | zakriasons.co | udp |
| N/A | 104.21.55.228:80 | zakriasons.co | tcp |
| N/A | 104.21.55.228:443 | zakriasons.co | tcp |
| N/A | 8.8.8.8:53 | ctldl.windowsupdate.com | udp |
| N/A | 8.8.8.8:53 | estrelladamm.icu | udp |
| N/A | 8.210.47.214:80 | estrelladamm.icu | tcp |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
| N/A | 212.114.52.43:80 | rusianlover.icu | tcp |
Files
memory/5020-3-0x00000000004015C6-mapping.dmp
memory/5020-2-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5020-4-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5020-5-0x0000000002260000-0x00000000022C6000-memory.dmp
memory/5020-7-0x0000000002770000-0x0000000002771000-memory.dmp
memory/5020-6-0x0000000000A90000-0x0000000000A9D000-memory.dmp
memory/5020-8-0x00000000027A0000-0x00000000027AC000-memory.dmp
memory/416-9-0x0000000000000000-mapping.dmp
memory/5020-10-0x0000000002790000-0x0000000002791000-memory.dmp
memory/416-11-0x00000000012C0000-0x0000000001700000-memory.dmp
memory/416-12-0x0000000000600000-0x000000000073A000-memory.dmp
memory/416-13-0x0000000000A90000-0x0000000000A9D000-memory.dmp
memory/416-17-0x00000000012B0000-0x00000000012B2000-memory.dmp
memory/996-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
| MD5 | 2ced2c14eece71c72c5e45e8a607bb4c |
| SHA1 | 13a700a297a7e5697d69bb743c3b256ac10a14e2 |
| SHA256 | 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e |
| SHA512 | 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06 |
C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
| MD5 | 2ced2c14eece71c72c5e45e8a607bb4c |
| SHA1 | 13a700a297a7e5697d69bb743c3b256ac10a14e2 |
| SHA256 | 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e |
| SHA512 | 199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06 |
C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
| MD5 | 08cdfd0d3a406601c42f087da16ec6c8 |
| SHA1 | 48fd8eef568d2372e2a883283e58e5def81fef07 |
| SHA256 | eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253 |
| SHA512 | d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940 |
memory/1236-21-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
| MD5 | 08cdfd0d3a406601c42f087da16ec6c8 |
| SHA1 | 48fd8eef568d2372e2a883283e58e5def81fef07 |
| SHA256 | eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253 |
| SHA512 | d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940 |
memory/1884-26-0x0000000000000000-mapping.dmp
memory/944-27-0x0000000000000000-mapping.dmp
memory/2232-29-0x0000000000000000-mapping.dmp
memory/2088-28-0x0000000000000000-mapping.dmp
memory/944-31-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
memory/1884-30-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
memory/2088-32-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
memory/944-34-0x000001F005990000-0x000001F005992000-memory.dmp
memory/2232-35-0x0000014F648E0000-0x0000014F648E2000-memory.dmp
memory/944-36-0x000001F005993000-0x000001F005995000-memory.dmp
memory/1884-37-0x0000023E1C970000-0x0000023E1C972000-memory.dmp
memory/2232-33-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
memory/1884-38-0x0000023E1C973000-0x0000023E1C975000-memory.dmp
memory/2088-39-0x000001AC71D60000-0x000001AC71D62000-memory.dmp
memory/2232-40-0x0000014F648E3000-0x0000014F648E5000-memory.dmp
memory/2088-41-0x000001AC71D63000-0x000001AC71D65000-memory.dmp
memory/944-42-0x000001F005960000-0x000001F005961000-memory.dmp
memory/4500-46-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
| MD5 | 50803bdba827e6ae4600da26b5e81800 |
| SHA1 | e3650665dd57b79514d33fe8e8d8ff8429b52c55 |
| SHA256 | 02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b |
| SHA512 | c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50 |
memory/1884-47-0x0000023E1F410000-0x0000023E1F411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
| MD5 | 50803bdba827e6ae4600da26b5e81800 |
| SHA1 | e3650665dd57b79514d33fe8e8d8ff8429b52c55 |
| SHA256 | 02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b |
| SHA512 | c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50 |
memory/2088-54-0x000001AC71D66000-0x000001AC71D68000-memory.dmp
memory/1884-55-0x0000023E1C976000-0x0000023E1C978000-memory.dmp
memory/4500-53-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\1ACF592E7018DA88DDC32B96D203A4BE\32\sqlite3.dll
| MD5 | 0a855f27a1e48991d14c593cb930d2b2 |
| SHA1 | 01935b77a59ab90be4af37bb4e8bc57fbdcf23a1 |
| SHA256 | 43d11ddfa64be9a2eeb94574f21fd45334e4598506f3d5ae1446c7a0add10300 |
| SHA512 | bfc680d50d043c438c0c4bc97f7830010bf302e9e81296c57b1a06e3e87a2000444e44fadec20ca2025260bf745629971bfca02ff59469085fc7eada7912e873 |
memory/944-57-0x000001F005996000-0x000001F005998000-memory.dmp
memory/2232-58-0x0000014F648E6000-0x0000014F648E8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 51a4b659b594c8c34fb19f137a25ab16 |
| SHA1 | 8f30640240a0a924f911e1cd8e1f3dc67416c217 |
| SHA256 | 9a60727320e185f17b79fcc7715d6f3bc8ef09812e1cd27962b8ffd867dd8f28 |
| SHA512 | 2790a76baea9d53f2af22217200a0096b8ecd700f0fe52984af8099b3621776c2348181cc4205309c5e63bae6ad2723cfb5867938cf81d06cef9d330a8b625da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2d3b7c2d13e0a9248e8c991a3e2b10f1 |
| SHA1 | a1be75c9958f4a86914ac7d1e03c18225ff7218f |
| SHA256 | 629df4004840bc9857155d6346dd0dd54eb696e12643781b7860618964708877 |
| SHA512 | 22bf007501d31d0aedceb72b9ba27e27e427bf0e364930e1127c65c5e9c252020730fe7c7d644e179737a90085e0ac68fadedd460a2500e9eae0847f5eb668b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2088-63-0x000001AC71D68000-0x000001AC71D69000-memory.dmp
memory/944-64-0x000001F005998000-0x000001F005999000-memory.dmp
memory/2232-65-0x0000014F648E8000-0x0000014F648E9000-memory.dmp
memory/1884-66-0x0000023E1C978000-0x0000023E1C979000-memory.dmp