Malware Analysis Report

2024-11-30 19:59

Sample ID 210520-86favxw862
Target 888079.dat
SHA256 b8d0da9ced6a8c38190e638895ad179d4f73ce78d1e7af59353babded269ae37
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8d0da9ced6a8c38190e638895ad179d4f73ce78d1e7af59353babded269ae37

Threat Level: Known bad

The file 888079.dat was classified as known bad; the BetaBot family signature matched in both behavioral runs (behavioral1 on win7v20210410 and behavioral2 on win10v20210408).

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

Modifies firewall policy service

BetaBot

Downloads MZ/PE file

Sets file execution options in registry

Sets file to hidden

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Drops desktop.ini file(s)

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer Protected Mode

Kills process with taskkill

NTFS ADS

Modifies Internet Explorer settings

Modifies registry class

Modifies Internet Explorer Protected Mode Banner

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-20 21:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-20 21:52

Reported

2021-05-20 21:55

Platform

win7v20210410

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A

Downloads MZ/PE file

Sets file execution options in registry

persistence

Sets file to hidden

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\log\cnvk\brokerf.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1400 set thread context of 1780 | N/A | C:\log\cnvk\brokerf.exe | C:\log\cnvk\brokerf.exe
PID 1504 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\log\cnvk\brokerf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\log\cnvk\brokerf.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Internet Explorer Protected Mode

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode Banner

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeRestorePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeBackupPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) | N/A | C:\log\cnvk\brokerf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences (identical rows)
PID 2040 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 1776 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1068 wrote to memory of 980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1068 wrote to memory of 820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\log\cnvk\sbn.exe | 4
PID 1068 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1068 wrote to memory of 1668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 1068 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1668 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 572 wrote to memory of 1648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe | 4
PID 572 wrote to memory of 1260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 572 wrote to memory of 1400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\log\cnvk\brokerf.exe | 4
PID 1400 wrote to memory of 1780 | N/A | C:\log\cnvk\brokerf.exe | C:\log\cnvk\brokerf.exe | 6
PID 572 wrote to memory of 1368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 572 wrote to memory of 1688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe | 4
PID 572 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe | 4
PID 572 wrote to memory of 804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 2

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
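The rows above are the sandbox's raw observations. Read together they say more than the signature names do: EnableFirewall = "0" under FirewallPolicy\<Profile> switches Windows Firewall off for that profile; Zones\<n>\2500 = "3" turns Internet Explorer Protected Mode off for zone n and NoProtectedModeBanner = "1" hides the warning about it; the Run/RunOnce values point the autostart at a copy under C:\ProgramData; the EnableLUA read is a UAC probe; and a SetThreadContext whose process and target are the same image (brokerf.exe into a second brokerf.exe) is the process-hollowing pattern. The Python below is an added example, not part of this report or of the sandbox's tooling. It parses the space-separated "Description Indicator Process Target" rows and turns them into findings. SAMPLE_ROWS are copied verbatim from the tables above; parse_row, unescape_value, analyze and the finding labels are this example's own, as is the assumption that the Process and Target cells never contain spaces (true of every row on this page).

```python
"""Parse flattened sandbox signature rows and flag BetaBot-style behaviours.

Added example for this page, not sandbox output. SAMPLE_ROWS are copied from
the behavioral1 tables; parse_row/analyze and the finding labels are this
example's own. Assumption: the Process and Target cells never contain spaces
(true of every row above), so those two columns can be split off from the right.
"""
import re

# Every value the Description column takes in the tables above.
DESCRIPTION_RE = re.compile(
    r"^(?P<desc>Key created|Key opened|Key value queried|Set value \((?:int|str)\)"
    r"|File opened for modification|File created|Token: \S+"
    r"|PID \d+ wrote to memory of \d+|PID \d+ set thread context of \d+|N/A)"
    r"\s+(?P<rest>.*)$"
)

SAMPLE_ROWS = [  # constructed: one row per signature of interest, copied from the report
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q315m5mq1.exe\"" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\log\cnvk\brokerf.exe N/A',
    r'PID 1400 set thread context of 1780 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A',
    r'File created C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe:14EDFC78 C:\Windows\SysWOW64\explorer.exe N/A',
    r'Token: SeDebugPrivilege N/A C:\log\cnvk\brokerf.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A',
    r'N/A N/A C:\Windows\SysWOW64\cmd.exe N/A',
]


def parse_row(row):
    """Split one 'Description Indicator Process Target' line into a dict."""
    m = DESCRIPTION_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised description in row: {row!r}")
    parts = m.group("rest").rsplit(maxsplit=2)  # the indicator may contain spaces
    if len(parts) != 3:
        raise ValueError(f"expected indicator/process/target in row: {row!r}")
    indicator, process, target = parts
    return {"description": m.group("desc"), "indicator": indicator,
            "process": process, "target": target}


def unescape_value(raw):
    """Undo the report's rendering of REG_SZ data (doubled backslashes, escaped and outer quotes)."""
    return raw.replace("\\\\", "\\").replace('\\"', '"').strip('"')


def analyze(rows):
    """Return (finding, detail) pairs for the behaviours worth alerting on."""
    findings = []
    for r in map(parse_row, rows):
        desc, ind, proc = r["description"], r["indicator"], r["process"]
        # Windows Firewall switched off for a profile (HKLM\...\FirewallPolicy\<Profile>).
        if m := re.search(r'FirewallPolicy\\(\w+)\\EnableFirewall = "0"', ind, re.I):
            findings.append(("firewall_disabled", f"{m[1]} by {proc}"))
        # Run/RunOnce autostart; flag payloads staged in user-writable locations.
        if m := re.search(r'CurrentVersion\\(Run(?:Once)?)\\(.+?) = "(.*)"$', ind, re.I):
            path = unescape_value(m[3])
            staged = bool(re.search(r"\\(ProgramData|Users)\\", path, re.I))
            findings.append(("autostart", f"{m[1]} '{m[2]}' -> {path}"
                             + (" (user-writable location)" if staged else "")))
        # UAC status probe.
        if desc == "Key value queried" and ind.endswith(r"\Policies\System\EnableLUA"):
            findings.append(("uac_check", f"EnableLUA read by {proc}"))
        # IE zone value 2500 is Protected Mode; 3 disables it. The banner value hides the warning.
        if m := re.search(r'Internet Settings\\Zones\\(\d)\\2500 = "3"', ind):
            findings.append(("ie_protected_mode_off", f"zone {m[1]} by {proc}"))
        if ind.endswith(r'\Main\NoProtectedModeBanner = "1"'):
            findings.append(("ie_banner_suppressed", f"by {proc}"))
        # NTFS alternate data stream written onto a dropped executable.
        if re.search(r"\.exe:[0-9A-Fa-f]{6,}$", ind):
            findings.append(("ntfs_ads", f"{ind} by {proc}"))
        # SeDebugPrivilege in anything other than taskkill, which legitimately asks for it.
        if desc == "Token: SeDebugPrivilege" and not proc.lower().endswith("taskkill.exe"):
            findings.append(("debug_privilege", f"enabled by {proc}"))
        # SetThreadContext into a child of the same image is the process-hollowing pattern.
        if m := re.match(r"PID (\d+) set thread context of (\d+)", desc):
            how = "same image as parent" if r["target"] == proc else f"target {r['target']}"
            findings.append(("thread_context", f"pid {m[1]} -> pid {m[2]} ({how}) by {proc}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_ROWS):
        print(f"{kind:22} {detail}")
```

Rows whose Description is not in DESCRIPTION_RE raise rather than silently mis-splitting, which is the failure you want when a new signature type appears in a report. The BIOS query and the all-N/A row pass through parse_row without producing a finding, so the parser and the rules can be checked separately.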

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\log\cnvk\yioi.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 0

C:\log\cnvk\sbn.exe

"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\log\cnvk\p541seed.bat" "

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1406895149-1235333697-6211268171722296216-1992013981-17122753707052267971861869376"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\log\"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\log\cnvk\brokerf.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

/suac

C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe

"C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe"
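Read in order, the command lines above are a scripted dropper chain: WScript runs a .vbs from C:\log\cnvk, which hands off to a .bat, which pads with timeout, runs sbn.exe on a .rar archive, hides C:\log with attrib +s +h, starts brokerf.exe /start (twice: the parent and the child it sets the thread context of), kills sbn.exe and finally unhides brokerf.exe. The Python below is an added example, not part of this report, that reconstructs that chain from the (image, command line) pairs and summarises the evasion and staging artefacts worth hunting for: total sleep time, dropped scripts, the archive and its password, hidden paths and the directories payloads ran from. PROCESSES is copied from the list above; the tokenizer, stage names and summary fields are this example's own, and reading the sbn.exe arguments as RAR console syntax (e = extract, -p<password> = archive password) is an assumption based on their shape.

```python
"""Reconstruct the staged dropper chain from the 'Processes' command lines.

Added example for this page, not sandbox output. PROCESSES is copied from the
behavioral1 process list; the tokenizer, stage names and summary fields are
this example's own. Assumption: the sbn.exe arguments are RAR console syntax
(e = extract, -p<password> = archive password), which is how they read.
"""
import re

PROCESSES = [  # constructed: (image, command line) pairs from the list above
    (r"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"'),
    (r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\log\cnvk\yioi.bat" "'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 0"),
    (r"C:\log\cnvk\sbn.exe", r'"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    (r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\log\cnvk\p541seed.bat" "'),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\log\"'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 2"),
    (r"C:\log\cnvk\brokerf.exe", "brokerf.exe /start"),
    (r"C:\log\cnvk\brokerf.exe", "brokerf.exe /start"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im sbn.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im sbn.exe"),
    (r"C:\Windows\SysWOW64\attrib.exe", r'attrib -s -h "C:\log\cnvk\brokerf.exe"'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 6"),
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    out = []
    for quoted, bare in re.findall(r'"([^"]*)"|([^\s"]+)', cmdline):
        tok = quoted or bare
        if tok.strip():          # drops the empty "" and the lone " " cmd.exe quirk
            out.append(tok)
    return out


def classify(image, cmdline):
    """Map one process to a (stage, details) pair."""
    t = tokens(cmdline)
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "timeout.exe":                     # execution delay, sandbox evasion
        return "delay", {"seconds": int(t[1])}
    if name == "wscript.exe":                     # script host running a dropped .vbs
        return "script", {"path": t[-1]}
    if name == "cmd.exe":                         # cmd /c "<dropped .bat>"
        return "batch", {"path": next(x for x in t if x.lower().endswith(".bat"))}
    if name == "attrib.exe":                      # +s +h hides, -s -h reveals
        flags = [x for x in t[1:] if x[0] in "+-"]
        return ("hide" if "+h" in flags else "unhide"), {"path": t[-1], "flags": flags}
    if name == "taskkill.exe":
        return "kill", {"image": t[t.index("/im") + 1]}
    # Assumed RAR console syntax: <tool> e -p<password> <archive>.rar
    if t[1:2] == ["e"] and t[-1].lower().endswith(".rar") and any(x.startswith("-p") for x in t):
        password = next(x[2:] for x in t if x.startswith("-p"))
        return "extract", {"tool": name, "archive": t[-1], "password": password}
    return "run", {"args": t[1:]}


def reconstruct(processes):
    """Classify every process and summarise the artefacts worth hunting for."""
    stages = [(image, *classify(image, cmd)) for image, cmd in processes]

    def pick(*kinds):
        return [d for _, s, d in stages if s in kinds]

    launches = [(img.rsplit("\\", 1)[-1] + " " + " ".join(d["args"])).strip()
                for img, s, d in stages if s == "run"]
    return {
        "stages": [(img.rsplit("\\", 1)[-1], s) for img, s, _ in stages],
        "total_delay_s": sum(d["seconds"] for d in pick("delay")),
        "scripts": [d["path"] for d in pick("script", "batch")],
        "archives": [(d["archive"], d["password"]) for d in pick("extract")],
        "hidden": [d["path"] for d in pick("hide")],
        "unhidden": [d["path"] for d in pick("unhide")],
        "killed": sorted({d["image"] for d in pick("kill")}),
        # Executables launched from outside C:\Windows: the staging and payload directories.
        "payload_dirs": sorted({img.rsplit("\\", 1)[0] for img, _, _ in stages
                                if not img.lower().startswith("c:\\windows\\")}),
        "payload_launches": launches,
    }


if __name__ == "__main__":
    for key, value in reconstruct(PROCESSES).items():
        print(f"{key}: {value}")
```

The summary is the hunting list: C:\log\cnvk and C:\ProgramData are the staging directories, attrib +s +h on C:\log is why a casual directory listing will not show it, and 18 seconds of cumulative timeout is a reminder that a sandbox run shorter than the delays would never reach brokerf.exe.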

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | google.com | udp
N/A | 172.217.20.110:80 | google.com | tcp
N/A | 8.8.8.8:53 | russk17.icu | udp
N/A | 8.8.8.8:53 | russk17.icu | udp
N/A | 198.12.112.202:80 | russk17.icu | tcp
N/A | 8.8.8.8:53 | morningstarlincoln.co.uk | udp
N/A | 79.170.44.146:80 | morningstarlincoln.co.uk | tcp
N/A | 8.8.8.8:53 | russk17.icu | udp
N/A | 198.12.112.202:80 | russk17.icu | tcp

Files

memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

memory/2040-61-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1776-62-0x0000000000000000-mapping.dmp

C:\log\cnvk\ftoris.vbs

MD5 0bd7eb0367eea35fa03b8baf753e3dbf
SHA1 5d99d076b6094be05ab24b292fab8b51a81926b5
SHA256 b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d
SHA512 1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

C:\log\cnvk\yioi.bat

MD5 b9c02e786af554bf4e548d218cb59406
SHA1 1afcdfc05077c6fe8367e005532af76dbe890c63
SHA256 9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd
SHA512 6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

memory/1068-66-0x0000000000000000-mapping.dmp

C:\log\cnvk\config.pfps

MD5 74938c40bb1e343a5f7fee8ce12636fd
SHA1 102a9af450b63e4e29fcb8221b783a6f0e657fc7
SHA256 48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f
SHA512 953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

memory/980-68-0x0000000000000000-mapping.dmp

\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

C:\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

memory/820-71-0x0000000000000000-mapping.dmp

C:\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

memory/864-74-0x0000000000000000-mapping.dmp

C:\log\cnvk\oll.vbs

MD5 aad7b3fbdc2b543dd2cc773d89d8bc17
SHA1 4b680e56de180c6674f86f0e228eaf7801ef182e
SHA256 a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75
SHA512 9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

memory/1668-77-0x0000000000000000-mapping.dmp

memory/640-78-0x0000000000000000-mapping.dmp

C:\log\cnvk\p541seed.bat

MD5 fb6bc7bd7f1d2813765c0dd42d96d62d
SHA1 c6d3306967de66dcbcd4340269a5c9ff62ede54f
SHA256 ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da
SHA512 572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

memory/572-81-0x0000000000000000-mapping.dmp

memory/1648-82-0x0000000000000000-mapping.dmp

memory/1260-83-0x0000000000000000-mapping.dmp

\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/1400-87-0x0000000000000000-mapping.dmp

\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/1780-89-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1780-90-0x00000000004015C6-mapping.dmp

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/1780-94-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1368-93-0x0000000000000000-mapping.dmp

memory/1780-95-0x0000000001CD0000-0x0000000001D36000-memory.dmp

memory/1780-96-0x0000000000340000-0x000000000034D000-memory.dmp

memory/1780-97-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1688-98-0x0000000000000000-mapping.dmp

memory/400-99-0x0000000000000000-mapping.dmp

memory/804-100-0x0000000000000000-mapping.dmp

memory/1084-101-0x0000000000000000-mapping.dmp

memory/1084-103-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/1084-108-0x0000000077AA0000-0x0000000077C20000-memory.dmp

memory/1084-109-0x0000000000160000-0x00000000002AD000-memory.dmp

memory/1084-107-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/1780-105-0x0000000000890000-0x000000000089C000-memory.dmp

memory/1780-104-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1780-112-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/804-114-0x00000000009D0000-0x0000000000B1D000-memory.dmp

memory/572-115-0x00000000020A0000-0x00000000021ED000-memory.dmp

memory/1084-116-0x0000000000A20000-0x0000000000A22000-memory.dmp

\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/1504-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

\Users\Admin\AppData\Local\Temp\geueci1ous7.exe

MD5 07f2ddc571ace474d3d7c0e5efd051a2
SHA1 ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8
SHA256 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f
SHA512 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe

MD5 07f2ddc571ace474d3d7c0e5efd051a2
SHA1 ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8
SHA256 4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f
SHA512 4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

memory/1760-122-0x0000000000000000-mapping.dmp

memory/440-126-0x00000000025A0000-0x00000000025A6000-memory.dmp

memory/1272-127-0x0000000002960000-0x0000000002966000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-20 21:52

Reported

2021-05-20 21:55

Platform

win10v20210408

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\log\cnvk\sbn.exe | N/A
N/A | N/A | C:\log\cnvk\brokerf.exe | N/A
N/A | N/A | C:\log\cnvk\brokerf.exe | N/A

Sets file execution options in registry

persistence

Sets file to hidden

evasion

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\39931771.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\39931771.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\log\cnvk\brokerf.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2228 set thread context of 2820 | N/A | C:\log\cnvk\brokerf.exe | C:\log\cnvk\brokerf.exe

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\log\cnvk\brokerf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\log\cnvk\brokerf.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Internet Explorer Protected Mode

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\log\cnvk\brokerf.exe N/A
N/A N/A C:\log\cnvk\brokerf.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeRestorePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeBackupPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeShutdownPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeMachineAccountPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeSecurityPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: 33 N/A C:\log\cnvk\brokerf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 668 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 668 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 3808 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 560 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 560 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 560 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 560 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1724 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 1724 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 1724 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 2228 wrote to memory of 2820 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 2228 wrote to memory of 2820 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 2228 wrote to memory of 2820 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 2228 wrote to memory of 2820 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 2228 wrote to memory of 2820 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1724 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1724 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1724 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1724 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1724 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2820 wrote to memory of 668 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 2820 wrote to memory of 668 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 2820 wrote to memory of 668 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 668 wrote to memory of 1724 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 668 wrote to memory of 1724 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 668 wrote to memory of 512 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\timeout.exe
PID 668 wrote to memory of 512 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\timeout.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 0

C:\log\cnvk\sbn.exe

"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\log\"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\log\cnvk\brokerf.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 update.microsoft.com udp
N/A 8.8.8.8:53 russk18.icu udp
N/A 8.8.8.8:53 russk19.icu udp
N/A 8.8.8.8:53 russk20.icu udp
N/A 8.8.8.8:53 russk21.icu udp
N/A 8.8.8.8:53 moscow13.at udp

Files

memory/668-114-0x0000000000790000-0x000000000083E000-memory.dmp

memory/3808-115-0x0000000000000000-mapping.dmp

C:\log\cnvk\ftoris.vbs

MD5 0bd7eb0367eea35fa03b8baf753e3dbf
SHA1 5d99d076b6094be05ab24b292fab8b51a81926b5
SHA256 b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d
SHA512 1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

C:\log\cnvk\yioi.bat

MD5 b9c02e786af554bf4e548d218cb59406
SHA1 1afcdfc05077c6fe8367e005532af76dbe890c63
SHA256 9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd
SHA512 6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

memory/560-118-0x0000000000000000-mapping.dmp

C:\log\cnvk\config.pfps

MD5 74938c40bb1e343a5f7fee8ce12636fd
SHA1 102a9af450b63e4e29fcb8221b783a6f0e657fc7
SHA256 48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f
SHA512 953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

memory/192-120-0x0000000000000000-mapping.dmp

memory/208-121-0x0000000000000000-mapping.dmp

C:\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

memory/2872-123-0x0000000000000000-mapping.dmp

C:\log\cnvk\oll.vbs

MD5 aad7b3fbdc2b543dd2cc773d89d8bc17
SHA1 4b680e56de180c6674f86f0e228eaf7801ef182e
SHA256 a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75
SHA512 9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

memory/1308-125-0x0000000000000000-mapping.dmp

memory/1192-126-0x0000000000000000-mapping.dmp

C:\log\cnvk\p541seed.bat

MD5 fb6bc7bd7f1d2813765c0dd42d96d62d
SHA1 c6d3306967de66dcbcd4340269a5c9ff62ede54f
SHA256 ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da
SHA512 572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

memory/1724-128-0x0000000000000000-mapping.dmp

memory/1592-129-0x0000000000000000-mapping.dmp

memory/1828-130-0x0000000000000000-mapping.dmp

memory/2228-131-0x0000000000000000-mapping.dmp

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/2820-134-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2820-135-0x00000000004015C6-mapping.dmp

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/528-137-0x0000000000000000-mapping.dmp

memory/2820-139-0x00000000021A0000-0x0000000002206000-memory.dmp

memory/2820-140-0x0000000000440000-0x00000000004EE000-memory.dmp

memory/2820-138-0x0000000000400000-0x0000000000435000-memory.dmp

memory/192-141-0x0000000000000000-mapping.dmp

memory/2840-142-0x0000000000000000-mapping.dmp

memory/512-143-0x0000000000000000-mapping.dmp

memory/668-144-0x0000000000000000-mapping.dmp

memory/2820-146-0x0000000002660000-0x000000000266C000-memory.dmp

memory/2820-145-0x0000000000910000-0x0000000000911000-memory.dmp

memory/668-147-0x0000000000810000-0x0000000000C4F000-memory.dmp

memory/668-148-0x0000000000490000-0x00000000005DD000-memory.dmp

memory/668-149-0x0000000002DA0000-0x0000000002ED6000-memory.dmp

memory/668-150-0x0000000002DA0000-0x0000000002ED6000-memory.dmp

memory/668-152-0x0000000004660000-0x0000000004661000-memory.dmp

C:\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

memory/1724-155-0x0000000003B50000-0x0000000003C9D000-memory.dmp

memory/668-156-0x0000000006090000-0x0000000006092000-memory.dmp