Malware Analysis Report

2024-11-30 20:00

Sample ID 210520-y8e6rkez36
Target 2f0dcc11_by_Libranalysis
SHA256 b8d0da9ced6a8c38190e638895ad179d4f73ce78d1e7af59353babded269ae37
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8d0da9ced6a8c38190e638895ad179d4f73ce78d1e7af59353babded269ae37

Threat Level: Known bad

The file 2f0dcc11_by_Libranalysis was found to be: Known bad.

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

Modifies firewall policy service

BetaBot

Sets file to hidden

Downloads MZ/PE file

Executes dropped EXE

Sets file execution options in registry

Loads dropped DLL

Checks BIOS information in registry

Drops desktop.ini file(s)

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer Protected Mode

Delays execution with timeout.exe

Checks processor information in registry

NTFS ADS

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Enumerates system info in registry

Modifies Internet Explorer Protected Mode Banner

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-20 22:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-20 22:03

Reported

2021-05-20 22:05

Platform

win7v20210410

Max time kernel

150s

Max time network

149s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Downloads MZ/PE file

Sets file execution options in registry

persistence

Sets file to hidden

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\s75g5e1117oww.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\s75g5e1117oww.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\s75g5e1117oww.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\log\cnvk\brokerf.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 672 set thread context of 1440 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1712 set thread context of 0 N/A C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\log\cnvk\brokerf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\log\cnvk\brokerf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" C:\Windows\SysWOW64\explorer.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe:14EDFC78 C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe:14EDFC78 C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeRestorePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeBackupPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeShutdownPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeMachineAccountPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeSecurityPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: 33 N/A C:\log\cnvk\brokerf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 1200 wrote to memory of 1368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1368 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 1368 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1368 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1368 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1532 wrote to memory of 992 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 992 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 992 wrote to memory of 672 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 672 wrote to memory of 1440 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 992 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 992 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 992 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 992 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\log\cnvk\yioi.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 0

C:\log\cnvk\sbn.exe

"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\log\cnvk\p541seed.bat" "

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "34292233716930543511386088397416748714-543701515-345788923769361485412797549"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\log\"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\log\cnvk\brokerf.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe

/suac

C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe

"C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 windowsupdate.microsoft.com udp
N/A 52.185.71.28:80 windowsupdate.microsoft.com tcp
N/A 8.8.8.8:53 russk17.icu udp
N/A 8.8.8.8:53 russk17.icu udp
N/A 198.12.112.202:80 russk17.icu tcp
N/A 8.8.8.8:53 morningstarlincoln.co.uk udp
N/A 79.170.44.146:80 morningstarlincoln.co.uk tcp
N/A 8.8.8.8:53 russk17.icu udp
N/A 198.12.112.202:80 russk17.icu tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-20 22:03

Reported

2021-05-20 22:05

Platform

win10v20210408

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\log\cnvk\sbn.exe N/A
N/A N/A C:\log\cnvk\brokerf.exe N/A
N/A N/A C:\log\cnvk\brokerf.exe N/A

Sets file execution options in registry

persistence

Sets file to hidden

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9k3yk779591957.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\log\cnvk\brokerf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1688 set thread context of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\log\cnvk\brokerf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\log\cnvk\brokerf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\log\cnvk\brokerf.exe N/A
N/A N/A C:\log\cnvk\brokerf.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeRestorePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeBackupPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeLoadDriverPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeShutdownPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeMachineAccountPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeSecurityPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\log\cnvk\brokerf.exe N/A
Token: 33 N/A C:\log\cnvk\brokerf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 4660 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 4660 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe C:\Windows\SysWOW64\WScript.exe
PID 756 wrote to memory of 3224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 3224 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 3224 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 3224 wrote to memory of 3832 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\sbn.exe
PID 3224 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3224 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3224 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3224 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3224 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 488 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 488 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 488 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 488 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 488 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 488 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 488 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 488 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 488 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 488 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 488 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 488 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\log\cnvk\brokerf.exe
PID 1688 wrote to memory of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1688 wrote to memory of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1688 wrote to memory of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1688 wrote to memory of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 1688 wrote to memory of 1808 N/A C:\log\cnvk\brokerf.exe C:\log\cnvk\brokerf.exe
PID 488 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 488 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 488 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 488 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1808 wrote to memory of 3004 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3004 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3004 N/A C:\log\cnvk\brokerf.exe C:\Windows\SysWOW64\explorer.exe
PID 488 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 488 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 488 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3004 wrote to memory of 488 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 488 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 3056 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\timeout.exe
PID 3004 wrote to memory of 3056 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\timeout.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

"C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 0

C:\log\cnvk\sbn.exe

"sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar

C:\Windows\SysWOW64\timeout.exe

timeout 4

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\log\"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\log\cnvk\brokerf.exe

brokerf.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sbn.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\log\cnvk\brokerf.exe"

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 microsoft.com udp
N/A 8.8.8.8:53 update.microsoft.com udp
N/A 8.8.8.8:53 russk18.icu udp
N/A 8.8.8.8:53 russk19.icu udp
N/A 8.8.8.8:53 russk20.icu udp
N/A 8.8.8.8:53 russk21.icu udp
N/A 8.8.8.8:53 moscow13.at udp

Files

memory/4660-114-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/756-115-0x0000000000000000-mapping.dmp

C:\log\cnvk\ftoris.vbs

MD5 0bd7eb0367eea35fa03b8baf753e3dbf
SHA1 5d99d076b6094be05ab24b292fab8b51a81926b5
SHA256 b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d
SHA512 1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

C:\log\cnvk\yioi.bat

MD5 b9c02e786af554bf4e548d218cb59406
SHA1 1afcdfc05077c6fe8367e005532af76dbe890c63
SHA256 9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd
SHA512 6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

memory/3224-118-0x0000000000000000-mapping.dmp

C:\log\cnvk\config.pfps

MD5 74938c40bb1e343a5f7fee8ce12636fd
SHA1 102a9af450b63e4e29fcb8221b783a6f0e657fc7
SHA256 48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f
SHA512 953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

memory/3856-120-0x0000000000000000-mapping.dmp

memory/3832-121-0x0000000000000000-mapping.dmp

C:\log\cnvk\sbn.exe

MD5 7acbec84b096b08259d9bf7f358aab7e
SHA1 00b8e3575bb33447628a90826bdc4c6b2d7e7a19
SHA256 6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c
SHA512 2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

memory/3476-123-0x0000000000000000-mapping.dmp

C:\log\cnvk\oll.vbs

MD5 aad7b3fbdc2b543dd2cc773d89d8bc17
SHA1 4b680e56de180c6674f86f0e228eaf7801ef182e
SHA256 a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75
SHA512 9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

memory/640-125-0x0000000000000000-mapping.dmp

memory/648-126-0x0000000000000000-mapping.dmp

C:\log\cnvk\p541seed.bat

MD5 fb6bc7bd7f1d2813765c0dd42d96d62d
SHA1 c6d3306967de66dcbcd4340269a5c9ff62ede54f
SHA256 ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da
SHA512 572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

memory/488-128-0x0000000000000000-mapping.dmp

memory/1220-129-0x0000000000000000-mapping.dmp

memory/1380-130-0x0000000000000000-mapping.dmp

memory/1688-131-0x0000000000000000-mapping.dmp

C:\log\cnvk\brokerf.exe

MD5 1e7da6a53a16210ffaaf28feaa1a38ad
SHA1 a6559654ef5b0b5fb9b006ee7b411cf962177dba
SHA256 f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
SHA512 fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

memory/1808-134-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1808-135-0x00000000004015C6-mapping.dmp

memory/2012-137-0x0000000000000000-mapping.dmp

memory/1808-138-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2624-139-0x0000000000000000-mapping.dmp

memory/2812-140-0x0000000000000000-mapping.dmp

memory/3056-141-0x0000000000000000-mapping.dmp

memory/1808-142-0x0000000002160000-0x00000000021C6000-memory.dmp

memory/1808-143-0x0000000000440000-0x000000000058A000-memory.dmp

memory/1808-144-0x0000000002630000-0x0000000002631000-memory.dmp

memory/3004-146-0x0000000000000000-mapping.dmp

memory/1808-145-0x0000000002660000-0x000000000266C000-memory.dmp

memory/3004-147-0x0000000000100000-0x000000000053F000-memory.dmp

memory/3004-148-0x0000000002C00000-0x0000000002D4D000-memory.dmp

memory/3004-149-0x0000000002890000-0x000000000289D000-memory.dmp

memory/3004-151-0x0000000002E50000-0x0000000002F86000-memory.dmp

memory/1808-152-0x0000000002650000-0x0000000002651000-memory.dmp

memory/3004-153-0x0000000002E50000-0x0000000002F86000-memory.dmp

memory/488-155-0x0000000003610000-0x000000000375D000-memory.dmp

memory/3004-156-0x0000000002E50000-0x0000000002F86000-memory.dmp