Analysis Overview
SHA256: a5122b7a02ae525036dbef78c6d6042a8c2cd4888a6451c2baca96a0a68ed259
Threat Level: Known bad
The file sample.js was found to be: Known bad.
Malicious Activity Summary
BetaBot
Modifies firewall policy service
Downloads MZ/PE file
Sets file execution options in registry
Blocklisted process makes network request
Sets file to hidden
Executes dropped EXE
Checks BIOS information in registry
Maps connected drives based on registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Kills process with taskkill
Enumerates system info in registry
NTFS ADS
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Runs ping.exe
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer Protected Mode
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-05-31 13:47
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2021-05-31 13:47
Reported: 2021-05-31 13:49
Platform: win10v20210410
Max time kernel: 149s
Max time network: 124s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat | N/A |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\portable.exe | N/A |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\7991i79wo.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2024 set thread context of 3568 | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | C:\5jhc441685fd778294a59039\updtcp\psh.exe |
| PID 2732 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Windows\system32\wscript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate data, omitted) | C:\Windows\system32\wscript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| N/A | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: 33 | N/A | C:\5jhc441685fd778294a59039\updtcp\psh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\video.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\win23.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 0
C:\Windows\SysWOW64\PING.EXE
ping edwtq ewqdztw d8twd7
C:\5jhc441685fd778294a59039\updtcp\portable.exe
"portable.exe" e -pIUASU7yyadsih8i32d8hadshias tcp.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\khg389214.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\wier.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\5jhc441685fd778294a59039"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\5jhc441685fd778294a59039\updtcp\psh.exe
psh.exe /start
C:\5jhc441685fd778294a59039\updtcp\psh.exe
psh.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im portable.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im portable.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\5jhc441685fd778294a59039\updtcp\psh.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe
"C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | licuadora1x.xyz | udp |
| N/A | 198.54.120.173:443 | licuadora1x.xyz | tcp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 172.217.20.110:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | russk16.icu | udp |
| N/A | 8.8.8.8:53 | russk17.icu | udp |
| N/A | 8.8.8.8:53 | russk17.icu | udp |
| N/A | 108.62.12.4:80 | russk17.icu | tcp |
| N/A | 8.8.8.8:53 | adentity.com.mx | udp |
| N/A | 206.189.227.255:80 | adentity.com.mx | tcp |
| N/A | 108.62.12.4:80 | russk17.icu | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
| MD5 | 6bb45c53fc7f643cb2c20a59801e9a9d |
| SHA1 | 7820e7a2ce24022683f15bc651d1d824ae738b7e |
| SHA256 | d0e95b938160932bf633ae1d6469ad9ace641d5a54fd567c1b9462bd62934f82 |
| SHA512 | 3f93cf01c93a5942b8df9faa8f7c44c3965d84f89f71c559698c0bf53162acc2e3a83b54e98b1cd77c5ff500f14b6e98bdc921b5dbd3ea135f7a99d1ca0a5d61 |
C:\5jhc441685fd778294a59039\updtcp\video.vbs
| MD5 | 87b123f86cda5a902af0f3c3673ebae0 |
| SHA1 | a93f593da9e18343eb7cbc4a8df8eefaae31e179 |
| SHA256 | a5c96e4fd40ef2ae88fe66fa38178020b69059a2765614e6aa671f46057ef5c0 |
| SHA512 | fe5e78bb66304e1b4ed13eafd3cb93816511941756ecfa613aaaeba7a0f468aad7e2dfece27f124b5db79a8afe1fb655ef2bd3d6bbd9eb4d42e457dd42775b2f |
C:\5jhc441685fd778294a59039\updtcp\win23.bat
| MD5 | e3e6e937b62671102f2d588c3b63dadd |
| SHA1 | 2059e852dd09a1f9dc22655c3a52ad29e4d9ce70 |
| SHA256 | 762f9ddb99827165175408a90ab56139ed9d8c88d8c9cfec4871ec286d3b6016 |
| SHA512 | cc52bb6ee086f2dac9c93d101c747731c3a5bed6b4ea3c9c27796ee135bca91c89a90f41b119f137049f09f6f459193c593d3ff48343dc35ba6dfb2ef2077f05 |
C:\5jhc441685fd778294a59039\updtcp\tcpport21
| MD5 | af02568d8919fc4cb567a40ae21d25ec |
| SHA1 | 7e98bdb23e6b44332afcfe5f3a099016b7dad279 |
| SHA256 | a5d15ee0959085dab12cd7dd12da181444cc063e4e3e20a7d17319105097c6fd |
| SHA512 | 933d7a29ff7166ee9514fd3548597739ca293eb9094097ec716b51949e5f3f733d379ed03175ce29f25424ad62d794ab8df1dd5625653d4fbd2b75a8b2caa920 |
C:\5jhc441685fd778294a59039\updtcp\portable.exe
| MD5 | af8f66afc7877cfa7fd23a532916ec96 |
| SHA1 | df0fb0fb8c1a77872d8de28416fff394f1a6aec1 |
| SHA256 | b0197158ca288dae24b2335515ebfa7a3ddf78dba0ff344118fbc1cfb8b75a68 |
| SHA512 | 508578541d239e029e6ae3faaf1ebea45292bdba6ad2262cda3dba78bd026c9d9273756f2459ae0118cac5b3690fd83935be692a48fda89539a553fe4786dcd0 |
C:\5jhc441685fd778294a59039\updtcp\khg389214.vbs
| MD5 | ec4694dbfd7699e4d15181d6c4fa1818 |
| SHA1 | 3d7424eac4f9d4c199e4a10bbb664d0794301b25 |
| SHA256 | 1e853f2a93fd8c4763b48339a0a8a154a553c5e0dad1d763d60085491986c806 |
| SHA512 | 049c2b3390770fd5777eaba9e78239fc5e8250cfcd8f1154b0244ba00412377e6c353c7b3b600b23196bf85cc525f67ecff7da7f42a031c3bf6138bc51518d56 |
C:\5jhc441685fd778294a59039\updtcp\wier.bat
| MD5 | d8cf8ebd43d707b8f7ac09dca3f69e89 |
| SHA1 | 8425069acebb996f4517cfc62fb65de3b9315b8c |
| SHA256 | c8c84a5c185cdfcecaafcee8e927fb8024d7e42a86f7b88437cf64f027a3fc7f |
| SHA512 | 4c4a6bbd6820ccc7ff49ca6feae3055a8357fb3747e0c116239f8cdeac1bdc679df6825c822e7be7ec286065fb21f2f33275ddbcb80bcc51a75c6f2752ba5798 |
C:\5jhc441685fd778294a59039\updtcp\psh.exe
| MD5 | b51fde142cb8410161f4c51ed213baa3 |
| SHA1 | 310b2e40b998157e36dc2b805d5580199bb2d467 |
| SHA256 | d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba |
| SHA512 | 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076 |
C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe
| MD5 | b51fde142cb8410161f4c51ed213baa3 |
| SHA1 | 310b2e40b998157e36dc2b805d5580199bb2d467 |
| SHA256 | d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba |
| SHA512 | 82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076 |
C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe
| MD5 | 2abb9a0fbbbc79ad7813fe461d6cf84d |
| SHA1 | 1c0f4652edc982c1f395410a150c4a86036b3868 |
| SHA256 | 4cbcbf9b7c7a1409be0f7829def9cbca6a703e6bde0400256ca0d038d0bf056a |
| SHA512 | ca5f6e295c702684a4d83d67ee75a0b372f2c7f77277f79cb58f331d5ccfec82bda0897455c136dfbb00f3bf5a30175d5b84607f55b50259b1833e69ffb56684 |
Analysis: behavioral1
Detonation Overview
Submitted: 2021-05-31 13:47
Reported: 2021-05-31 13:50
Platform: win7v20210408
Max time kernel: 107s
Max time network: 75s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x168
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | licuadora1x.xyz | udp |