Analysis Overview
SHA256
bb59999f614b16236e8d36f8a8d1174f8bb917a88d7d93e3eef60457e917f1a6
Threat Level: Known bad
The file JW388194 37737.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Executes dropped EXE
Sets file execution options in registry
Downloads MZ/PE file
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer Protected Mode Banner
NTFS ADS
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Modifies Internet Explorer Protected Mode
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-25 07:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-25 07:52
Reported
2021-11-25 07:57
Platform
win7-en-20211014
Max time kernel
301s
Max time network
300s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9s3s1k77c3k.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\9s3s1k77c3k.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9s3s1k77c3k.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 240 set thread context of 580 | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe |
| PID 928 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe
"C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe"
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
"C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe"
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
"C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe
"C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| SG | 104.215.148.63:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | russk18.icu | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| US | 8.8.8.8:53 | ggcsservices.com | udp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
Files
memory/468-55-0x00000000757A1000-0x00000000757A3000-memory.dmp
memory/468-56-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/240-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/580-62-0x0000000000400000-0x0000000000435000-memory.dmp
memory/580-63-0x0000000000400000-0x0000000000435000-memory.dmp
memory/580-64-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/580-67-0x0000000000400000-0x0000000000435000-memory.dmp
memory/580-68-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/580-72-0x0000000000240000-0x0000000000241000-memory.dmp
memory/580-74-0x0000000000500000-0x0000000000501000-memory.dmp
memory/580-73-0x0000000000250000-0x000000000025D000-memory.dmp
memory/580-71-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/580-70-0x0000000000400000-0x0000000000435000-memory.dmp
memory/580-75-0x0000000001D90000-0x0000000001D9C000-memory.dmp
memory/756-76-0x0000000000000000-mapping.dmp
memory/756-78-0x0000000074C51000-0x0000000074C53000-memory.dmp
memory/756-79-0x00000000774D0000-0x0000000077650000-memory.dmp
memory/756-80-0x0000000000150000-0x00000000002A1000-memory.dmp
memory/756-81-0x0000000000440000-0x000000000044C000-memory.dmp
memory/580-82-0x0000000001D80000-0x0000000001D81000-memory.dmp
memory/756-83-0x00000000008A0000-0x00000000008A2000-memory.dmp
\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/928-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\9s3s1k77c3k_1.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/1348-88-0x00000000025B0000-0x00000000025B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe
| MD5 | d79538d481522090c4d6ea18be680dc0 |
| SHA1 | 68e45dd6b03011dd6f9fc766764f7e5da0001836 |
| SHA256 | 43566095adf3e00feb284d35e0e2f5c086e5f92f6fb6302ac0a42edb1044afe1 |
| SHA512 | b3d9c52bc0ea2483c0a2d57badb47864693d9e4b843bfb069c54c699c033c25462ef5a916ea6e39158dd2d39375a0d67db9dabb9c44a043d8fed73cf7859188d |
memory/1480-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe
| MD5 | d79538d481522090c4d6ea18be680dc0 |
| SHA1 | 68e45dd6b03011dd6f9fc766764f7e5da0001836 |
| SHA256 | 43566095adf3e00feb284d35e0e2f5c086e5f92f6fb6302ac0a42edb1044afe1 |
| SHA512 | b3d9c52bc0ea2483c0a2d57badb47864693d9e4b843bfb069c54c699c033c25462ef5a916ea6e39158dd2d39375a0d67db9dabb9c44a043d8fed73cf7859188d |
C:\Users\Admin\AppData\Local\Temp\173kiokuck3s.exe
| MD5 | d79538d481522090c4d6ea18be680dc0 |
| SHA1 | 68e45dd6b03011dd6f9fc766764f7e5da0001836 |
| SHA256 | 43566095adf3e00feb284d35e0e2f5c086e5f92f6fb6302ac0a42edb1044afe1 |
| SHA512 | b3d9c52bc0ea2483c0a2d57badb47864693d9e4b843bfb069c54c699c033c25462ef5a916ea6e39158dd2d39375a0d67db9dabb9c44a043d8fed73cf7859188d |
memory/1480-93-0x0000000000E30000-0x0000000000E31000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\1ACF592E7018DA88DDC32B96D203A4BE\32\sqlite3.dll
| MD5 | 0a855f27a1e48991d14c593cb930d2b2 |
| SHA1 | 01935b77a59ab90be4af37bb4e8bc57fbdcf23a1 |
| SHA256 | 43d11ddfa64be9a2eeb94574f21fd45334e4598506f3d5ae1446c7a0add10300 |
| SHA512 | bfc680d50d043c438c0c4bc97f7830010bf302e9e81296c57b1a06e3e87a2000444e44fadec20ca2025260bf745629971bfca02ff59469085fc7eada7912e873 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-25 07:52
Reported
2021-11-25 07:57
Platform
win10-en-20211014
Max time kernel
301s
Max time network
289s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
Sets file execution options in registry
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\y7i1u75s1g1w9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\y7i1u75s1g1w9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\y7i1u75s1g1w9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe |
| PID 1192 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe
"C:\Users\Admin\AppData\Local\Temp\JW388194 37737.exe"
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
"C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe"
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
"C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe
"C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 52.185.71.28:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | russk18.icu | udp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| US | 8.8.8.8:53 | ggcsservices.com | udp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| US | 159.203.85.191:80 | ggcsservices.com | tcp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
| DE | 160.20.147.189:80 | russk19.icu | tcp |
Files
memory/1920-115-0x00000000007A0000-0x00000000008EA000-memory.dmp
memory/1272-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/1372-119-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1372-120-0x00000000004015C6-mapping.dmp
C:\Users\Admin\AppData\Roaming\QRIOCEWYOCOPPOURPQ OPU CP UEOQWPRUOP U\fat32.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/1372-122-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1372-123-0x0000000002130000-0x0000000002196000-memory.dmp
memory/1372-125-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1372-126-0x0000000002130000-0x0000000002196000-memory.dmp
memory/1372-128-0x0000000002630000-0x0000000002631000-memory.dmp
memory/1372-127-0x0000000000570000-0x000000000057D000-memory.dmp
memory/1372-129-0x0000000002660000-0x000000000266C000-memory.dmp
memory/296-130-0x0000000000000000-mapping.dmp
memory/296-131-0x0000000000E20000-0x000000000125F000-memory.dmp
memory/296-132-0x0000000000840000-0x0000000000991000-memory.dmp
memory/296-133-0x0000000000540000-0x0000000000563000-memory.dmp
memory/296-134-0x0000000000540000-0x0000000000563000-memory.dmp
memory/1372-135-0x0000000002650000-0x0000000002651000-memory.dmp
memory/296-136-0x0000000000DF0000-0x0000000000DF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/1192-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\y7i1u75s1g1w9_1.exe
| MD5 | 6b0fdb749ab5508a83e91fe5eac6331d |
| SHA1 | 2bb3d5cd4a224445e8d8268efbc7165d06ed3cbb |
| SHA256 | 2c0bf71f46ed0b1b6ce31c54f35d4b7d04422a7a12333f2b7d87dcece4ae03d1 |
| SHA512 | 2d1e30d156f22d1986226ac9df21de04f2dac4883499f68661d5d9f0029b651cd097ea44b9d3d8f002e07b9993378082dd0599c22ea9fc3802668f31446f2278 |
memory/2752-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe
| MD5 | d79538d481522090c4d6ea18be680dc0 |
| SHA1 | 68e45dd6b03011dd6f9fc766764f7e5da0001836 |
| SHA256 | 43566095adf3e00feb284d35e0e2f5c086e5f92f6fb6302ac0a42edb1044afe1 |
| SHA512 | b3d9c52bc0ea2483c0a2d57badb47864693d9e4b843bfb069c54c699c033c25462ef5a916ea6e39158dd2d39375a0d67db9dabb9c44a043d8fed73cf7859188d |
C:\Users\Admin\AppData\Local\Temp\m3swie9355u37.exe
| MD5 | d79538d481522090c4d6ea18be680dc0 |
| SHA1 | 68e45dd6b03011dd6f9fc766764f7e5da0001836 |
| SHA256 | 43566095adf3e00feb284d35e0e2f5c086e5f92f6fb6302ac0a42edb1044afe1 |
| SHA512 | b3d9c52bc0ea2483c0a2d57badb47864693d9e4b843bfb069c54c699c033c25462ef5a916ea6e39158dd2d39375a0d67db9dabb9c44a043d8fed73cf7859188d |
memory/2752-143-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\1ACF592E7018DA88DDC32B96D203A4BE\32\sqlite3.dll
| MD5 | 0a855f27a1e48991d14c593cb930d2b2 |
| SHA1 | 01935b77a59ab90be4af37bb4e8bc57fbdcf23a1 |
| SHA256 | 43d11ddfa64be9a2eeb94574f21fd45334e4598506f3d5ae1446c7a0add10300 |
| SHA512 | bfc680d50d043c438c0c4bc97f7830010bf302e9e81296c57b1a06e3e87a2000444e44fadec20ca2025260bf745629971bfca02ff59469085fc7eada7912e873 |