Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-07-2022 13:01
Static task: static1

Behavioral tasks:
Task        | Sample                    | Resource
behavioral1 | Plugins/CmdBar.dll        | win7-20220414-en
behavioral2 | Plugins/CmdBar.dll        | win10v2004-20220414-en
behavioral3 | betab.exe                 | win7-20220414-en
behavioral4 | betab.exe                 | win10v2004-20220414-en
behavioral5 | ioncube_loader_lin_5.4.so | ubuntu1804-amd64-en-20211208
General
- Target: betab.exe
- Size: 407KB
- MD5: 0837a200fd5a11fab728f51384eb8cce
- SHA1: 7133b6733d36d28aa19b9366689845b356f2b9fd
- SHA256: 2701eb12bc858772f0fbb29b7c18c4780afecba78e778f4363a78fc8b39feb48
- SHA512: 176903813e8b28327f671ee4429a3ab51899e446c63cc84d182cbb6ebe68a85b61e22a83696b9b01e5cb251e7fcaa58c296b237a965045832568eda9b727a86f
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Executes dropped EXE (2 IoCs)
Processes: 2.exe, 1.exe
pid | process
1124 | 2.exe
948 | 1.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes: 1.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe | 1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe\DisableExceptionChainValidation | 1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "sxq.exe" | explorer.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL (2 IoCs)
Processes: betab.exe
pid | process
1932 | betab.exe
1932 | betab.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: explorer.exe, Explorer.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe\"" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe" | explorer.exe
Checks whether UAC is enabled
Processes: 1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: 1.exe, explorer.exe
pid | process
948 | 1.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 1.exe, explorer.exe, Explorer.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Explorer.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Explorer.EXE
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: 2.exe, explorer.exe
pid | process
1124 | 2.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: 1.exe, explorer.exe
pid | process
948 | 1.exe
948 | 1.exe
1096 | explorer.exe
1096 | explorer.exe
1096 | explorer.exe
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: 2.exe, 1.exe, Explorer.EXE, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1124 | 2.exe
Token: SeDebugPrivilege | 948 | 1.exe
Token: SeRestorePrivilege | 948 | 1.exe
Token: SeBackupPrivilege | 948 | 1.exe
Token: SeLoadDriverPrivilege | 948 | 1.exe
Token: SeCreatePagefilePrivilege | 948 | 1.exe
Token: SeShutdownPrivilege | 948 | 1.exe
Token: SeTakeOwnershipPrivilege | 948 | 1.exe
Token: SeChangeNotifyPrivilege | 948 | 1.exe
Token: SeCreateTokenPrivilege | 948 | 1.exe
Token: SeMachineAccountPrivilege | 948 | 1.exe
Token: SeSecurityPrivilege | 948 | 1.exe
Token: SeAssignPrimaryTokenPrivilege | 948 | 1.exe
Token: SeCreateGlobalPrivilege | 948 | 1.exe
Token: 33 | 948 | 1.exe
Token: SeCreateGlobalPrivilege | 1320 | Explorer.EXE
Token: SeDebugPrivilege | 1096 | explorer.exe
Token: SeRestorePrivilege | 1096 | explorer.exe
Token: SeBackupPrivilege | 1096 | explorer.exe
Token: SeLoadDriverPrivilege | 1096 | explorer.exe
Token: SeCreatePagefilePrivilege | 1096 | explorer.exe
Token: SeShutdownPrivilege | 1096 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1096 | explorer.exe
Token: SeChangeNotifyPrivilege | 1096 | explorer.exe
Token: SeCreateTokenPrivilege | 1096 | explorer.exe
Token: SeMachineAccountPrivilege | 1096 | explorer.exe
Token: SeSecurityPrivilege | 1096 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1096 | explorer.exe
Token: SeCreateGlobalPrivilege | 1096 | explorer.exe
Token: 33 | 1096 | explorer.exe
Suspicious use of UnmapMainImage (2 IoCs)
Processes: 2.exe, 1.exe
pid | process
1124 | 2.exe
948 | 1.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: betab.exe, 2.exe, 1.exe, explorer.exe
description | pid | process | target process
PID 1932 wrote to memory of 1124 | 1932 | betab.exe | 2.exe
PID 1932 wrote to memory of 1124 | 1932 | betab.exe | 2.exe
PID 1932 wrote to memory of 1124 | 1932 | betab.exe | 2.exe
PID 1932 wrote to memory of 1124 | 1932 | betab.exe | 2.exe
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1124 wrote to memory of 1320 | 1124 | 2.exe | Explorer.EXE
PID 1932 wrote to memory of 948 | 1932 | betab.exe | 1.exe
PID 1932 wrote to memory of 948 | 1932 | betab.exe | 1.exe
PID 1932 wrote to memory of 948 | 1932 | betab.exe | 1.exe
PID 1932 wrote to memory of 948 | 1932 | betab.exe | 1.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 948 wrote to memory of 1096 | 948 | 1.exe | explorer.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1268 | 1096 | explorer.exe | Dwm.exe
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1320 | 1096 | explorer.exe | Explorer.EXE
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
PID 1096 wrote to memory of 1916 | 1096 | explorer.exe | DllHost.exe
Processes

(depth 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1320
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Users\Admin\AppData\Local\Temp\betab.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\betab.exe"
    PID: 1932
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Roaming\2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\2.exe"
      PID: 1124
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Roaming\1.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1.exe"
      PID: 948
      - Executes dropped EXE
      - Sets file execution options in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        PID: 1096
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

(depth 1) C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1268

(depth 1) C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1916
Downloads

- Filesize: 255KB
- MD5: 9c94decb82adea9cf528ddb56ff5fef1
- SHA1: d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
- SHA256: 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
- SHA512: 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c

- Filesize: 186KB
- MD5: 5adfa47d7c60b040350f0030c73e4a8f
- SHA1: cd396b9c81718a20f34413f73082690051a708e3
- SHA256: e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
- SHA512: ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a