Analysis
- max time kernel: 151s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-07-2022 13:01
Static task: static1
Behavioral task: behavioral1
- Sample: Plugins/CmdBar.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Plugins/CmdBar.dll
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: betab.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: betab.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral5
- Sample: ioncube_loader_lin_5.4.so
- Resource: ubuntu1804-amd64-en-20211208
General
- Target: betab.exe
- Size: 407KB
- MD5: 0837a200fd5a11fab728f51384eb8cce
- SHA1: 7133b6733d36d28aa19b9366689845b356f2b9fd
- SHA256: 2701eb12bc858772f0fbb29b7c18c4780afecba78e778f4363a78fc8b39feb48
- SHA512: 176903813e8b28327f671ee4429a3ab51899e446c63cc84d182cbb6ebe68a85b61e22a83696b9b01e5cb251e7fcaa58c296b237a965045832568eda9b727a86f
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
Executes dropped EXE (2 IoCs)
Processes:
- pid 4376, 2.exe
- pid 2576, 1.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe (1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe\DisableExceptionChainValidation (1.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "jzgyjwump.exe" (explorer.exe)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe\"" (explorer.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" (Explorer.EXE)
- Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (1.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes:
- pid 2576, 1.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes:
- pid 232, WerFault.exe; target pid 2088, explorer.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Explorer.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Explorer.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- pid 4376, 2.exe
- pid 4376, 2.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
- pid 2088, explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 3032, Explorer.EXE
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- pid 2576, 1.exe
- pid 2576, 1.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
- Token: SeDebugPrivilege (pid 4376, 2.exe)
- Token: SeDebugPrivilege (pid 2576, 1.exe)
- Token: SeRestorePrivilege (pid 2576, 1.exe)
- Token: SeBackupPrivilege (pid 2576, 1.exe)
- Token: SeLoadDriverPrivilege (pid 2576, 1.exe)
- Token: SeCreatePagefilePrivilege (pid 2576, 1.exe)
- Token: SeShutdownPrivilege (pid 2576, 1.exe)
- Token: SeTakeOwnershipPrivilege (pid 2576, 1.exe)
- Token: SeChangeNotifyPrivilege (pid 2576, 1.exe)
- Token: SeCreateTokenPrivilege (pid 2576, 1.exe)
- Token: SeMachineAccountPrivilege (pid 2576, 1.exe)
- Token: SeSecurityPrivilege (pid 2576, 1.exe)
- Token: SeAssignPrimaryTokenPrivilege (pid 2576, 1.exe)
- Token: SeCreateGlobalPrivilege (pid 2576, 1.exe)
- Token: 33 (pid 2576, 1.exe)
- Token: SeCreateGlobalPrivilege (pid 3032, Explorer.EXE)
- Token: SeDebugPrivilege (pid 2088, explorer.exe)
- Token: SeRestorePrivilege (pid 2088, explorer.exe)
- Token: SeBackupPrivilege (pid 2088, explorer.exe)
- Token: SeLoadDriverPrivilege (pid 2088, explorer.exe)
- Token: SeCreatePagefilePrivilege (pid 2088, explorer.exe)
- Token: SeShutdownPrivilege (pid 2088, explorer.exe)
- Token: SeTakeOwnershipPrivilege (pid 2088, explorer.exe)
- Token: SeChangeNotifyPrivilege (pid 2088, explorer.exe)
- Token: SeCreateTokenPrivilege (pid 2088, explorer.exe)
- Token: SeMachineAccountPrivilege (pid 2088, explorer.exe)
- Token: SeSecurityPrivilege (pid 2088, explorer.exe)
- Token: SeAssignPrimaryTokenPrivilege (pid 2088, explorer.exe)
- Token: SeCreateGlobalPrivilege (pid 2088, explorer.exe)
- Token: 33 (pid 2088, explorer.exe)
- Token: SeShutdownPrivilege (pid 3032, Explorer.EXE)
- Token: SeCreatePagefilePrivilege (pid 3032, Explorer.EXE)
- Token: SeShutdownPrivilege (pid 3032, Explorer.EXE)
- Token: SeCreatePagefilePrivilege (pid 3032, Explorer.EXE)
- Token: SeShutdownPrivilege (pid 3032, Explorer.EXE)
- Token: SeCreatePagefilePrivilege (pid 3032, Explorer.EXE)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 3032, Explorer.EXE
- pid 3032, Explorer.EXE
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
- PID 1348 wrote to memory of 4376 (betab.exe -> 2.exe)
- PID 1348 wrote to memory of 4376 (betab.exe -> 2.exe)
- PID 1348 wrote to memory of 4376 (betab.exe -> 2.exe)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 4376 wrote to memory of 3032 (2.exe -> Explorer.EXE)
- PID 1348 wrote to memory of 2576 (betab.exe -> 1.exe)
- PID 1348 wrote to memory of 2576 (betab.exe -> 1.exe)
- PID 1348 wrote to memory of 2576 (betab.exe -> 1.exe)
- PID 2576 wrote to memory of 2088 (1.exe -> explorer.exe)
- PID 2576 wrote to memory of 2088 (1.exe -> explorer.exe)
- PID 2576 wrote to memory of 2088 (1.exe -> explorer.exe)
Processes
C:\Windows\Explorer.EXE (PID 3032)
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  C:\Users\Admin\AppData\Local\Temp\betab.exe (PID 1348)
    Command line: "C:\Users\Admin\AppData\Local\Temp\betab.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\2.exe (PID 4376)
      Command line: "C:\Users\Admin\AppData\Roaming\2.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\1.exe (PID 2576)
      Command line: "C:\Users\Admin\AppData\Roaming\1.exe"
      - Executes dropped EXE
      - Sets file execution options in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (PID 2088)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Sets file execution options in registry
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe (PID 232)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1064
          - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 2988)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2088 -ip 2088
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 255KB
  MD5: 9c94decb82adea9cf528ddb56ff5fef1
  SHA1: d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb
  SHA256: 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e
  SHA512: 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c
- Filesize: 186KB
  MD5: 5adfa47d7c60b040350f0030c73e4a8f
  SHA1: cd396b9c81718a20f34413f73082690051a708e3
  SHA256: e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8
  SHA512: ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a