Analysis Overview
SHA256
4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7
Threat Level: Known bad
The file 4a833b842da4b80715e9b02dc862fc3fd5fcda28a0e559e982876d024262b7f7 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Executes dropped EXE
Sets file execution options in registry
Loads dropped DLL
Checks BIOS information in registry
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-12 13:01
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2022-07-12 13:01
Reported
2022-07-12 18:13
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
0s
Command Line
Signatures
Processes
./ioncube_loader_lin_5.4.so
[./ioncube_loader_lin_5.4.so]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-12 13:01
Reported
2022-07-12 18:15
Platform
win7-20220414-en
Max time kernel
44s
Max time network
48s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1600 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1
Network
Files
memory/908-54-0x0000000000000000-mapping.dmp
memory/908-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
memory/908-56-0x00000000001A1000-0x00000000001AB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-12 13:01
Reported
2022-07-12 18:16
Platform
win10v2004-20220414-en
Max time kernel
93s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 396 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 396 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 396 wrote to memory of 5080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CmdBar.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 20.50.201.200:443 | tcp | |
| NL | 67.26.111.254:80 | tcp | |
| NL | 67.26.111.254:80 | tcp | |
| NL | 67.26.111.254:80 | tcp |
Files
memory/5080-130-0x0000000000000000-mapping.dmp
memory/5080-131-0x0000000000720000-0x0000000000737000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-07-12 13:01
Reported
2022-07-12 18:16
Platform
win7-20220414-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\773souaea9m37u.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "sxq.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\betab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\betab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\773souaea9m37u.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Explorer.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Explorer.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\betab.exe
"C:\Users\Admin\AppData\Local\Temp\betab.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
| Country | Destination | Domain | Proto |
| NL | 142.250.179.142:80 | tcp | |
| NL | 142.250.179.142:80 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| RU | 80.87.198.206:43548 | tcp | |
| RU | 194.58.92.63:43548 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 20.109.209.108:80 | update.microsoft.com | tcp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| NL | 185.212.128.200:80 | tcp | |
| NL | 185.212.128.200:80 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| NL | 142.250.179.142:80 | tcp | |
| NL | 142.250.179.142:80 | tcp | |
| NL | 185.212.128.200:80 | tcp |
Files
memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
\Users\Admin\AppData\Roaming\2.exe
| MD5 | 5adfa47d7c60b040350f0030c73e4a8f |
| SHA1 | cd396b9c81718a20f34413f73082690051a708e3 |
| SHA256 | e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8 |
| SHA512 | ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a |
memory/1124-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 5adfa47d7c60b040350f0030c73e4a8f |
| SHA1 | cd396b9c81718a20f34413f73082690051a708e3 |
| SHA256 | e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8 |
| SHA512 | ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a |
memory/1320-59-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-60-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-62-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-63-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-64-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-65-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-66-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-67-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1320-69-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1124-70-0x0000000000400000-0x0000000000426000-memory.dmp
\Users\Admin\AppData\Roaming\1.exe
| MD5 | 9c94decb82adea9cf528ddb56ff5fef1 |
| SHA1 | d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb |
| SHA256 | 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e |
| SHA512 | 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c |
memory/948-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 9c94decb82adea9cf528ddb56ff5fef1 |
| SHA1 | d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb |
| SHA256 | 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e |
| SHA512 | 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c |
memory/948-76-0x0000000001B70000-0x0000000001BD6000-memory.dmp
memory/948-78-0x0000000000400000-0x0000000000443000-memory.dmp
memory/948-80-0x0000000001B70000-0x0000000001BD6000-memory.dmp
memory/948-81-0x00000000003C0000-0x00000000003CD000-memory.dmp
memory/1320-79-0x0000000002220000-0x0000000002235000-memory.dmp
memory/948-82-0x0000000002270000-0x000000000227C000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 5adfa47d7c60b040350f0030c73e4a8f |
| SHA1 | cd396b9c81718a20f34413f73082690051a708e3 |
| SHA256 | e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8 |
| SHA512 | ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a |
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 9c94decb82adea9cf528ddb56ff5fef1 |
| SHA1 | d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb |
| SHA256 | 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e |
| SHA512 | 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c |
memory/1096-85-0x0000000000000000-mapping.dmp
memory/1096-87-0x0000000073E91000-0x0000000073E93000-memory.dmp
memory/948-88-0x0000000000400000-0x0000000000435000-memory.dmp
memory/948-89-0x0000000001B70000-0x0000000001BD6000-memory.dmp
memory/1096-90-0x0000000076F10000-0x0000000077090000-memory.dmp
memory/1096-91-0x0000000000110000-0x00000000001B9000-memory.dmp
memory/1096-92-0x00000000008F0000-0x00000000008FC000-memory.dmp
memory/1320-93-0x0000000002210000-0x0000000002216000-memory.dmp
memory/1320-94-0x0000000002220000-0x0000000002235000-memory.dmp
memory/1096-95-0x0000000076F10000-0x0000000077090000-memory.dmp
memory/1096-96-0x0000000000110000-0x00000000001B9000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-07-12 13:01
Reported
2022-07-12 18:16
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
144s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\51g7s9suk35k.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "jzgyjwump.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\51g7s9suk35k.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Explorer.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\betab.exe
"C:\Users\Admin\AppData\Local\Temp\betab.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1064
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| RU | 80.87.198.206:43548 | tcp | |
| RU | 194.58.92.63:43548 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 20.44.10.122:443 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 93.184.220.29:80 | tcp | |
| FR | 2.22.147.96:80 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| NL | 8.248.7.254:80 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| NL | 8.248.7.254:80 | tcp | |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
Files
memory/4376-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 5adfa47d7c60b040350f0030c73e4a8f |
| SHA1 | cd396b9c81718a20f34413f73082690051a708e3 |
| SHA256 | e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8 |
| SHA512 | ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a |
memory/4376-132-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2576-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 9c94decb82adea9cf528ddb56ff5fef1 |
| SHA1 | d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb |
| SHA256 | 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e |
| SHA512 | 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c |
memory/2576-136-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3032-137-0x0000000001450000-0x0000000001465000-memory.dmp
memory/2576-138-0x00000000022F0000-0x0000000002356000-memory.dmp
memory/2576-139-0x00000000022F0000-0x0000000002356000-memory.dmp
memory/2576-141-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | 5adfa47d7c60b040350f0030c73e4a8f |
| SHA1 | cd396b9c81718a20f34413f73082690051a708e3 |
| SHA256 | e1014e6e143d5bd95b776777c730ec7c5ba67b82d9e60e78c28ff9eebb3ea2b8 |
| SHA512 | ffd7f515cd3670bd66ed096e77b9845d5e3566ff12755a1ab870dceff3d9d5081e518c5da72f6821727de2ead7d5df18246786968c9abb514a0699992e4a084a |
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | 9c94decb82adea9cf528ddb56ff5fef1 |
| SHA1 | d0d3dfb1ea87ea5a72a8e759e35c4bdaed4cfabb |
| SHA256 | 2a59aa5d2ed61d359908f7cf6c8b099104627869c778a61d92201f392e7aa85e |
| SHA512 | 3ab32bb2abb5b92e49cc322d29f0bdbc8de79aace3782bd30079455ffcc6f07ecd7c8d10522c0fce07dade813219886fdab7f8ff9e91685a2af42e22302e393c |
memory/2088-144-0x0000000000000000-mapping.dmp
memory/2576-145-0x00000000027F0000-0x00000000027FC000-memory.dmp
memory/2576-146-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2576-147-0x00000000022F0000-0x0000000002356000-memory.dmp
memory/2088-148-0x0000000000AE0000-0x0000000000F13000-memory.dmp
memory/2088-149-0x0000000001220000-0x00000000012C9000-memory.dmp
memory/2088-150-0x0000000001680000-0x000000000168D000-memory.dmp
memory/2088-151-0x0000000001220000-0x00000000012C9000-memory.dmp
memory/3032-152-0x0000000001450000-0x0000000001465000-memory.dmp