Analysis Overview
SHA256
003d956c79e94020bd1c15c118ed6533a76cc1932ed5c05dd303d3b7564739e3
Threat Level: Known bad
The file CFDI_826271.zip was found to be: Known bad.
Malicious Activity Summary
BetaBot
Modifies firewall policy service
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Sets file execution options in registry
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
Loads dropped DLL
Checks BIOS information in registry
Checks computer location settings
Adds Run key to start application
Drops desktop.ini file(s)
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Views/modifies file attributes
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Runs net.exe
Modifies Internet Explorer Protected Mode Banner
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
NTFS ADS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Delays execution with timeout.exe
Modifies Internet Explorer Protected Mode
Checks processor information in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-13 06:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-13 06:30
Reported
2022-07-13 06:33
Platform
win7-20220414-en
Max time kernel
160s
Max time network
177s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ug17ku7qs1.exe | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ug17ku7qs1.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "lhjwfuhstp.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\ug17ku7qs1.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 760 set thread context of 1820 | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe |
| PID 1028 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\nltest.exe | N/A |
| N/A | N/A | C:\Windows\system32\nltest.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\choice.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe
"C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
"Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
miktotik.exe /start
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
miktotik.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gozip.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gozip.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
"C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c net group "Domain Admins" /domain
C:\Windows\system32\net.exe
net group "Domain Admins" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "Domain Admins" /domain
C:\Windows\system32\cmd.exe
"cmd.exe" /c net group "domain computers" /domain
C:\Windows\system32\net.exe
net group "domain computers" /domain
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\system32\cmd.exe
"cmd.exe" /c nltest /domain_trusts /all_trusts
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
"cmd.exe" /c nltest /domain_trusts
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
"cmd.exe" /c net view /all
C:\Windows\system32\net.exe
net view /all
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe" && /C choice /C Y /N /D Y /T 3 & Del "shfolder.dll" && Del LAG1 && Del LAG2
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| US | 8.8.8.8:53 | russk19.icu | udp |
| US | 8.8.8.8:53 | russk20.icu | udp |
| US | 8.8.8.8:53 | russk21.icu | udp |
| US | 8.8.8.8:53 | russk21.icu | udp |
| RU | 62.204.41.171:80 | russk21.icu | tcp |
| RU | 62.204.41.171:80 | russk21.icu | tcp |
| US | 8.8.8.8:53 | russk21.icu | udp |
Files
memory/552-54-0x0000000075501000-0x0000000075503000-memory.dmp
memory/1260-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs
| MD5 | bf045999e4ca77b57de18d5ff25e1272 |
| SHA1 | e8dab3a106e479a53c4ea61443c2ff7873d17c67 |
| SHA256 | 89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17 |
| SHA512 | e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat
| MD5 | 814380ebb377d7ebca662c6ac563eec0 |
| SHA1 | 3487cf2382cd0bc87a677e637de1ae40ccfbc13b |
| SHA256 | b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136 |
| SHA512 | 41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66 |
memory/1264-59-0x0000000000000000-mapping.dmp
memory/2012-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.dat
| MD5 | b1aa11c4722efbcaaf5ebf5f17880d17 |
| SHA1 | b4b8578e13eb1a860524e827ac8bdd5d8ece604b |
| SHA256 | 2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27 |
| SHA512 | a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5 |
\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/880-66-0x0000000000000000-mapping.dmp
memory/556-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs
| MD5 | 8f5293bc4ace65a9f51ba97bddcd7eee |
| SHA1 | e11a5055530092c3a805d757110c4f8761976eef |
| SHA256 | a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4 |
| SHA512 | c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d |
memory/1792-72-0x0000000000000000-mapping.dmp
memory/272-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat
| MD5 | bf223a7df3a7feecfcb49a5d01d781d9 |
| SHA1 | d8b2b0f48887e63928576773efe1ab5776d7dfb0 |
| SHA256 | 494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e |
| SHA512 | e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2 |
memory/608-77-0x0000000000000000-mapping.dmp
memory/1504-79-0x0000000000000000-mapping.dmp
memory/576-81-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/760-86-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/608-89-0x0000000000250000-0x00000000002EB000-memory.dmp
memory/1820-93-0x0000000000400000-0x0000000000435000-memory.dmp
memory/760-92-0x0000000000400000-0x000000000049B000-memory.dmp
\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/608-90-0x0000000000250000-0x00000000002EB000-memory.dmp
memory/1820-96-0x00000000004015C6-mapping.dmp
memory/1820-95-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1820-100-0x0000000000400000-0x0000000000435000-memory.dmp
memory/760-99-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/1720-103-0x0000000000000000-mapping.dmp
memory/1820-104-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1820-106-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/856-108-0x0000000000000000-mapping.dmp
memory/2028-110-0x0000000000000000-mapping.dmp
memory/2004-112-0x0000000000000000-mapping.dmp
memory/1820-114-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1820-116-0x00000000003E0000-0x00000000003ED000-memory.dmp
memory/1820-115-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/1820-117-0x00000000020C0000-0x00000000020CC000-memory.dmp
memory/2024-118-0x0000000000000000-mapping.dmp
memory/2024-120-0x0000000073F81000-0x0000000073F83000-memory.dmp
memory/2024-121-0x0000000077110000-0x0000000077290000-memory.dmp
memory/2024-122-0x0000000000410000-0x0000000000566000-memory.dmp
memory/2024-123-0x0000000002210000-0x000000000221C000-memory.dmp
memory/1820-124-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/2024-125-0x0000000077110000-0x0000000077290000-memory.dmp
memory/2024-126-0x0000000000410000-0x0000000000566000-memory.dmp
memory/1208-127-0x00000000025A0000-0x00000000025A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/1028-132-0x0000000000400000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/1028-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ug17ku7qs1_1.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
C:\Users\Admin\AppData\Local\Temp\i1u7oaaai5sm9.exe
| MD5 | 60a1564d18f20769eb65478cc5bc56c0 |
| SHA1 | 15ba12509eb288ed4e47162714f86777d8819976 |
| SHA256 | deccabcc57c6a41b9e2e1f3f97b9425831304f69387299adf1405350d2f5d110 |
| SHA512 | e1e2228963e1f0f0b80b9c5deb47da740b6fec376ebb7ae8e23ce31c2cadc02d63959f6bf3c66c949498f66a1eb44def5a8e467cf82d6ac3855bfc9241ebfc71 |
memory/1884-135-0x0000000000000000-mapping.dmp
memory/1884-137-0x0000000000E30000-0x0000000000E38000-memory.dmp
memory/540-138-0x0000000000000000-mapping.dmp
memory/1936-139-0x0000000000000000-mapping.dmp
memory/1952-140-0x0000000000000000-mapping.dmp
memory/1392-141-0x0000000000000000-mapping.dmp
memory/1744-142-0x0000000000000000-mapping.dmp
memory/1972-143-0x0000000000000000-mapping.dmp
memory/1732-144-0x0000000000000000-mapping.dmp
memory/1568-145-0x0000000000000000-mapping.dmp
\??\PIPE\NETLOGON
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1600-147-0x0000000000000000-mapping.dmp
memory/1532-148-0x0000000000000000-mapping.dmp
memory/936-149-0x0000000000000000-mapping.dmp
memory/1360-150-0x0000000000000000-mapping.dmp
memory/1884-151-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
memory/1976-152-0x0000000000000000-mapping.dmp
memory/576-153-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-13 06:30
Reported
2022-07-13 06:32
Platform
win10v2004-20220414-en
Max time kernel
92s
Max time network
152s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agao3ew5akqy7k9.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bqbhvllvhp.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agao3ew5akqy7k9.exe | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\agao3ew5akqy7k9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\agao3ew5akqy7k9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3804 set thread context of 4176 | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe
"C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
"Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
miktotik.exe /start
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
miktotik.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gozip.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Gozip.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1540 -ip 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1060
Network
| Country | Destination | Domain | Proto |
| GB | 51.104.15.253:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| FR | 2.16.119.157:443 | tcp |
Files
memory/672-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs
| MD5 | bf045999e4ca77b57de18d5ff25e1272 |
| SHA1 | e8dab3a106e479a53c4ea61443c2ff7873d17c67 |
| SHA256 | 89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17 |
| SHA512 | e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat
| MD5 | 814380ebb377d7ebca662c6ac563eec0 |
| SHA1 | 3487cf2382cd0bc87a677e637de1ae40ccfbc13b |
| SHA256 | b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136 |
| SHA512 | 41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66 |
memory/2504-133-0x0000000000000000-mapping.dmp
memory/736-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.dat
| MD5 | b1aa11c4722efbcaaf5ebf5f17880d17 |
| SHA1 | b4b8578e13eb1a860524e827ac8bdd5d8ece604b |
| SHA256 | 2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27 |
| SHA512 | a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5 |
memory/2400-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/1972-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs
| MD5 | 8f5293bc4ace65a9f51ba97bddcd7eee |
| SHA1 | e11a5055530092c3a805d757110c4f8761976eef |
| SHA256 | a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4 |
| SHA512 | c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d |
memory/2568-140-0x0000000000000000-mapping.dmp
memory/1068-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat
| MD5 | bf223a7df3a7feecfcb49a5d01d781d9 |
| SHA1 | d8b2b0f48887e63928576773efe1ab5776d7dfb0 |
| SHA256 | 494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e |
| SHA512 | e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2 |
memory/4696-143-0x0000000000000000-mapping.dmp
memory/1060-144-0x0000000000000000-mapping.dmp
memory/3988-145-0x0000000000000000-mapping.dmp
memory/3804-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/4176-150-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3804-153-0x0000000000400000-0x000000000049B000-memory.dmp
memory/4176-154-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
| MD5 | 6ed0cca96fe69be3b775499509f0b029 |
| SHA1 | e1c57829dd8947cc09b8b4ffcaaad07939efbb2d |
| SHA256 | bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab |
| SHA512 | a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5 |
memory/4176-149-0x0000000000000000-mapping.dmp
memory/3960-155-0x0000000000000000-mapping.dmp
memory/4176-156-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4176-157-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4176-158-0x0000000002180000-0x00000000021E6000-memory.dmp
memory/4176-159-0x0000000002180000-0x00000000021E6000-memory.dmp
memory/1244-161-0x0000000000000000-mapping.dmp
memory/4180-162-0x0000000000000000-mapping.dmp
memory/4604-163-0x0000000000000000-mapping.dmp
memory/1540-164-0x0000000000000000-mapping.dmp
memory/4176-165-0x00000000005A0000-0x00000000005AD000-memory.dmp
memory/4176-166-0x0000000002690000-0x000000000269C000-memory.dmp
memory/4176-167-0x0000000002180000-0x00000000021E6000-memory.dmp
memory/1540-168-0x0000000000D00000-0x0000000001133000-memory.dmp
memory/1540-169-0x0000000000700000-0x0000000000856000-memory.dmp
C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
memory/2504-171-0x0000000002C20000-0x0000000002D76000-memory.dmp
memory/1540-172-0x0000000000700000-0x0000000000856000-memory.dmp