Analysis Overview
SHA256
cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451
Threat Level: Known bad
The file cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Sets file execution options in registry
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious behavior: RenamesItself
Modifies Internet Explorer Protected Mode Banner
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-01 18:58
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-01 18:58
Reported
2022-10-01 19:35
Platform
win10v2004-20220901-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "vzqhrgtrgm.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1y75uiq5.exe | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1y75uiq5.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\a1y75uiq5.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\a1y75uiq5.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5056 set thread context of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
"C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
"C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1120
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.225.205:443 | tcp | |
| US | 20.189.173.4:443 | tcp | |
| US | 8.253.183.120:80 | tcp | |
| US | 8.253.183.120:80 | tcp | |
| US | 8.253.183.120:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nseB86A.tmp\System.dll
| MD5 | 883eff06ac96966270731e4e22817e11 |
| SHA1 | 523c87c98236cbc04430e87ec19b977595092ac8 |
| SHA256 | 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82 |
| SHA512 | 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390 |
C:\Users\Admin\AppData\Local\Temp\rabblements.dll
| MD5 | e0291ba7745237498e06465b622cee9d |
| SHA1 | f1bac955e343ea7530f63197b7c29af40ae0388a |
| SHA256 | e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a |
| SHA512 | 87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6 |
memory/744-134-0x0000000000000000-mapping.dmp
memory/744-135-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5056-136-0x0000000074540000-0x0000000074566000-memory.dmp
memory/5056-138-0x0000000074540000-0x0000000074566000-memory.dmp
memory/744-139-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-140-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-141-0x0000000000900000-0x0000000000963000-memory.dmp
memory/744-143-0x0000000000400000-0x0000000000434000-memory.dmp
memory/744-145-0x0000000000460000-0x000000000046D000-memory.dmp
memory/744-144-0x0000000000900000-0x0000000000963000-memory.dmp
memory/744-146-0x00000000026A0000-0x00000000026AC000-memory.dmp
memory/4504-147-0x0000000000000000-mapping.dmp
memory/4504-148-0x0000000000480000-0x00000000008B3000-memory.dmp
memory/4504-149-0x00000000008F0000-0x000000000099A000-memory.dmp
memory/744-150-0x0000000000900000-0x0000000000963000-memory.dmp
memory/4504-151-0x00000000008F0000-0x000000000099A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-01 18:58
Reported
2022-10-01 19:35
Platform
win7-20220901-en
Max time kernel
146s
Max time network
50s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7meqsyyu7m75a.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "djmvq.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7meqsyyu7m75a.exe | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\7meqsyyu7m75a.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\7meqsyyu7m75a.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
"C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
"C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.microsoft.com | udp |
| US | 20.72.235.82:80 | update.microsoft.com | tcp |
| US | 8.8.8.8:53 | webdomains.ws | udp |
| US | 8.8.8.8:53 | webdomains.ws | udp |
| US | 64.70.19.203:80 | webdomains.ws | tcp |
Files
memory/1700-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi8BA.tmp\System.dll
| MD5 | 883eff06ac96966270731e4e22817e11 |
| SHA1 | 523c87c98236cbc04430e87ec19b977595092ac8 |
| SHA256 | 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82 |
| SHA512 | 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390 |
\Users\Admin\AppData\Local\Temp\rabblements.dll
| MD5 | e0291ba7745237498e06465b622cee9d |
| SHA1 | f1bac955e343ea7530f63197b7c29af40ae0388a |
| SHA256 | e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a |
| SHA512 | 87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6 |
memory/1728-57-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-58-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-59-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-60-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-61-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-63-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-64-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1700-65-0x0000000075250000-0x0000000075276000-memory.dmp
memory/1728-66-0x00000000004015C6-mapping.dmp
memory/1700-68-0x0000000075250000-0x0000000075276000-memory.dmp
memory/1728-69-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-71-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-72-0x0000000001C90000-0x0000000001CF3000-memory.dmp
memory/1728-74-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-75-0x0000000001C90000-0x0000000001CF3000-memory.dmp
memory/1728-76-0x00000000003E0000-0x00000000003ED000-memory.dmp
memory/1728-77-0x0000000002500000-0x000000000250C000-memory.dmp
memory/1548-78-0x0000000000000000-mapping.dmp
memory/1548-80-0x0000000075301000-0x0000000075303000-memory.dmp
memory/1728-81-0x0000000001C90000-0x0000000001CF3000-memory.dmp
memory/1548-82-0x0000000077DD0000-0x0000000077F50000-memory.dmp
memory/1548-84-0x00000000008B0000-0x00000000008BC000-memory.dmp
memory/1548-83-0x00000000000D0000-0x000000000017A000-memory.dmp
memory/1208-85-0x00000000025E0000-0x00000000025E6000-memory.dmp
memory/1548-86-0x0000000077DD0000-0x0000000077F50000-memory.dmp
memory/1548-87-0x00000000000D0000-0x000000000017A000-memory.dmp