585c1ffefbcbbae5811c68424e54d24147ce28138c0740dae5e86ce66aec1686

General

Target

BetternetForWindows.exe
Size

621KB
MD5

8c192cfbfe08e5c362dddafd8e0e9c13
SHA1

8faf6cd8c02271d86ed86b3defa2c9aaa3a4ba3c
SHA256

585c1ffefbcbbae5811c68424e54d24147ce28138c0740dae5e86ce66aec1686
SHA512

b3a330a0af8970e062700bdab30f12547fcf6e44eebc7e7f5cbd0c4966eba0aa4865d390b81bf2899c4a6deeedf80f19465c922f1b3df1228bec2f0c8699c9f8
SSDEEP

6144:3Ya6thzb4aJJgrokyfmVwA8WALhg5TAvKuc79Nnu83aPTUA+C5+YR/ZXo8Vgy93V:3YD5bVJJgrjyi8fAUSuKVKPh+EBZX1Am

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1444	Betternet.WebInstaller.exe

Loads dropped DLL 1 IoCs

pid	Process
944	BetternetForWindows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Betternet.WebInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Betternet.WebInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Betternet.WebInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Betternet.WebInstaller.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	dw20.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1444	944	BetternetForWindows.exe	28
PID 944 wrote to memory of 1444	944	BetternetForWindows.exe	28
PID 944 wrote to memory of 1444	944	BetternetForWindows.exe	28
PID 944 wrote to memory of 1444	944	BetternetForWindows.exe	28
PID 1444 wrote to memory of 1812	1444	Betternet.WebInstaller.exe	30
PID 1444 wrote to memory of 1812	1444	Betternet.WebInstaller.exe	30
PID 1444 wrote to memory of 1812	1444	Betternet.WebInstaller.exe	30

C:\Users\Admin\AppData\Local\Temp\BetternetForWindows.exe
"C:\Users\Admin\AppData\Local\Temp\BetternetForWindows.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1612
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe

Filesize
354KB

MD5
f8f4bf622cf28ea87802404696a496b3

SHA1
d9866362c0c8413fe9ba3a7adf985805b95cd7a1

SHA256
712a0c6456f831ed47be38e52e31d0536992611e41dbd7c9b9fc87f08ee89c72

SHA512
8f8c30f8a6ec4011ce1219ee008fc42cbed726864a82d8922f4b571f828b7803fe095a5a47b48126b76833609cdb9685d84d20273b8d197d56678f051d2e4074

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe

Filesize
354KB

MD5
f8f4bf622cf28ea87802404696a496b3

SHA1
d9866362c0c8413fe9ba3a7adf985805b95cd7a1

SHA256
712a0c6456f831ed47be38e52e31d0536992611e41dbd7c9b9fc87f08ee89c72

SHA512
8f8c30f8a6ec4011ce1219ee008fc42cbed726864a82d8922f4b571f828b7803fe095a5a47b48126b76833609cdb9685d84d20273b8d197d56678f051d2e4074

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe.config

Filesize
332B

MD5
b5216c3af56142ca8618d4c9b72fba6e

SHA1
f91430650ffe1e0f11f0695617d80d30956d2067

SHA256
5f0d941557aebc77e55d0b0af4d0b17e11f3bdee6df5b60651061e027f90d76d

SHA512
af6de69853d42f06ebeee6185ead238f7ade4cbd026ac166d4fc313d97e1eb83c1b215010fc12abefc871c237d50abe4bea241477850b8705a187ec146308743

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Newtonsoft.Json.dll

Filesize
493KB

MD5
1390b082700afc53a7aa320f3259325e

SHA1
8f72572ad084ef145fd3286930af6b70ba622384

SHA256
7beb6a951b92af14322a382cf105fff8d0dc63518b33556b98e09daca0cb6d07

SHA512
ace3b9548bb8d29805673ac4611a141e4c026c5d09a63bd399f904d28ea274f9e0ff682b99adce25a66ccdd7e3f03e0a45ca9ae0a67e88d9d1c83cb34180b8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Vpn.WebInstaller.Common.dll

Filesize
192KB

MD5
1d9d6a640d31a1807bea270d0a39c141

SHA1
8e3ae3a3da1a337696133908a57fb5df2e6a0e13

SHA256
ecd52311dfdb1c95cbabb93d672875ac842c7c58b64985c31c3d0a69c38c807e

SHA512
7e9d12acf3aec2af7d5e9cee60ff0f0938766e9bc18fa5375876e11f582f61036de5c51e79e8dc9b5f1456180951774081d76473682ef7877a9f282c548dcf4c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy12C.tmp\Betternet.WebInstaller.exe

Filesize
354KB

MD5
f8f4bf622cf28ea87802404696a496b3

SHA1
d9866362c0c8413fe9ba3a7adf985805b95cd7a1

SHA256
712a0c6456f831ed47be38e52e31d0536992611e41dbd7c9b9fc87f08ee89c72

SHA512
8f8c30f8a6ec4011ce1219ee008fc42cbed726864a82d8922f4b571f828b7803fe095a5a47b48126b76833609cdb9685d84d20273b8d197d56678f051d2e4074

Download Submit
memory/944-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1444-60-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1444-62-0x000007FEF2970000-0x000007FEF393A000-memory.dmp

Filesize
15.8MB

Download
memory/1444-63-0x000007FEED8B0000-0x000007FEEEB03000-memory.dmp

Filesize
18.3MB

Download
memory/1444-66-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download
memory/1444-69-0x0000000000B36000-0x0000000000B55000-memory.dmp

Filesize
124KB

Download
memory/1812-68-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing