5dfa7816c521fa59c1e558ca48e39632257afa88b97b901160e2ff97ad63e681

Analysis

max time kernel
154s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beta.exe
Size

139.5MB
MD5

809ca215de4598350eaeddb5a94ebbba
SHA1

caccfadb6b96dc6155696f6309c3ea492078bb5c
SHA256

0f702f8ac538e810649808f0d9b6000e1aa4360849633c0ed76ec36e2cfc8332
SHA512

1521a30cf760277a24ed1446d29eb71af297582ac2d8b4546a322ec9690a8094963a194d7f2fdec65e2e59673c8f912557182e673af8d46cd29bd20989cdae36
SSDEEP

786432:f14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:f14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2980	beta.exe
2980	beta.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
4	ipinfo.io
6	ipinfo.io

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2800	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
940	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2400	tasklist.exe
1952	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2980	beta.exe
2980	beta.exe
832	beta.exe
1692	powershell.exe
2980	beta.exe
2980	beta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: SeShutdownPrivilege	2980	beta.exe
Token: SeShutdownPrivilege	2980	beta.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeShutdownPrivilege	2980	beta.exe
Token: SeShutdownPrivilege	2980	beta.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2660	2980	beta.exe	28
PID 2980 wrote to memory of 2660	2980	beta.exe	28
PID 2980 wrote to memory of 2660	2980	beta.exe	28
PID 2660 wrote to memory of 2400	2660	cmd.exe	30
PID 2660 wrote to memory of 2400	2660	cmd.exe	30
PID 2660 wrote to memory of 2400	2660	cmd.exe	30
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2688	2980	beta.exe	31
PID 2980 wrote to memory of 2600	2980	beta.exe	33
PID 2980 wrote to memory of 2600	2980	beta.exe	33
PID 2980 wrote to memory of 2600	2980	beta.exe	33
PID 2600 wrote to memory of 2656	2600	cmd.exe	35
PID 2600 wrote to memory of 2656	2600	cmd.exe	35
PID 2600 wrote to memory of 2656	2600	cmd.exe	35
PID 2980 wrote to memory of 456	2980	beta.exe	36
PID 2980 wrote to memory of 456	2980	beta.exe	36
PID 2980 wrote to memory of 456	2980	beta.exe	36
PID 2980 wrote to memory of 1964	2980	beta.exe	37
PID 2980 wrote to memory of 1964	2980	beta.exe	37
PID 2980 wrote to memory of 1964	2980	beta.exe	37
PID 2980 wrote to memory of 1656	2980	beta.exe	39
PID 2980 wrote to memory of 1656	2980	beta.exe	39
PID 2980 wrote to memory of 1656	2980	beta.exe	39
PID 2980 wrote to memory of 1656	2980	beta.exe	39
PID 2980 wrote to memory of 1656	2980	beta.exe	39

C:\Users\Admin\AppData\Local\Temp\beta.exe
"C:\Users\Admin\AppData\Local\Temp\beta.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1172,12297190215503712724,16299863361032233907,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2980 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=2980 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:456
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:1964
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:1960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:668
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1428 --field-trial-handle=1172,12297190215503712724,16299863361032233907,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
  2⤵
  PID:544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:880
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:312
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
  2⤵
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
  2⤵
  PID:1216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:2956
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:2476
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:1748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:940
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1576 --field-trial-handle=1172,12297190215503712724,16299863361032233907,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1232 --field-trial-handle=1172,12297190215503712724,16299863361032233907,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\53f57340-cb0d-491a-8716-9ec1c9d51fd9.tmp.node

Filesize
656KB

MD5
788a631f0fa606ca6b1332febad3cdce

SHA1
61283245cc3d46bd65e0965cfaf890eec4c1e944

SHA256
4f6924ce99fe122590302d42d9b818a09758c88a5e17e82afa0cf5de3485aefe

SHA512
b84d5355e7ef4e471c772a94c17d93efa2d62545bb8cf19cacf28f679083f1619acbb98a5f185ea50e5fa659020b583a2a4b23b671d0464c30f7770c73320421

Download Submit
\Users\Admin\AppData\Local\Temp\ae82b6d4-0a54-49b5-8507-0285c3d09531.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
memory/1692-156-0x000007FEF3400000-0x000007FEF3D9D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-158-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-153-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1692-154-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1692-155-0x000007FEF3400000-0x000007FEF3D9D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-166-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-157-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-165-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-159-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-162-0x000007FEF3400000-0x000007FEF3D9D000-memory.dmp

Filesize
9.6MB

Download
memory/1692-163-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1692-164-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2688-42-0x0000000077D10000-0x0000000077D11000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download