36ea391cec988df62698d3099f31387b4df5502c64b54d78e3164ff2455c51c2

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Betacraft/Betacraft.exe
Size

10.0MB
MD5

37521dbf26b4ef6e592d36eedd5cc070
SHA1

5f5410cb9940cdb6e536a7183275a403d3a7416e
SHA256

71c66559e00822440a29ebe5509bceb71c005cdc482af327c461c6b18fb79b77
SHA512

43a3902e7a62b4d40093e7f9a7ae9b1884ee5528df4636713ed66ccd2d8e27068c47be5ed46953b8f1cfd8709f525c757179a80fd22ca18997a4e4238b8a44e7
SSDEEP

196608:CkHWUv4Kw3IDvnSiKFuSoVVBPUeFlEav+LDUI:5WUQ4jnSiKFuBBPUmlEav+XUI

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2364	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
78	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	checkip.amazonaws.com

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2680	Betacraft.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	Betacraft.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	Betacraft.exe
2680	Betacraft.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4620	2680	Betacraft.exe	97
PID 2680 wrote to memory of 4620	2680	Betacraft.exe	97
PID 4620 wrote to memory of 1840	4620	cmd.exe	99
PID 4620 wrote to memory of 1840	4620	cmd.exe	99
PID 1840 wrote to memory of 2364	1840	javaw.exe	104
PID 1840 wrote to memory of 2364	1840	javaw.exe	104

C:\Users\Admin\AppData\Local\Temp\Betacraft\Betacraft.exe
"C:\Users\Admin\AppData\Local\Temp\Betacraft\Betacraft.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -version 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -version
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4016 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ff7e723ac5684c71c8ddac27068f0423

SHA1
bc4dacd9c0038f4ba4097bfe9d9bc00623e60eba

SHA256
894e78ead99405b5a45b2b475e39b6d707c535be8f9768ade17a25e63ac6942b

SHA512
bb141b90c4ec5b0ed48710973ce22417878503c619e7d5e233a92341b5f720daea199b4ba20452dc74efecd2154a0630b25323ea4e7d2422d5e68510637e4b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\accounts.json

Filesize
35B

MD5
3d3e0082d0868a787ae22a11465d7090

SHA1
edbe4d5cc3e1871051be5280e4c550e20e6904ce

SHA256
91e51d7b6069e603fd5800c79c24de66ed13fa37458011e53e1a1f52d61e9075

SHA512
8ac596ceb71c5ec3aaa8aa8819c7a21b3d07e310ff5a99fb940a2dd5ff64db5b08ec1e26cfb5be1bb43a1de52187f129998edef4459e002244c986125276c388

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\instances\c\bc_instance.json

Filesize
308B

MD5
5e5888469f27da89c013d480fd8f6bac

SHA1
e8ea2cdbec5477f395a55406ff4a1b3b029267a8

SHA256
87d77db53b5101bfb73b2d49db5cd765e1beec77a17598e2d3becbe99a423495

SHA512
9fd3dae5ac07087da5374326d1ef44a7d10b60bcabe786351f81a8ff3afac6d614e2b2bff703b319dfeb3cefab30a33b42d38e83b10d0d26f30c73aa8bfbf41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\java_repo.json

Filesize
4KB

MD5
f41611e8d9ef1f673819f98bef4d9cec

SHA1
058475f0d75d45fe8e3beb0797e3b99d16e63a1b

SHA256
def0499b833b9d0571b5571f7041a8fe99e1496c60622087b268b7a0ed599cd9

SHA512
5f95a716625179be46bfbb82edc9484877fbb211f155d89bbd96a848a3b37266153bb573ba2e072132542181df2bc4b1e28d029e39002bd4073ba97c162a6aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\lang\English.json

Filesize
4KB

MD5
d6f17ddadb39ad6e3ef85a15a7901131

SHA1
7cb08d60111fc909d7abd81d03c19893984cf51e

SHA256
513a05f2b72f43374d1179d471a70ad3d63cc1ceeadf20a25d87f984caece5da

SHA512
939760deeb4de741c7da6b0292e0db00ea9a52fff712b123c0c7b234e0bfb81a1a824e7b9af59c428a5172dad6ec7cfa3a04f51bf001bea77a90548bb1e0782d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\settings.json

Filesize
437B

MD5
5ed107d09cbd42ec5546fac453862d99

SHA1
ba317d6ff87922c0a9c3816d38f8bac340abd6dc

SHA256
04fc8a719ea629ca9d26746cb9156ad5c252ebfff2011e56b445e351098cd31b

SHA512
f6562eb75fca3bd6ae1dcfbfb092aac280b47168df34663500d0a56d549b9a424f933b8c38dfc3862fc72bf188529c4c6ad6768a8c07fae4747d97eb8e8ebb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\settings.json

Filesize
529B

MD5
dff4efe1e845beed7b0f4422f33adbb4

SHA1
99687c37931802ed903616923e92cd39371a82a9

SHA256
2e2e0fbf3601224f98be11ddea228b1b1916416ce2ef78721cd564058ab34f2c

SHA512
c6413204b3b09b9cd6eb83f2dfcef935bdaa8163fccc43ffbdf62ffac4d7ba431b84bc97da9e09ffc2043637d60a125fe69fabb3a20b60cfae66103e62906a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Betacraft\betacraft\settings.json

Filesize
342B

MD5
98caeebd087c5d13bac18b8bffb44eae

SHA1
d613307244036c94646374b30881a20f5067ce82

SHA256
bb13312ea5e7d0c65bbbba5772b34b8662b93a39518cb53b288a12564ca8370d

SHA512
498fa817cdc936c75d23c8a948bd0643f9fe3e42d5f6c7c0c06c75831772cd9749fc8e9270f809e3aede649c18abf575cef1e8405070afc7a07474eea184b33b

Download Submit
memory/1840-62-0x0000020CA6A50000-0x0000020CA7A50000-memory.dmp

Filesize
16.0MB

Download
memory/1840-74-0x0000020CA5230000-0x0000020CA5231000-memory.dmp

Filesize
4KB

Download
memory/2680-109-0x00007FFEAA3C0000-0x00007FFEAAA1C000-memory.dmp

Filesize
6.4MB

Download
memory/2680-53-0x00007FFEBD090000-0x00007FFEBD0AA000-memory.dmp

Filesize
104KB

Download
memory/2680-59-0x00007FFEBCCC0000-0x00007FFEBCCD5000-memory.dmp

Filesize
84KB

Download
memory/2680-61-0x00007FFEB35B0000-0x00007FFEB362C000-memory.dmp

Filesize
496KB

Download
memory/2680-58-0x00007FFEAA2B0000-0x00007FFEAA3B7000-memory.dmp

Filesize
1.0MB

Download
memory/2680-57-0x00007FFEAA3C0000-0x00007FFEAAA1C000-memory.dmp

Filesize
6.4MB

Download
memory/2680-56-0x00007FFEABFF0000-0x00007FFEAC1D4000-memory.dmp

Filesize
1.9MB

Download
memory/2680-55-0x0000000064940000-0x0000000064956000-memory.dmp

Filesize
88KB

Download
memory/2680-78-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-54-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-0-0x000001A1F0EE0000-0x000001A1F0EF0000-memory.dmp

Filesize
64KB

Download
memory/2680-116-0x00007FF6495C0000-0x00007FF64E98C000-memory.dmp

Filesize
83.8MB

Download
memory/2680-121-0x00007FFEAB6E0000-0x00007FFEABD1F000-memory.dmp

Filesize
6.2MB

Download
memory/2680-123-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-126-0x00007FFEAA3C0000-0x00007FFEAAA1C000-memory.dmp

Filesize
6.4MB

Download
memory/2680-60-0x00007FFEBCCA0000-0x00007FFEBCCB6000-memory.dmp

Filesize
88KB

Download
memory/2680-199-0x00007FF6495C0000-0x00007FF64E98C000-memory.dmp

Filesize
83.8MB

Download
memory/2680-207-0x00007FFEAB6E0000-0x00007FFEABD1F000-memory.dmp

Filesize
6.2MB

Download
memory/2680-209-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-212-0x00007FFEAA3C0000-0x00007FFEAAA1C000-memory.dmp

Filesize
6.4MB

Download
memory/2680-218-0x00007FFEAB6E0000-0x00007FFEABD1F000-memory.dmp

Filesize
6.2MB

Download
memory/2680-220-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-221-0x0000000064940000-0x0000000064956000-memory.dmp

Filesize
88KB

Download
memory/2680-223-0x00007FFEAA3C0000-0x00007FFEAAA1C000-memory.dmp

Filesize
6.4MB

Download
memory/2680-224-0x00007FFEAA2B0000-0x00007FFEAA3B7000-memory.dmp

Filesize
1.0MB

Download
memory/2680-232-0x00007FFEAB6E0000-0x00007FFEABD1F000-memory.dmp

Filesize
6.2MB

Download
memory/2680-234-0x00007FFEAAD80000-0x00007FFEAB6E0000-memory.dmp

Filesize
9.4MB

Download
memory/2680-52-0x00007FFEAB6E0000-0x00007FFEABD1F000-memory.dmp

Filesize
6.2MB

Download
memory/2680-50-0x00007FF6495C0000-0x00007FF64E98C000-memory.dmp

Filesize
83.8MB

Download
memory/2680-2-0x00007FFEBCCA0000-0x00007FFEBCCB6000-memory.dmp

Filesize
88KB

Download
memory/2680-1-0x00007FFEBCCC0000-0x00007FFEBCCD5000-memory.dmp

Filesize
84KB

Download