Analysis

  • max time kernel
    1736s
  • max time network
    1165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-de
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-de locale:de-de os:windows10-2004-x64 system windows
  • submitted
    20-05-2024 12:35

General

  • Target

    Beatware Internal v1.8.exe

  • Size

    7.4MB

  • MD5

    c3347bb80d40975abea0fb9392ff730c

  • SHA1

    551f40a65f2380e93fc0e5e466c052486b69674b

  • SHA256

    09056146a9fc630956948e30d8d9c58272a887fa0c4fc3e839cf21ab740f1a8e

  • SHA512

    038d7f67729b9674ce59088450d6ee7d4904e7ca843c9cb737b7fb539b5a8c9e97a9456f83e694010eba6a842ccd63f688ac281806cc279832030fec63d0aac2

  • SSDEEP

    98304:3vP93uKPFjSHD5Fy3+1ZILwKcATnBRHusa4m7BS3:3vP93uKdjSHtFLmwK1rB2

Score
7/10

Malware Config

Signatures

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe
    "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5
        3⤵
        PID:4400
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:4604
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:3980
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:3848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff64f646f8,0x7fff64f64708,0x7fff64f64718
        3⤵
        PID:4100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        3⤵
        PID:1436
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1332
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
        3⤵
        PID:2848
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        3⤵
        PID:4648
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
        3⤵
        PID:3304
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
        3⤵
        PID:1588
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:448
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4516
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:2556
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4748
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3588
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 4dc6fc5e708279a3310fe55d9c44743d
    SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
    SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
    SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c9c4c494f8fba32d95ba2125f00586a3
    SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
    SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
    SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6d3ef498-d32e-4b9f-9de7-efad20942e9d.tmp
    Filesize: 5KB
    MD5: cb1b3a9e09b36103765a491ec1d9fb39
    SHA1: d7e2d6f4a36df05a656953b8ace30675009ae586
    SHA256: d22fb33da39dc5eb388e7ca261d68c98e4dc81f5e34ae33e0d4eaacf58515a15
    SHA512: 6e8496c9db232251ef7cb02fa8f2acec0b505e55c74aae135c579bd207ef5a748f9a722ff86622704525d844fbd4c92fc12676b2b85889085baf257cfd626bd9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 397B
    MD5: 2decdc7aa2ceb52adc402e9cc1d2aeea
    SHA1: 749c25fbf45753378ccc721f83feef17b862daa1
    SHA256: 26913a7f84cf46417d06baa147cc69b8f5b7d18177e014abe3b97c995d7a222a
    SHA512: 7123e836e7fa42e5ca376a248e0614edda216a849e91f53a2011cfdc26cca1a1b83f6a82ed5cd1f0172b7478230987348b4387b0ff9e85466beb1e08020d6189

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: acfd1da3162731ac21b50012975d29b2
    SHA1: c4ef8a72d5ec3dce60ed00748d80bbe3cbe5f90e
    SHA256: 8c24533ee920d6687a3550d8ef4dd5ef37870b7b6fdcf2ed49d31749d3f8465c
    SHA512: f31229f2b5a48e1ab9dc59b06bd6ab7ab88cdc1ad26bb1c16abe8f25d3cd385048fb65d49bba80c5b2bba8f4d03a6d4a55d04abfa3068689f028cfe5caea52b1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: ac81582cd036cc7f450bb6d848f03b7f
    SHA1: a836d13afcd442817a0ef6c7b58102aaa0a5b05a
    SHA256: 45656956809e320259dac133042506e8125e2712f5757c565cc94af48f26d104
    SHA512: 257591b9acc33898413b1bbec112f3acb73905da8e06b13b153405d193c617139c0e4a368a5e5912fc754951b022e246d25c9ceade9d18bef7480258fcdf41dc

  • memory/3240-0-0x00007FF73D2B5000-0x00007FF73D61E000-memory.dmp
    Filesize: 3.4MB

  • memory/3240-2-0x00007FF73D220000-0x00007FF73DB9A000-memory.dmp
    Filesize: 9.5MB

  • memory/3240-1-0x00007FFF84150000-0x00007FFF84152000-memory.dmp
    Filesize: 8KB

  • memory/3240-120-0x00007FF73D2B5000-0x00007FF73D61E000-memory.dmp
    Filesize: 3.4MB

  • memory/3240-121-0x00007FF73D220000-0x00007FF73DB9A000-memory.dmp
    Filesize: 9.5MB