Analysis

  • max time kernel
    1795s
  • max time network
    1804s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-de
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-delocale:de-deos:windows10-2004-x64systemwindows
  • submitted
    20-05-2024 13:52

General

  • Target

    Beatware Internal v1.8.exe

  • Size

    7.4MB

  • MD5

    c3347bb80d40975abea0fb9392ff730c

  • SHA1

    551f40a65f2380e93fc0e5e466c052486b69674b

  • SHA256

    09056146a9fc630956948e30d8d9c58272a887fa0c4fc3e839cf21ab740f1a8e

  • SHA512

    038d7f67729b9674ce59088450d6ee7d4904e7ca843c9cb737b7fb539b5a8c9e97a9456f83e694010eba6a842ccd63f688ac281806cc279832030fec63d0aac2

  • SSDEEP

    98304:3vP93uKPFjSHD5Fy3+1ZILwKcATnBRHusa4m7BS3:3vP93uKdjSHtFLmwK1rB2

Score
7/10

Malware Config

Signatures

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe
    "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:32
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5
          3⤵
            PID:4120
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            3⤵
              PID:3484
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              3⤵
                PID:2292
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:2952
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
                2⤵
                  PID:2592
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c cls
                  2⤵
                    PID:4548
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    2⤵
                      PID:1964
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c start cmd /C color b && title Error && echo check_section_integrity() failed, don't tamper with the program. && timeout /t 5
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1308
                      • C:\Windows\system32\cmd.exe
                        cmd /C color b
                        3⤵
                          PID:1152
                        • C:\Windows\system32\timeout.exe
                          timeout /t 5
                          3⤵
                          • Delays execution with timeout.exe
                          PID:4660
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=760 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1
                      1⤵
                        PID:1828
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5160 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:816
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5736 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1
                          1⤵
                            PID:4864
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5652 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1
                            1⤵
                              PID:4736
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=de --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5076 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                              1⤵
                                PID:2244
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=de --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5952 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                                1⤵
                                • Modifies registry class
                                PID:2924
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5192 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                                1⤵
                                  PID:3744
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=de --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5264 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                                  1⤵
                                    PID:4524
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5788 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
                                    1⤵
                                      PID:4712

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/3192-0-0x00007FF6035D5000-0x00007FF60393E000-memory.dmp

                                      Filesize

                                      3.4MB

                                    • memory/3192-1-0x00007FF991FB0000-0x00007FF991FB2000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/3192-6-0x00007FF603540000-0x00007FF603EBA000-memory.dmp

                                      Filesize

                                      9.5MB

                                    • memory/3192-7-0x00007FF6035D5000-0x00007FF60393E000-memory.dmp

                                      Filesize

                                      3.4MB

                                    • memory/3192-8-0x00007FF603540000-0x00007FF603EBA000-memory.dmp

                                      Filesize

                                      9.5MB