Analysis
max time kernel: 1795s
max time network: 1804s
platform: windows10-2004_x64
resource: win10v2004-20240226-de
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-de, locale:de-de, os:windows10-2004-x64, system:windows
submitted: 20-05-2024 13:52

Behavioral task: behavioral1
Sample: Beatware Internal v1.8.exe
Resource: win10v2004-20240226-de
8 signatures
1800 seconds
General
Target: Beatware Internal v1.8.exe
Size: 7.4MB
MD5: c3347bb80d40975abea0fb9392ff730c
SHA1: 551f40a65f2380e93fc0e5e466c052486b69674b
SHA256: 09056146a9fc630956948e30d8d9c58272a887fa0c4fc3e839cf21ab740f1a8e
SHA512: 038d7f67729b9674ce59088450d6ee7d4904e7ca843c9cb737b7fb539b5a8c9e97a9456f83e694010eba6a842ccd63f688ac281806cc279832030fec63d0aac2
SSDEEP: 98304:3vP93uKPFjSHD5Fy3+1ZILwKcATnBRHusa4m7BS3:3vP93uKdjSHtFLmwK1rB2
Score: 7/10
Malware Config

Signatures

resource | yara_rule
behavioral1/memory/3192-6-0x00007FF603540000-0x00007FF603EBA000-memory.dmp | vmprotect
behavioral1/memory/3192-8-0x00007FF603540000-0x00007FF603EBA000-memory.dmp | vmprotect

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
flow | ioc
53 | discord.com
54 | discord.com
55 | discord.com
59 | discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid | Process
3192 | Beatware Internal v1.8.exe (the same entry is recorded 64 times)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
pid | Process
4660 | timeout.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{72633604-4B8D-4E0B-AFAE-F34A1ED93294} | msedge.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3192 | Beatware Internal v1.8.exe
3192 | Beatware Internal v1.8.exe

Suspicious use of WriteProcessMemory (24 IoCs; each of the 12 entries below is recorded twice)
description | pid | Process | procid_target
PID 3192 wrote to memory of 32 | 3192 | Beatware Internal v1.8.exe | 87
PID 3192 wrote to memory of 4160 | 3192 | Beatware Internal v1.8.exe | 88
PID 4160 wrote to memory of 4120 | 4160 | cmd.exe | 89
PID 4160 wrote to memory of 3484 | 4160 | cmd.exe | 90
PID 4160 wrote to memory of 2292 | 4160 | cmd.exe | 91
PID 3192 wrote to memory of 2952 | 3192 | Beatware Internal v1.8.exe | 92
PID 3192 wrote to memory of 2592 | 3192 | Beatware Internal v1.8.exe | 93
PID 3192 wrote to memory of 4548 | 3192 | Beatware Internal v1.8.exe | 94
PID 3192 wrote to memory of 1964 | 3192 | Beatware Internal v1.8.exe | 98
PID 3192 wrote to memory of 1308 | 3192 | Beatware Internal v1.8.exe | 124
PID 1308 wrote to memory of 1152 | 1308 | cmd.exe | 125
PID 1308 wrote to memory of 4660 | 1308 | cmd.exe | 126
Processes
(indentation shows parent/child depth in the process tree; matched signatures are listed under each process)

C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe (PID 3192)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 32)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 4160)
        cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe (PID 4120)
            cmdline: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5

        C:\Windows\system32\find.exe (PID 3484)
            cmdline: find /i /v "md5"

        C:\Windows\system32\find.exe (PID 2292)
            cmdline: find /i /v "certutil"

    C:\Windows\system32\cmd.exe (PID 2952)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord

    C:\Windows\system32\cmd.exe (PID 4548)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 1964)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 1308)
        cmdline: C:\Windows\system32\cmd.exe /c start cmd /C color b && title Error && echo check_section_integrity() failed, don't tamper with the program. && timeout /t 5
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe (PID 1152)
            cmdline: cmd /C color b

        C:\Windows\system32\timeout.exe (PID 4660)
            cmdline: timeout /t 5
            - Delays execution with timeout.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1828)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=760 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 816)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5160 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4864)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5736 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=de --js-flags=--ms-user-locale=de_DE --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5652 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2244)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=de --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5076 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2924)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=de --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5952 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8
    - Modifies registry class

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=de --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5192 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4524)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=de --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5264 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4712)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=de --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5788 --field-trial-handle=2280,i,12495260388534045372,17604500157273288941,262144 --variations-seed-version /prefetch:8