3dd251ad68b127cbbb2457425a53637983effc91f7d1ce869ac8e531933fdfeb

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/11/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beta wolf multi tool.exe
Size

157KB
MD5

86304bd184c7260044fedd5466fc202a
SHA1

c795f461ab47f15968b013fa6acfae0c19fafdac
SHA256

3dd251ad68b127cbbb2457425a53637983effc91f7d1ce869ac8e531933fdfeb
SHA512

3de9dcacac7dd097f35c736004a37b8c649d1d89c5ead01e7a17e175670936acd16349384714fd211c6c3bcd93b93aaa1e52b289beccbc906aa726e8ced92c0c
SSDEEP

3072:dahKyd2n31u5GWp1icKAArDZz4N9GhbkrNEk1bT:dahOSp0yN90QE8

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Beta wolf multi tool.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5012	PING.EXE
4844	PING.EXE
2760	PING.EXE
3988	PING.EXE
2448	PING.EXE
4592	PING.EXE
4452	PING.EXE
3028	PING.EXE
4436	PING.EXE
2072	PING.EXE
3120	PING.EXE
2320	PING.EXE
4416	PING.EXE
2380	PING.EXE
860	PING.EXE
3000	PING.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
4844	PING.EXE
3028	PING.EXE
2380	PING.EXE
2448	PING.EXE
860	PING.EXE
4436	PING.EXE
3000	PING.EXE
4416	PING.EXE
2072	PING.EXE
3988	PING.EXE
4592	PING.EXE
5012	PING.EXE
2760	PING.EXE
3120	PING.EXE
2320	PING.EXE
4452	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1328	AUDIODG.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 3592	4712	Beta wolf multi tool.exe	79
PID 4712 wrote to memory of 3592	4712	Beta wolf multi tool.exe	79
PID 3592 wrote to memory of 4652	3592	cmd.exe	81
PID 3592 wrote to memory of 4652	3592	cmd.exe	81
PID 3592 wrote to memory of 3028	3592	cmd.exe	84
PID 3592 wrote to memory of 3028	3592	cmd.exe	84
PID 3592 wrote to memory of 5012	3592	cmd.exe	85
PID 3592 wrote to memory of 5012	3592	cmd.exe	85
PID 3592 wrote to memory of 4436	3592	cmd.exe	86
PID 3592 wrote to memory of 4436	3592	cmd.exe	86
PID 3592 wrote to memory of 4844	3592	cmd.exe	87
PID 3592 wrote to memory of 4844	3592	cmd.exe	87
PID 3592 wrote to memory of 2760	3592	cmd.exe	88
PID 3592 wrote to memory of 2760	3592	cmd.exe	88
PID 3592 wrote to memory of 3000	3592	cmd.exe	89
PID 3592 wrote to memory of 3000	3592	cmd.exe	89
PID 3592 wrote to memory of 4416	3592	cmd.exe	91
PID 3592 wrote to memory of 4416	3592	cmd.exe	91
PID 3592 wrote to memory of 2072	3592	cmd.exe	92
PID 3592 wrote to memory of 2072	3592	cmd.exe	92
PID 3592 wrote to memory of 2380	3592	cmd.exe	93
PID 3592 wrote to memory of 2380	3592	cmd.exe	93
PID 3592 wrote to memory of 3988	3592	cmd.exe	94
PID 3592 wrote to memory of 3988	3592	cmd.exe	94
PID 3592 wrote to memory of 2448	3592	cmd.exe	95
PID 3592 wrote to memory of 2448	3592	cmd.exe	95
PID 3592 wrote to memory of 860	3592	cmd.exe	96
PID 3592 wrote to memory of 860	3592	cmd.exe	96
PID 3592 wrote to memory of 3120	3592	cmd.exe	97
PID 3592 wrote to memory of 3120	3592	cmd.exe	97
PID 3592 wrote to memory of 2320	3592	cmd.exe	98
PID 3592 wrote to memory of 2320	3592	cmd.exe	98
PID 3592 wrote to memory of 4592	3592	cmd.exe	99
PID 3592 wrote to memory of 4592	3592	cmd.exe	99
PID 3592 wrote to memory of 4452	3592	cmd.exe	100
PID 3592 wrote to memory of 4452	3592	cmd.exe	100
PID 3592 wrote to memory of 1836	3592	cmd.exe	101
PID 3592 wrote to memory of 1836	3592	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\Beta wolf multi tool.exe
"C:\Users\Admin\AppData\Local\Temp\Beta wolf multi tool.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Beta wolf multi tool.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4652
- - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3028
- - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5012
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4436
- - C:\Windows\system32\PING.EXE
    ping localhost -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4844
- - C:\Windows\system32\PING.EXE
    ping localhost -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2760
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3000
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4416
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2072
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2380
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3988
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2448
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:860
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3120
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2320
- - C:\Windows\system32\PING.EXE
    ping localhost -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4592
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4452
- - C:\Windows\system32\nslookup.exe
    nslookup vbin.net
    3⤵
    PID:1836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1aec2c12-2a09-4738-8afd-1666064a32be.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beta wolf multi tool.bat

Filesize
15KB

MD5
60a00b221314623ee1b2cb035e4c04bf

SHA1
691dc5bfee957d81123d2a7c32a4f240ee058850

SHA256
82db40080c2d2ba8d1d3119791a26a54c0be16577e75ea504a6e7c9836a9953f

SHA512
ae20a6541c5f595a181beff09f3a1e63f272c9bc0719cfc31a0806f906d02d53b0e1cbcdee01399c0be798597e21026ce30c52ac8a452ed27aec5c78ac5df959

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads