Overview
overview
10Static
static
10foo/0044d6...f7.exe
windows7-x64
1foo/0044d6...f7.exe
windows10-2004-x64
3foo/034e4c...a9.exe
windows7-x64
4foo/034e4c...a9.exe
windows10-2004-x64
4foo/035fa2...72.exe
windows7-x64
6foo/035fa2...72.exe
windows10-2004-x64
6foo/04884a...1b.exe
windows7-x64
7foo/04884a...1b.exe
windows10-2004-x64
7foo/06ed82...59.exe
windows7-x64
7foo/06ed82...59.exe
windows10-2004-x64
7foo/07470b...68.exe
windows7-x64
7foo/07470b...68.exe
windows10-2004-x64
7foo/078adb...c0.exe
windows7-x64
10foo/078adb...c0.exe
windows10-2004-x64
10foo/09e5c8...b4.exe
windows7-x64
3foo/09e5c8...b4.exe
windows10-2004-x64
3foo/0becfe...f4.exe
windows7-x64
10foo/0becfe...f4.exe
windows10-2004-x64
10foo/1a78d3...a3.exe
windows7-x64
5foo/1a78d3...a3.exe
windows10-2004-x64
7foo/1ffe82...a6.exe
windows7-x64
10foo/1ffe82...a6.exe
windows10-2004-x64
10foo/255028...e1.dll
windows7-x64
3foo/255028...e1.dll
windows10-2004-x64
3foo/27601d...cc.exe
windows7-x64
7foo/27601d...cc.exe
windows10-2004-x64
7foo/27f911...49.exe
windows7-x64
10foo/27f911...49.exe
windows10-2004-x64
10foo/28408c...c5.exe
windows7-x64
10foo/28408c...c5.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
90s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
foo/0044d66e4abf7c4af6b5d207065320f7.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
foo/0044d66e4abf7c4af6b5d207065320f7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
foo/034e4c62965f8d5dd5d5a2ce34a53ba9.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
foo/034e4c62965f8d5dd5d5a2ce34a53ba9.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
foo/035fa2f2fae0a8fad733686a7d9ea772.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
foo/035fa2f2fae0a8fad733686a7d9ea772.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
foo/04884a82d01d733f245d921e1f74fb1b.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
foo/04884a82d01d733f245d921e1f74fb1b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
foo/06ed82e88e1f68cc08602d7cd8ec5f59.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
foo/06ed82e88e1f68cc08602d7cd8ec5f59.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
foo/07470b6ede84f02ec31ab0a601cdc068.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
foo/07470b6ede84f02ec31ab0a601cdc068.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
foo/078adb95b1a0a6449d8c4ece796deac0.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
foo/078adb95b1a0a6449d8c4ece796deac0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
foo/09e5c88a0592763e0c4f30fb88d663b4.exe
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
foo/09e5c88a0592763e0c4f30fb88d663b4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
foo/0becfedf4d0b9ad5251aca33274a4cf4.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
foo/0becfedf4d0b9ad5251aca33274a4cf4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
foo/1a78d313f2891bd468f78694814a28a3.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
foo/1a78d313f2891bd468f78694814a28a3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
foo/1ffe827beb75335731cb6f052a8ec3a6.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
foo/1ffe827beb75335731cb6f052a8ec3a6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
foo/255028f2f37838e92f84f27c68aaf4e1.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
foo/255028f2f37838e92f84f27c68aaf4e1.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
foo/27601d095e5b3761d9289584415a73cc.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
foo/27601d095e5b3761d9289584415a73cc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
foo/27f9116902c35a9b784c703762bbd249.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
foo/27f9116902c35a9b784c703762bbd249.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
foo/28408caa2961caecd35c9f8f7c1aecc5.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
foo/28408caa2961caecd35c9f8f7c1aecc5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
foo/27f9116902c35a9b784c703762bbd249.exe
-
Size
1.3MB
-
MD5
27f9116902c35a9b784c703762bbd249
-
SHA1
1f398a7f5bb032a30c2207e5e692524691b8a09e
-
SHA256
548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570
-
SHA512
c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6
-
SSDEEP
24576:aCdxte/80jYLT3U1jfsWarh061/ZfElRw0bMQ0j:7w80cTsjkWarx/ulA
Malware Config
Signatures
-
Betabot family
-
Modifies firewall policy service 3 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eae57m53ycw1.exe 27f9116902c35a9b784c703762bbd249.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eae57m53ycw1.exe\DisableExceptionChainValidation 27f9116902c35a9b784c703762bbd249.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "uztczxxm.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Task Protect 2.3 = "C:\\ProgramData\\Task Protect 2.3\\eae57m53ycw1.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Protect 2.3 = "\"C:\\ProgramData\\Task Protect 2.3\\eae57m53ycw1.exe\"" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 27f9116902c35a9b784c703762bbd249.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eae57m53ycw1.exe\DisableExceptionChainValidation 27f9116902c35a9b784c703762bbd249.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral28/memory/4424-20-0x0000000001000000-0x00000000011BD000-memory.dmp autoit_exe behavioral28/memory/1932-23-0x0000000000530000-0x000000000067E000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 1932 27f9116902c35a9b784c703762bbd249.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2924 set thread context of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 -
Program crash 1 IoCs
pid pid_target Process procid_target 1428 4424 WerFault.exe 91 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27f9116902c35a9b784c703762bbd249.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27f9116902c35a9b784c703762bbd249.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 27f9116902c35a9b784c703762bbd249.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 27f9116902c35a9b784c703762bbd249.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe 4424 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 1932 27f9116902c35a9b784c703762bbd249.exe 1932 27f9116902c35a9b784c703762bbd249.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1932 27f9116902c35a9b784c703762bbd249.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeRestorePrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeBackupPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeLoadDriverPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeCreatePagefilePrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeShutdownPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeTakeOwnershipPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeChangeNotifyPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeCreateTokenPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeMachineAccountPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeSecurityPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeAssignPrimaryTokenPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeCreateGlobalPrivilege 1932 27f9116902c35a9b784c703762bbd249.exe Token: 33 1932 27f9116902c35a9b784c703762bbd249.exe Token: SeDebugPrivilege 4424 explorer.exe Token: SeRestorePrivilege 4424 explorer.exe Token: SeBackupPrivilege 4424 explorer.exe Token: SeLoadDriverPrivilege 4424 explorer.exe Token: SeCreatePagefilePrivilege 4424 explorer.exe Token: SeShutdownPrivilege 4424 explorer.exe Token: SeTakeOwnershipPrivilege 4424 explorer.exe Token: SeChangeNotifyPrivilege 4424 explorer.exe Token: SeCreateTokenPrivilege 4424 explorer.exe Token: SeMachineAccountPrivilege 4424 explorer.exe Token: SeSecurityPrivilege 4424 explorer.exe Token: SeAssignPrimaryTokenPrivilege 4424 explorer.exe Token: SeCreateGlobalPrivilege 4424 explorer.exe Token: 33 4424 explorer.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2924 wrote to memory of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 PID 2924 wrote to memory of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 PID 2924 wrote to memory of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 PID 2924 wrote to memory of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 PID 2924 wrote to memory of 1932 2924 27f9116902c35a9b784c703762bbd249.exe 90 PID 1932 wrote to memory of 4424 1932 27f9116902c35a9b784c703762bbd249.exe 91 PID 1932 wrote to memory of 4424 1932 27f9116902c35a9b784c703762bbd249.exe 91 PID 1932 wrote to memory of 4424 1932 27f9116902c35a9b784c703762bbd249.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 10684⤵
- Program crash
PID:1428
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 44241⤵PID:2360
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
146 B 147 B 2 1
DNS Request
149.220.183.52.in-addr.arpa
DNS Request
149.220.183.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
21.49.80.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
1Clear Persistence
1Modify Registry
5