betabot | 8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c7a082a3712ad00cea6f1bfee81f9c.exe
Size

1.2MB
MD5

24c7a082a3712ad00cea6f1bfee81f9c
SHA1

67f06a9982358afdf69163b3fd642c231fa0a9c4
SHA256

8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710
SHA512

ad9097c842e517fa034e5abecb07851cad0d1e5c0433cc1765bf95ee20869d445290fc71e2d20bf7121f780c3336eb0c2397c20c7e8ee541dbf946061442b783
SSDEEP

24576:q7kybXvovms3JuIfILdzxtJzJOJTe87RMMeQjm:KMZJuIwLdNtJzJOJTJeQS

Score

10^/10

betabot backdoor botnet defense_evasion discovery persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot
Betabot family
betabot

Modifies firewall policy service 3 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dd.exe

Disables Task Manager via registry modification
defense_evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "cynxawuh.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscsy7m7iaomsmg.exe	dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscsy7m7iaomsmg.exe\DisableExceptionChainValidation	dd.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	24c7a082a3712ad00cea6f1bfee81f9c.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	dd.exe
4708	dd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VShost = "C:\\ProgramData\\VShost\\cscsy7m7iaomsmg.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VShost = "\"C:\\ProgramData\\VShost\\cscsy7m7iaomsmg.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscsy7m7iaomsmg.exe\DisableExceptionChainValidation	dd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4708	dd.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 4708	2756	dd.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1916	1928	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24c7a082a3712ad00cea6f1bfee81f9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	24c7a082a3712ad00cea6f1bfee81f9c.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2588	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3168	mspaint.exe
3168	mspaint.exe
2756	dd.exe
2756	dd.exe
2756	dd.exe
2756	dd.exe
2756	dd.exe
2756	dd.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4708	dd.exe
4708	dd.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe
Token: SeDebugPrivilege	2756	dd.exe
Token: SeDebugPrivilege	4708	dd.exe
Token: SeRestorePrivilege	4708	dd.exe
Token: SeBackupPrivilege	4708	dd.exe
Token: SeLoadDriverPrivilege	4708	dd.exe
Token: SeCreatePagefilePrivilege	4708	dd.exe
Token: SeShutdownPrivilege	4708	dd.exe
Token: SeTakeOwnershipPrivilege	4708	dd.exe
Token: SeChangeNotifyPrivilege	4708	dd.exe
Token: SeCreateTokenPrivilege	4708	dd.exe
Token: SeMachineAccountPrivilege	4708	dd.exe
Token: SeSecurityPrivilege	4708	dd.exe
Token: SeAssignPrimaryTokenPrivilege	4708	dd.exe
Token: SeCreateGlobalPrivilege	4708	dd.exe
Token: 33	4708	dd.exe
Token: SeDebugPrivilege	2588	PaintStudio.View.exe
Token: SeDebugPrivilege	2588	PaintStudio.View.exe
Token: SeDebugPrivilege	1928	explorer.exe
Token: SeRestorePrivilege	1928	explorer.exe
Token: SeBackupPrivilege	1928	explorer.exe
Token: SeLoadDriverPrivilege	1928	explorer.exe
Token: SeCreatePagefilePrivilege	1928	explorer.exe
Token: SeShutdownPrivilege	1928	explorer.exe
Token: SeTakeOwnershipPrivilege	1928	explorer.exe
Token: SeChangeNotifyPrivilege	1928	explorer.exe
Token: SeCreateTokenPrivilege	1928	explorer.exe
Token: SeMachineAccountPrivilege	1928	explorer.exe
Token: SeSecurityPrivilege	1928	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	1928	explorer.exe
Token: SeCreateGlobalPrivilege	1928	explorer.exe
Token: 33	1928	explorer.exe
Token: SeDebugPrivilege	2588	PaintStudio.View.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3168	mspaint.exe
2588	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3168	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	82
PID 3924 wrote to memory of 3168	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	82
PID 3924 wrote to memory of 3168	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	82
PID 3924 wrote to memory of 2756	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	83
PID 3924 wrote to memory of 2756	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	83
PID 3924 wrote to memory of 2756	3924	24c7a082a3712ad00cea6f1bfee81f9c.exe	83
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 2756 wrote to memory of 4708	2756	dd.exe	87
PID 4708 wrote to memory of 1928	4708	dd.exe	93
PID 4708 wrote to memory of 1928	4708	dd.exe	93
PID 4708 wrote to memory of 1928	4708	dd.exe	93

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dd.exe

C:\Users\Admin\AppData\Local\Temp\24c7a082a3712ad00cea6f1bfee81f9c.exe
"C:\Users\Admin\AppData\Local\Temp\24c7a082a3712ad00cea6f1bfee81f9c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\세이클x 번개녀 원나잇 홈런 시리즈 3탄 - 몸매 죽이는 E컵 자연산 슴가 현직 모델녀.mp4_20160810_215820.611.jpg" /ForceBootstrapPaint3D
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3168
- C:\Users\Admin\Pictures\dd.exe
  "C:\Users\Admin\Pictures\dd.exe"
  2⤵
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2756
- - C:\Users\Admin\Pictures\dd.exe
    "C:\Users\Admin\Pictures\dd.exe"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Indicator Removal: Clear Persistence
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies firewall policy service
      Event Triggered Execution: Image File Execution Options Injection
      Checks BIOS information in registry
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1116
        5⤵
        Program crash
        
        PID:1916

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1928 -ip 1928
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
368B

MD5
dbc90257ddcd87a2fc7216ebdcbdc8c7

SHA1
58eaba4af684be1d04bf76e3c137a27a81d0c558

SHA256
57301f52e6ae709b9724624f187bd9b4cd24ce554847df6b470fe103b1d4b373

SHA512
df3546a2ea90c58ab4ba4ae320f0e19f1bf458df55597d74268e3330bec44deecae0b8ea20d1f02398bcfccdd3af2660fe04e8e4ba172887f3aa9f72ea71868e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
f4e4a03ebd0ab3a953c56a300d61d223

SHA1
97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

SHA256
52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

SHA512
12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

Download Submit
C:\Users\Admin\Pictures\dd.exe

Filesize
233KB

MD5
34ddf5905488a9b275df4c58aaf5d847

SHA1
5bb563413be0c957692aa91fdaf86a6e60cba22a

SHA256
d5adec27977bf202eb056c2eb8f36115d398cc0536ca38b16bf7514623a5c069

SHA512
b3c11b7f4046392f58802c0c0c09041a29478942064ac2834bc0f18cc564549be58101bdf499159021aed0c65e0bd7140ff43bad33520ae549076de8dea891b7

Download Submit
C:\Users\Admin\Pictures\세이클x 번개녀 원나잇 홈런 시리즈 3탄 - 몸매 죽이는 E컵 자연산 슴가 현직 모델녀.mp4_20160810_215820.611.jpg

Filesize
93KB

MD5
992e7555ccbc6b82af6ab64cad41cdd0

SHA1
773616e3f157bddbcde7026b3d2d0b65f3809602

SHA256
8deed2818ffed9549644eea1aa5bed8807a5a1ca9e9b76b15a566d827ae25efa

SHA512
e28f12e19060a83a4799e0b2f72ae4c970b90b9442a0a0e28f902be5a920d8a7d08acd96d040d0ba580929401221ebfd69218f5ef13340de5a0ca253dd1eb656

Download Submit
memory/1928-40-0x0000000000A10000-0x0000000000E44000-memory.dmp

Filesize
4.2MB

Download
memory/1928-41-0x0000000000A10000-0x0000000000E44000-memory.dmp

Filesize
4.2MB

Download
memory/1928-42-0x0000000000F50000-0x0000000000FF4000-memory.dmp

Filesize
656KB

Download
memory/1928-72-0x0000000000A10000-0x0000000000E43000-memory.dmp

Filesize
4.2MB

Download
memory/2756-39-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2756-24-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2756-25-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2756-26-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3924-4-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3924-0-0x00000000755A2000-0x00000000755A3000-memory.dmp

Filesize
4KB

Download
memory/3924-23-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3924-3-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3924-2-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3924-1-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/4708-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-37-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/4708-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download