Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 19, 2023, 11:03 a.m.	Sept. 19, 2023, 11:05 a.m.

Size	7.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1c9f3c0258e923c07e1943498c789a3d`
SHA256	`925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55`
CRC32	`358CAD29`
ssdeep	`196608:o9/4OSUKi7eAGR6EGOUqJNTUQ0uG2DWMyoim06EV5X:U/4OSZeeLcvqJNF0uJW3/HX`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

Betro.exe "C:\Users\test22\AppData\Local\Temp\Betro.exe"
2560
- Betro.exe "C:\Users\test22\AppData\Local\Temp\Betro.exe"
  2672
- cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno"
  2736
- cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
  2788
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
    2908
- cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe"
  2828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.225.75.68	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 185.225.75.68:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.101:49168 -> 185.225.75.68:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49170 185.225.75.68:3569	CN=BTR1	CN=BTR1	bf:1e:2a:14:2b:9d:78:53:b3:aa:a2:ae:7f:02:ef:09:a4:a6:3e:61
TLS 1.2 192.168.56.101:49168 185.225.75.68:3569	CN=BTR1	CN=BTR1	bf:1e:2a:14:2b:9d:78:53:b3:aa:a2:ae:7f:02:ef:09:a4:a6:3e:61

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 19, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 19, 2023, 11:03 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2023, 11:03 a.m.			0	0
IsDebuggerPresent Sept. 19, 2023, 11:03 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00efb130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f9dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f9dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f9dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00f9dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00fc7410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00fc7410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00fc7410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00fc7410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2023, 11:03 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fe0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2740 thread_handle: 0x000002a4 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2792 thread_handle: 0x000002a4 process_identifier: 2788 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c4	1	1
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2832 thread_handle: 0x000002a4 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c8	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00786800', u'virtual_address': u'0x00002000', u'entropy': 7.999674105757972, u'name': u'.text', u'virtual_size': u'0x0078669c'}

entropy

7.99967410576

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ea00', u'virtual_address': u'0x0078a000', u'entropy': 7.804171414391342, u'name': u'.rsrc', u'virtual_size': u'0x0000e82c'}

entropy

7.80417141439

description

A section with a high entropy has been found

entropy

0.9999356085

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 19, 2023, 11:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 19, 2023, 11:03 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (23 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications smtp	rule	network_smtp_raw
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno"
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

Communicates with host for which no DNS query was performed (1 event)

host

185.225.75.68

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2672 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288		3221225496	0
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2672 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 19, 2023, 11:03 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Betro.exe tried to sleep 2728691 seconds, actually delayed analysis time by 2728691 seconds

Installs itself for autorun at Windows startup (2 events)

cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 0 callback_function: 0x00caf84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	1114583	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00ba0000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00f48000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: º base_address: 0x7efde008 process_identifier: 2672 process_handle: 0x00000288	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00ba0000 process_identifier: 2672 process_handle: 0x00000288	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 0 callback_function: 0x00c6a8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	590279	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2672
NtSetContextThread Sept. 19, 2023, 11:03 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000284 process_identifier: 2672	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Local\f9be9104\plg\c039198306863035fea360c1237d8088.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2672
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2672	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 54 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2676 thread_handle: 0x00000284 process_identifier: 2672 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Betro.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Betro.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Betro.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000288	1	1
NtGetContextThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000284	1	0
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2672 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288		3221225496
NtAllocateVirtualMemory Sept. 19, 2023, 11:03 a.m.	process_identifier: 2672 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288	1	0
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00ba0000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00ba1000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00e80000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00f2c000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00f46000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00f48000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: base_address: 0x00f49000 process_identifier: 2672 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2023, 11:03 a.m.	buffer: º base_address: 0x7efde008 process_identifier: 2672 process_handle: 0x00000288	1	1
NtSetContextThread Sept. 19, 2023, 11:03 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000284 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2672	1	0
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2740 thread_handle: 0x000002a4 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2792 thread_handle: 0x000002a4 process_identifier: 2788 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c4	1	1
CreateProcessInternalW Sept. 19, 2023, 11:03 a.m.	thread_identifier: 2832 thread_handle: 0x000002a4 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c8	1	1
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:03 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:04 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:05 a.m.	thread_handle: 0x000001dc suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:05 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:05 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 19, 2023, 11:05 a.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2672	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Win32.Generic.4!c
Malwarebytes	Trojan.Crypt.MSIL
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.9cbfdf9b
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Tasker.gen
Avast	Win32:RATX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen21.30399
McAfee-GW-Edition	BehavesLike.Win32.AgentTesla.wc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1c9f3c0258e923c0
Emsisoft	Trojan.GenericKD.69351359 (B)
SentinelOne	Static AI - Malicious PE
Gridinsoft	Trojan.Win32.BitRAT.bot
Microsoft	Trojan:Win32/Znyonm
ViRobot	Trojan.Win.Z.Kryptik.7951872
ZoneAlarm	HEUR:Trojan.MSIL.Tasker.gen
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R476688
McAfee	Artemis!1C9F3C0258E9
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DII23
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:uW+7HxykJ9AP5YKiYGqdfg)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AHUA!tr
BitDefenderTheta	Gen:NN.ZemsilF.36662.@p0@ayn!Q6li
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.a5eff1
DeepInstinct	MALICIOUS

Betro.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All