Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 19, 2023, 11:17 a.m.	Sept. 19, 2023, 11:20 a.m.

Size	7.6MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1c9f3c0258e923c07e1943498c789a3d`
SHA256	`925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55`
CRC32	`358CAD29`
ssdeep	`196608:o9/4OSUKi7eAGR6EGOUqJNTUQ0uG2DWMyoim06EV5X:U/4OSZeeLcvqJNF0uJW3/HX`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

Betro.exe "C:\Users\test22\AppData\Local\Temp\Betro.exe"
2652
- Betro.exe "C:\Users\test22\AppData\Local\Temp\Betro.exe"
  2760
- cmd.exe "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno"
  2824
- cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
  2876
  - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
    2996
- cmd.exe "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe"
  2916

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.225.75.68	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 185.225.75.68:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.101:49170 -> 185.225.75.68:3569	906200095	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49168 185.225.75.68:3569	CN=BTR1	CN=BTR1	bf:1e:2a:14:2b:9d:78:53:b3:aa:a2:ae:7f:02:ef:09:a4:a6:3e:61
TLS 1.2 192.168.56.101:49170 185.225.75.68:3569	CN=BTR1	CN=BTR1	bf:1e:2a:14:2b:9d:78:53:b3:aa:a2:ae:7f:02:ef:09:a4:a6:3e:61

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 19, 2023, 11:18 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 19, 2023, 11:17 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2023, 11:17 a.m.			0	0
IsDebuggerPresent Sept. 19, 2023, 11:17 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (22 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b1f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b2f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b7b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c1dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c1dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c1dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c1dcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c47410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c47410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c47410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 11:17 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c47410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2023, 11:17 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 11:18 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb2000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2828 thread_handle: 0x000002a8 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2880 thread_handle: 0x000002a8 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c8	1	1
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2920 thread_handle: 0x000002a8 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00786800', u'virtual_address': u'0x00002000', u'entropy': 7.999674105757972, u'name': u'.text', u'virtual_size': u'0x0078669c'}

entropy

7.99967410576

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ea00', u'virtual_address': u'0x0078a000', u'entropy': 7.804171414391342, u'name': u'.rsrc', u'virtual_size': u'0x0000e82c'}

entropy

7.80417141439

description

A section with a high entropy has been found

entropy

0.9999356085

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 19, 2023, 11:18 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 19, 2023, 11:18 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://curl.haxx.se/docs/http-cookies.html

Yara rule detected in process memory (23 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications smtp	rule	network_smtp_raw
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno"
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

Communicates with host for which no DNS query was performed (1 event)

host

185.225.75.68

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2760 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496	0
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2760 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 19, 2023, 11:18 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Betro.exe tried to sleep 2728690 seconds, actually delayed analysis time by 2728690 seconds

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f
cmdline	"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 19, 2023, 11:18 a.m.	thread_identifier: 0 callback_function: 0x00cff84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	1311197	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00bf0000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00f98000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: ¿ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x0000028c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00bf0000 process_identifier: 2760 process_handle: 0x0000028c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 19, 2023, 11:18 a.m.	thread_identifier: 0 callback_function: 0x00cba8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	4456871	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 called NtSetContextThread to modify thread in remote process 2760
NtSetContextThread Sept. 19, 2023, 11:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000288 process_identifier: 2760	1	0	0

Appends a known multi-family ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Local\f9be9104\plg\c039198306863035fea360c1237d8088.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 resumed a thread in remote process 2760
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2760	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 54 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2652	1	0
NtGetContextThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2652	1	0
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2764 thread_handle: 0x00000288 process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Betro.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Betro.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Betro.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x00000288	1	0
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2760 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496
NtAllocateVirtualMemory Sept. 19, 2023, 11:17 a.m.	process_identifier: 2760 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	1	0
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: MZÿÿ¸@8º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÞVcÛ7 7 7 .«ü7 .«þ]7 .«ÿ¾7 Ê7 ¡i7 E ý6 i7 i Æ7 GÈÝ7 GÈÜ7 GÈÆ7 7ß5 n7 GÈÃ7 ¡i °7 ¡i7 i7 i7 Rich7 PELòÓÛ`àì-<¤(.@à<D¤8(:¼I¬4Ð 2@Ì8.textê-ì- `.rdata¶º .¼ ð-@@.dataÀ8"¬8@À.gfidsø`:Î9@@.tls :à9@À.reloc¼I:Jâ9@B base_address: 0x00bf0000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00bf1000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00ed0000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00f7c000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00f96000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00f98000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: base_address: 0x00f99000 process_identifier: 2760 process_handle: 0x0000028c	1	1
WriteProcessMemory Sept. 19, 2023, 11:17 a.m.	buffer: ¿ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x0000028c	1	1
NtSetContextThread Sept. 19, 2023, 11:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 6857864 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000288 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:17 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2828 thread_handle: 0x000002a8 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c mkdir "C:\Users\test22\AppData\Roaming\uno" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2880 thread_handle: 0x000002a8 process_identifier: 2876 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\uno\uno.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002c8	1	1
CreateProcessInternalW Sept. 19, 2023, 11:17 a.m.	thread_identifier: 2920 thread_handle: 0x000002a8 process_identifier: 2916 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /c copy "C:\Users\test22\AppData\Local\Temp\Betro.exe" "C:\Users\test22\AppData\Roaming\uno\uno.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002cc	1	1
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000394 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:18 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x000001dc suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x000001dc suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Sept. 19, 2023, 11:19 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 2760	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Win32.Generic.4!c
Malwarebytes	Trojan.Crypt.MSIL
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.9cbfdf9b
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AHUA
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.MSIL.Tasker.gen
Avast	Win32:RATX-gen [Trj]
Sophos	Mal/Generic-S
DrWeb	Trojan.Siggen21.30399
McAfee-GW-Edition	BehavesLike.Win32.AgentTesla.wc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1c9f3c0258e923c0
Emsisoft	Trojan.GenericKD.69351359 (B)
SentinelOne	Static AI - Malicious PE
Gridinsoft	Trojan.Win32.BitRAT.bot
Microsoft	Trojan:Win32/Znyonm
ViRobot	Trojan.Win.Z.Kryptik.7951872
ZoneAlarm	HEUR:Trojan.MSIL.Tasker.gen
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R476688
McAfee	Artemis!1C9F3C0258E9
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DII23
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:uW+7HxykJ9AP5YKiYGqdfg)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AHUA!tr
BitDefenderTheta	Gen:NN.ZemsilF.36662.@p0@ayn!Q6li
AVG	Win32:RATX-gen [Trj]
Cybereason	malicious.a5eff1
DeepInstinct	MALICIOUS

Betro.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All