| URL: | http://dwrapper-dev.herokuapp.com/beetle-cab.cab |
| Full analysis: | https://app.any.run/tasks/81899d40-2fa9-4e59-acac-94c47e47bc5c |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 26, 2023, 04:33:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | BD8E5AE36D88769DC2EB67FDBDC43258 |
| SHA1: | F432312E763C10287D6E437D5878ED41FB18FF02 |
| SHA256: | 54832E3C4FF757E22E693191CAC6575500510FF26180D2B83651081D1C580CDA |
| SSDEEP: | 3:N1KaSMpBsSxYIOu:CaHn3Ou |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 908)
Starts Visual C# compiler
- powershell.exe (PID: 908)
Registers / Runs the DLL via REGSVR32.EXE
- cmd.exe (PID: 2600)
SUSPICIOUS
Executing commands from ".cmd" file
- explorer.exe (PID: 1068)
- mshta.exe (PID: 2864)
- RuntimePack.exe (PID: 3276)
- DirectX.exe (PID: 5308)
Executable content was dropped or overwritten
- 7za.exe (PID: 1160)
- csc.exe (PID: 528)
- mshta.exe (PID: 2864)
- SearcherBar.exe (PID: 1156)
- aria2c.exe (PID: 528)
- aria2c.exe (PID: 2336)
- aria2c.exe (PID: 1832)
- RuntimePack.exe (PID: 3276)
- cmd.exe (PID: 2600)
- DirectX.exe (PID: 5308)
- xcopy.exe (PID: 4812)
- xcopy.exe (PID: 4428)
- xcopy.exe (PID: 4192)
- Chrone.exe (PID: 2180)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 1472)
The process hide an interactive prompt from the user
- cmd.exe (PID: 1472)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 1472)
Starts CMD.EXE for commands execution
- explorer.exe (PID: 1068)
- mshta.exe (PID: 2864)
- RuntimePack.exe (PID: 3276)
- cmd.exe (PID: 2600)
- DirectX.exe (PID: 5308)
The process hides Powershell's copyright startup banner
- cmd.exe (PID: 1472)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 1472)
Get information on the list of running processes
- cmd.exe (PID: 1472)
Uses RUNDLL32.EXE to load library
- mshta.exe (PID: 2864)
Uses .NET C# to load dll
- powershell.exe (PID: 908)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- cmd.exe (PID: 2968)
Starts SC.EXE for service management
- cmd.exe (PID: 3868)
Uses WMIC.EXE to obtain system information
- cmd.exe (PID: 768)
Starts application with an unusual extension
- cmd.exe (PID: 3064)
Uses NETSH.EXE to add a firewall rule or allowed programs
- cmd.exe (PID: 2640)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 3064)
Application launched itself
- cmd.exe (PID: 2600)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2600)
- cmd.exe (PID: 6016)
INFO
Application launched itself
- iexplore.exe (PID: 2096)
The process uses the downloaded file
- iexplore.exe (PID: 2096)
- WinRAR.exe (PID: 4012)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4012)
The executable file from the user directory is run by the CMD process
- SearcherBar.exe (PID: 3880)
- SearcherBar.exe (PID: 2616)
- RuntimePack.exe (PID: 3828)
- RuntimePack.exe (PID: 3276)
- RuntimePack.exe (PID: 2368)
- SearcherBar.exe (PID: 1156)
- WOT.exe (PID: 2264)
- WOW.exe (PID: 2592)
- WOT.exe (PID: 2056)
- WOT.exe (PID: 2540)
- DirectX.exe (PID: 5532)
- DirectX.exe (PID: 5972)
- WOW.exe (PID: 3868)
- WOW.exe (PID: 1356)
- DirectX.exe (PID: 5308)
- Chrone.exe (PID: 4500)
- Chrone.exe (PID: 2180)
- DriverPack-Alice.exe (PID: 5632)
- Chrone.exe (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
665
Monitored processes
444
Malicious processes
14
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 120 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_85378.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_85378.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 120 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_4.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_23224.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_23224.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 128 | "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/SearcherBar.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_32064.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 148 | "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/tools/DriverPack-Alice.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_31806.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 268 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_15862.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_15862.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 268 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-3.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_28220.log" | C:\Users\admin\Desktop\beetle-cab\ext\Tools\driverpack-wget.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 312 | compact.exe /i /c /a /f "C:\Windows\System32\msflxgrd.ocx" | C:\Windows\System32\compact.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: File Compress Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 328 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/intro.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_31194.log" | C:\Users\admin\Desktop\beetle-cab\ext\Tools\driverpack-wget.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 328 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\Desktop\beetle-cab\ext\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/UTILS-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_49509.log" | C:\Users\admin\Desktop\beetle-cab\ext\Tools\driverpack-wget.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 528 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\0ws0bko1.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR | ||||
Total events
14 174
Read events
14 080
Write events
94
Delete events
0
Modification events
| (PID) Process: | (1068) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000003D77C3133A5D7248BA6D7744BB9A3E16000000000200000000001066000000010000200000004A9CAAC251DD88A0E7E33FFB23F636A225CB7CC4485369C7C9B03862A811D096000000000E8000000002000020000000659B7585C71088AEEB1875008044DFB4B07623A0B20C3E867A78A9695191E29230000000F9C4E47AAD7D214C673E4CDC8385C59DDC5AE0E28396FCF21F9D028C590E79749BDDC16862F8E26B3D4F8E8966EEF17C4000000006EE6EDF8BC2D3544F7C9D682CF07277A50A34FA9DF6D8FB7B39CA5834F62523E20C12EF252EC87A75BE0FA4A5D7BD80B713248892E659363C3419474A1FEA18 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 0 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30847387 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30847437 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2096) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
Executable files
632
Suspicious files
474
Text files
1 510
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3580 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\beetle-cab.cab.ibwpifw.partial | — | |
MD5:— | SHA256:— | |||
| 2096 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\beetle-cab.cab | — | |
MD5:— | SHA256:— | |||
| 4012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4012.3834\beetle-cab\arc.7z | — | |
MD5:— | SHA256:— | |||
| 4012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4012.5845\beetle-cab\arc.7z | — | |
MD5:— | SHA256:— | |||
| 1068 | explorer.exe | — | ||
MD5:— | SHA256:— | |||
| 3580 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\beetle-cab[1].cab | compressed | |
MD5:48EB8E33733B720AE639EE63A18C8643 | SHA256:A06F08AEF2C8E6CFA3F8C3283D9AE19091D726B5FE56420A391A39DDE0232243 | |||
| 2096 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A7D2C855-13DA-11EE-B2B4-12A9866C77DE}.dat | binary | |
MD5:59F5C310FB850C79F9DDCEC7E9CBBB91 | SHA256:36F613352C5E895D69709F4F92DDB4043CDF2F960C430F56B020B16875261F38 | |||
| 2096 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\beetle-cab.cab.ibwpifw.partial:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2096 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:8ED1BB05965DBA4EAB12E54CC2FB38B5 | SHA256:32C6FA4DA5614C7AD931839203CE92B3DB964769581F7E2F9486135F99C3BE73 | |||
| 4012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4012.3834\beetle-cab\7za.exe | executable | |
MD5:90AAC6489F6B226BF7DC1ADABFDB1259 | SHA256:BA7F3627715614D113C1E1CD7DD9D47E3402A1E8A7404043E08BC14939364549 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1 093
TCP/UDP connections
400
DNS requests
53
Threats
6 312
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 301 | 188.114.96.3:80 | http://allfont.ru/cache/css/lucida-console.css | US | — | — | whitelisted |
— | — | GET | 301 | 188.114.96.3:80 | http://allfont.ru/allfont.css?fonts=lucida-console | US | — | — | whitelisted |
3580 | iexplore.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-dev.herokuapp.com/beetle-cab.cab | IE | compressed | 12.5 Mb | suspicious |
2096 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?46c5966c2e623678 | US | compressed | 4.70 Kb | whitelisted |
2096 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
— | — | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | binary | 1.41 Kb | whitelisted |
2096 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eab8baa27358998b | US | compressed | 4.70 Kb | whitelisted |
— | — | HEAD | 200 | 87.117.239.151:80 | http://dl.driverpack.io/updates/beetle/driverpack-wget.exe | GB | — | — | malicious |
— | — | POST | 202 | 37.9.8.75:80 | http://update.drp.su/api/events | RU | compressed | 141 b | malicious |
— | — | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | US | binary | 1.25 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 142.250.185.67:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
— | — | 87.117.235.115:80 | auth.drp.su | Iomart Cloud Services Limited | GB | suspicious |
— | — | 87.250.251.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted |
— | — | 37.9.8.75:80 | update.drp.su | OOO Network of data-centers Selectel | RU | malicious |
— | — | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | — | shared |
— | — | 87.117.239.151:80 | dl.driverpack.io | Iomart Cloud Services Limited | GB | malicious |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3580 | iexplore.exe | 46.137.15.86:80 | dwrapper-dev.herokuapp.com | AMAZON-02 | IE | suspicious |
1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dwrapper-dev.herokuapp.com |
| suspicious |
r20swj13mr.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
allfont.ru |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
auth.drp.su |
| suspicious |
mc.yandex.ru |
| whitelisted |
update.drp.su |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
— | — | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
— | — | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |