File name: Betternet VPN For Windows 4.4.2 Premium.rar
Full analysis: https://app.any.run/tasks/cb374af3-b530-4849-8b35-a9f6f8778530
Verdict: Malicious activity
Analysis date: October 14, 2019, 01:02:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 76ABFD81718342CF14F499C17840A328
SHA1: C79FF36EFAA08C0EEE9D53377C1ED667914835FE
SHA256: 984732FBC931E19E50F7A03E43E13F6E9D979CB82182E53CEF14504FA841FD98
SSDEEP: 196608:W5LzNJ6kk8cLbFLuy95H8lAmcbsB5LMUfijJw/g+:Iz2bFLxfyo2iVw/g+
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Betternet.Premium.VPN.v4.4.2.(Preactivated).exe (PID: 3132)
      • Betternet.Premium.VPN.v4.4.2.(Preactivated).exe (PID: 836)
      • tap-windows-9.21.2.exe (PID: 3032)
      • tapinstall.exe (PID: 2876)
      • tapinstall.exe (PID: 2456)
      • ns4D6D.tmp (PID: 3804)
      • ns4984.tmp (PID: 3724)
    • Changes settings of System certificates

      • MsiExec.exe (PID: 1752)
      • tapinstall.exe (PID: 2456)
    • Loads dropped or rewritten executable

      • tap-windows-9.21.2.exe (PID: 3032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2304)
      • Betternet.Premium.VPN.v4.4.2.(Preactivated).exe (PID: 3132)
      • msiexec.exe (PID: 3860)
      • tap-windows-9.21.2.exe (PID: 3032)
      • tapinstall.exe (PID: 2456)
      • DrvInst.exe (PID: 2500)
      • DrvInst.exe (PID: 3624)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3868)
    • Starts CMD.EXE for commands execution

      • Betternet.Premium.VPN.v4.4.2.(Preactivated).exe (PID: 3132)
      • WScript.exe (PID: 1520)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2752)
    • Executes scripts

      • cmd.exe (PID: 3868)
    • Starts Microsoft Installer

      • cmd.exe (PID: 2752)
    • Starts application with an unusual extension

      • tap-windows-9.21.2.exe (PID: 3032)
    • Creates files in the program directory

      • tap-windows-9.21.2.exe (PID: 3032)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 3860)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2500)
      • DrvInst.exe (PID: 3624)
    • Executed via COM

      • DrvInst.exe (PID: 2500)
      • DrvInst.exe (PID: 3624)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2500)
      • DrvInst.exe (PID: 3624)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 2500)
      • DrvInst.exe (PID: 3624)
    • Executed as Windows Service

      • vssvc.exe (PID: 2836)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • Betternet.Premium.VPN.v4.4.2.(Preactivated).exe (PID: 3132)
      • msiexec.exe (PID: 3860)
    • Application launched itself

      • msiexec.exe (PID: 3860)
    • Creates files in the program directory

      • msiexec.exe (PID: 3860)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3860)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2836)
    • Searches for installed software

      • DrvInst.exe (PID: 2500)
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 67
Monitored processes: 25
Malicious processes: 4
Suspicious processes: 4

Behavior graph

(Interactive graph not reproduced here; process nodes shown: winrar.exe, betternet.premium.vpn.v4.4.2.(preactivated).exe, cmd.exe, reg.exe, wscript.exe, taskkill.exe, msiexec.exe, tap-windows-9.21.2.exe, ns4984.tmp, tapinstall.exe, ns4d6d.tmp, drvinst.exe, vssvc.exe.)

Process information

PID 2304
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Betternet VPN For Windows 4.4.2 Premium.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 836
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.49788\Betternet VPN For Windows 4.4.2 Premium\Betternet VPN For Windows 4.4.2 Premium\Betternet.Premium.VPN.v4.4.2.(Preactivated).exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.49788\Betternet VPN For Windows 4.4.2 Premium\Betternet VPN For Windows 4.4.2 Premium\Betternet.Premium.VPN.v4.4.2.(Preactivated).exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID 3132
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.49788\Betternet VPN For Windows 4.4.2 Premium\Betternet VPN For Windows 4.4.2 Premium\Betternet.Premium.VPN.v4.4.2.(Preactivated).exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.49788\Betternet VPN For Windows 4.4.2 Premium\Betternet VPN For Windows 4.4.2 Premium\Betternet.Premium.VPN.v4.4.2.(Preactivated).exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 3868
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Start.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: Betternet.Premium.VPN.v4.4.2.(Preactivated).exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 944
CMD: reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /V Enabled /T REG_DWORD /F /D 1
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3148
CMD: reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /V Enabled /T REG_DWORD /F /D 1
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1520
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Setup.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 2752
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Setup.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1296
CMD: taskkill /IM Betternet.exe /F
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2488
CMD: taskkill /IM BetternetUpdater.exe /F
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 3 266
Read events: 2 575
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 80
Suspicious files: 20
Text files: 149
Unknown types: 9

Dropped files

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Betternet.Windows.Services.dll (executable)
MD5: F7447E6AE2F1C3039A5DA938C9751D67
SHA256: 637B4E39641BA0FCAC7EC8F27508E0DCAFADBF9162D2BD9ED5EC5F7DBAB90B96

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Son.vbs (text)
MD5: F6A8AE7965F47BB3C8DFD6524C3EDD7E
SHA256: 2E99685DB8BEC6DB20965ECE3CEF3D5DF015AA136EE14827916781A63EE84282

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Betternet.Windows.Sdk.dll (executable)
MD5: 4F2B05A191F01BE95B899F9B83ACB9A9
SHA256: FCD3E9749C1416573FBD5B504A286C4FE44A84476D85BC15A148736F2E342D3F

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\AutoMapper.dll (executable)
MD5: D10B7FAFBC3C751835FB0AAD7A5F5FA0
SHA256: D1BAE44234C46B94B8CD35EE512577C1C04F0D79392922BB3F53A1B9FA7176C8

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Betternet.exe.config (xml)
MD5: 4464ED1586F856A16BFF1F09DB0B8078
SHA256: 5C9F58A9C2276FED13C14AA5188163556CF73F571F62305A9CC5EC2182040265

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Foundation.Common.dll (executable)
MD5: B2898278F667DBA10EC1586F060EF47E
SHA256: FD62A49A00A7BA371464A7D104DCE8B806DFC015B026A5197EE04530FCAB96E2

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\afvpn.tlb (tlb)
MD5: D15B904F28D79E9FB0AFFBB2A881E9EE
SHA256: F325884981442C6B3A59D0E68FE9F16C598C9BDB1AF0CED7515092BA75B9E2F2

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Betternet.Windows.Infrastructure.dll (executable)
MD5: EFFE963874BECB25113C3AB1C43FC0A5
SHA256: 93297290B003CCC84120850AF52757B33F69D10C3B1A4D9CF5EBF757E0A15D4A

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Foundation.Common.Rpc.dll (executable)
MD5: BF3A053B69BDCA1936720D7AA7F3AB32
SHA256: 3FD1FA75273C15FBA4619433DF2B195471AEE07E78B3C488DF1101E2ECA8069B

PID 3132 (Betternet.Premium.VPN.v4.4.2.(Preactivated).exe): C:\Users\admin\AppData\Local\Temp\Betternet\ProgramFilesFolder\Betternet\4.4.2\Foundation.Vpn.dll (executable)
MD5: DB556ECA7EB4171F79B77A5E3D699F01
SHA256: 8140C302DA9FBE9C4366509AFE82FD39842A5F389C3FBD3D239DE9DCC7831622
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info