Analysis
-
max time kernel
147s -
max time network
73s -
platform
windows10_x64 -
resource
win10 -
submitted
31-07-2020 11:43
General
-
Target
Customer Complaint letter NHBRC258812.PDF.exe
-
Size
329KB
-
MD5
69940b99a87df030b38ab4b04281d7ff
-
SHA1
a4cecf005b0777ed740e4dc9671e87349e3017cc
-
SHA256
9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb
-
SHA512
e43a7dedfcd91b104dcf77b45fd57e28b8dc20ce5a2ae0b094479c4651c8f60154695c13ac770e975d3cecd0d7cefd6d9237428c01cbea2ef1a85f9c29eae2dd
Score
10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Sets file execution options in registry 2 TTPs
-
Drops desktop.ini file(s) 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Checks processor information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Enumerates system info in registry
- Modifies firewall policy service
- Modifies Internet Explorer settings
- Checks processor information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Drops desktop.ini file(s)
- Checks whether UAC is enabled
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2928-0-0x0000000003599000-0x000000000359A000-memory.dmpFilesize
4KB
-
memory/2928-1-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/2928-2-0x0000000005780000-0x000000000583C000-memory.dmpFilesize
752KB
-
memory/2928-3-0x0000000005D00000-0x0000000006140000-memory.dmpFilesize
4.2MB
-
memory/4000-4-0x0000000000000000-mapping.dmp
-
memory/4000-5-0x0000000000900000-0x0000000000D40000-memory.dmpFilesize
4.2MB
-
memory/4000-6-0x0000000000900000-0x0000000000D40000-memory.dmpFilesize
4.2MB