Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7 -
submitted
31-08-2020 09:48
General
-
Target
de.exe
-
Size
300KB
-
MD5
ae4f045f4a0b66fbf927f230e98a3648
-
SHA1
014ccaa6cd43ebf06f2fd4387f2ae6d899e2c6a0
-
SHA256
4a87068b0ac096d9472fa021fd6bdfcf7d218ae8716fabc2c027ebd595a2381f
-
SHA512
9fd676fb69426ea72a83d98b5aca2080fc273140fe3ab1cff65262529496637791a695c4d61baaa203fe831a0598586e039bfe079beae209d09d98fa9588e874
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\de.exe"C:\Users\Admin\AppData\Local\Temp\de.exe"2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/616-0-0x00000000061CB000-0x00000000061CC000-memory.dmpFilesize
4KB
-
memory/616-1-0x00000000078A0000-0x00000000078B1000-memory.dmpFilesize
68KB
-
memory/616-2-0x0000000007EF0000-0x0000000007FA5000-memory.dmpFilesize
724KB
-
memory/616-3-0x00000000082B0000-0x0000000008431000-memory.dmpFilesize
1.5MB
-
memory/1636-4-0x0000000000000000-mapping.dmp
-
memory/1976-5-0x000007FEF70B0000-0x000007FEF732A000-memory.dmpFilesize
2.5MB