Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
31-08-2020 09:48
General
-
Target
de.exe
-
Size
300KB
-
MD5
ae4f045f4a0b66fbf927f230e98a3648
-
SHA1
014ccaa6cd43ebf06f2fd4387f2ae6d899e2c6a0
-
SHA256
4a87068b0ac096d9472fa021fd6bdfcf7d218ae8716fabc2c027ebd595a2381f
-
SHA512
9fd676fb69426ea72a83d98b5aca2080fc273140fe3ab1cff65262529496637791a695c4d61baaa203fe831a0598586e039bfe079beae209d09d98fa9588e874
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\de.exe"C:\Users\Admin\AppData\Local\Temp\de.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-0-0x0000000005F36000-0x0000000005F37000-memory.dmpFilesize
4KB
-
memory/60-1-0x0000000007B60000-0x0000000007B61000-memory.dmpFilesize
4KB
-
memory/60-2-0x00000000081C0000-0x0000000008275000-memory.dmpFilesize
724KB
-
memory/60-3-0x0000000008710000-0x0000000008B50000-memory.dmpFilesize
4.2MB
-
memory/3372-4-0x0000000000000000-mapping.dmp
-
memory/3372-5-0x0000000000C70000-0x00000000010B0000-memory.dmpFilesize
4.2MB
-
memory/3372-6-0x0000000000C70000-0x00000000010B0000-memory.dmpFilesize
4.2MB