Analysis
-
max time kernel
151s -
max time network
59s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
04-09-2020 05:25
General
-
Target
KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx
-
Size
727KB
-
MD5
8bb4b1de922189a0ead4d3d53f90dee2
-
SHA1
f9f8e5cce299de26c7c4597466283de3fca99052
-
SHA256
3b20874d61fc9dccaf568e149987fa2d6b856b91822237394e778dd4ef989620
-
SHA512
7daf835a914b78e5849e1ea82c9ae94df2a6b75e2aebabd6031bfb0b7db577bc4c5f7bc8c7f9f5be5fd37c71d252c643b19f0a167a190ed2be8b6e561677ff98
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Blacklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
NSIS installer 10 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 280 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 83 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\KAAS GROUP CO LLC PROJECT - REQUIREMENTS QUANTITY.xlsx"2⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vbc.exe"C:\Users\Admin\AppData\Roaming\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe ShoonCataclysm,Uboats3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Bonehead
-
C:\Users\Admin\AppData\Local\Temp\ShoonCataclysm.DLL
-
C:\Users\Admin\AppData\Roaming\vbc.exe
-
C:\Users\Admin\AppData\Roaming\vbc.exe
-
\Users\Admin\AppData\Local\Temp\ShoonCataclysm.dll
-
\Users\Admin\AppData\Roaming\vbc.exe
-
\Users\Admin\AppData\Roaming\vbc.exe
-
\Users\Admin\AppData\Roaming\vbc.exe
-
memory/268-4-0x0000000000000000-mapping.dmp
-
memory/928-7-0x0000000000000000-mapping.dmp
-
memory/928-14-0x0000000000350000-0x0000000000385000-memory.dmpFilesize
212KB
-
memory/1432-19-0x0000000000000000-mapping.dmp
-
memory/1432-20-0x00000000750C0000-0x00000000750FC000-memory.dmpFilesize
240KB
-
memory/1432-21-0x0000000075320000-0x0000000075327000-memory.dmpFilesize
28KB
-
memory/1432-22-0x0000000074890000-0x00000000748AC000-memory.dmpFilesize
112KB
-
memory/1452-10-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/1452-8-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/1596-0-0x000007FEF8670000-0x000007FEF88EA000-memory.dmpFilesize
2.5MB
-
memory/2040-15-0x0000000000000000-mapping.dmp
-
memory/2040-16-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2040-17-0x0000000002080000-0x0000000002133000-memory.dmpFilesize
716KB
-
memory/2040-18-0x0000000002CA0000-0x0000000002E21000-memory.dmpFilesize
1.5MB