Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
08-10-2020 12:43
General
-
Target
file.exe
-
Size
308KB
-
MD5
0d60363ed96a464ff943f7a5f8f4f1a9
-
SHA1
bf4e27ea98da9d4ee85f248e8c19e892dbcd964b
-
SHA256
a606cc038ea51f1a3093199c2faaa5181ea983e7da03ad72287d4ff968c9c766
-
SHA512
55ae2bbb7a95f0675783a3b39ee46f5a5a5f4464482f3edda091b77617334f4177c78e8af181f3d4f6b52cc6badfd514e754fb2c0ab06a502754c1a7d453d130
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1120-4-0x0000000000000000-mapping.dmp
-
memory/1120-5-0x0000000000AE0000-0x0000000000F20000-memory.dmpFilesize
4.2MB
-
memory/1120-6-0x0000000000AE0000-0x0000000000F20000-memory.dmpFilesize
4.2MB
-
memory/2808-0-0x00000000009B6000-0x00000000009B7000-memory.dmpFilesize
4KB
-
memory/2808-1-0x00000000025F0000-0x00000000025F1000-memory.dmpFilesize
4KB
-
memory/2808-2-0x0000000002B80000-0x0000000002C37000-memory.dmpFilesize
732KB
-
memory/2808-3-0x0000000002FD0000-0x0000000003410000-memory.dmpFilesize
4.2MB