betabot | 48ee79a7379d43d060969a9909836f4b3236c55ec551d1b33dd97c1c35f57a59

General

Target

G-00923 SCHEMATIC DRAWING.exe
Size

394KB
MD5

b11bd28d54e471b569bf6a7c3667314b
SHA1

86a1f4a6dacfb53c209ec2c083b78927b9817386
SHA256

48ee79a7379d43d060969a9909836f4b3236c55ec551d1b33dd97c1c35f57a59
SHA512

9b4bae35e16a4effe56592d00d8633ee456a48164787440e71fd9da8bb973f2389b1e328cf3370012bba361fdb8977f1edf23056425b197126b4c96667683f35

Score

10^/10

evasion trojan backdoor botnet betabot persistence

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Loads dropped DLL 2 IoCs

Processes:

G-00923 SCHEMATIC DRAWING.exerundll32.exe

pid process

3888 G-00923 SCHEMATIC DRAWING.exe
2060 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

pid	process
3888	G-00923 SCHEMATIC DRAWING.exe
2060	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Chrome Updater = "\"C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chrome Updater = "C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater = "\"C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Chrome Updater\desktop.ini explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

description	ioc	process
File opened for modification	C:\ProgramData\Chrome Updater\desktop.ini	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

cmd.exeexplorer.exe

pid	process
2216	cmd.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
2060	rundll32.exe
2060	rundll32.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

rundll32.execmd.exe

pid process

2060 rundll32.exe
2060 rundll32.exe
2216 cmd.exe
2216 cmd.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2216	cmd.exe
Token: SeRestorePrivilege	2216	cmd.exe
Token: SeBackupPrivilege	2216	cmd.exe
Token: SeLoadDriverPrivilege	2216	cmd.exe
Token: SeCreatePagefilePrivilege	2216	cmd.exe
Token: SeShutdownPrivilege	2216	cmd.exe
Token: SeTakeOwnershipPrivilege	2216	cmd.exe
Token: SeChangeNotifyPrivilege	2216	cmd.exe
Token: SeCreateTokenPrivilege	2216	cmd.exe
Token: SeMachineAccountPrivilege	2216	cmd.exe
Token: SeSecurityPrivilege	2216	cmd.exe
Token: SeAssignPrimaryTokenPrivilege	2216	cmd.exe
Token: SeCreateGlobalPrivilege	2216	cmd.exe
Token: 33	2216	cmd.exe
Token: SeDebugPrivilege	2420	explorer.exe
Token: SeRestorePrivilege	2420	explorer.exe
Token: SeBackupPrivilege	2420	explorer.exe
Token: SeLoadDriverPrivilege	2420	explorer.exe
Token: SeCreatePagefilePrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeTakeOwnershipPrivilege	2420	explorer.exe
Token: SeChangeNotifyPrivilege	2420	explorer.exe
Token: SeCreateTokenPrivilege	2420	explorer.exe
Token: SeMachineAccountPrivilege	2420	explorer.exe
Token: SeSecurityPrivilege	2420	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2420	explorer.exe
Token: SeCreateGlobalPrivilege	2420	explorer.exe
Token: 33	2420	explorer.exe

Suspicious use of WriteProcessMemory 90 IoCs

Processes:

G-00923 SCHEMATIC DRAWING.exerundll32.exe

description	pid	process	target process
PID 3888 wrote to memory of 2060	3888	G-00923 SCHEMATIC DRAWING.exe	rundll32.exe
PID 3888 wrote to memory of 2060	3888	G-00923 SCHEMATIC DRAWING.exe	rundll32.exe
PID 3888 wrote to memory of 2060	3888	G-00923 SCHEMATIC DRAWING.exe	rundll32.exe
PID 2060 wrote to memory of 2144	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2144	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2144	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2144	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe
PID 2060 wrote to memory of 2216	2060	rundll32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\G-00923 SCHEMATIC DRAWING.exe
"C:\Users\Admin\AppData\Local\Temp\G-00923 SCHEMATIC DRAWING.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe WestDermatology,Expectorator
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Titian
MD5
0ac4fbc114e6d5d2920a813ddf0e8451

SHA1
748078c6fd488f9f1c43e5e061232bafe38d8666

SHA256
45831116f86f06b431e8489239d221df2b9c54957da1284035632eaf3082954a

SHA512
083b6af275fb713b5b3df10f70824d28645bc25781d8223e3ee7ecf25ef5012a57252128772cc7b43bf100fa0f3ba736c53df4d0c170793667c94da73a8d4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WestDermatology.DLL
MD5
1956599b160db4aaed23805288bfda5e

SHA1
0c18b70736b0a0dfcce6e15a5c96cd901e49a650

SHA256
ac9e878bb0ae58e4930dd2ea7ad90b4db249e17d1ff3720138ff6dbe79b4b0ee

SHA512
7aa7fae37db2e56566ce4101c7312b8ea6870e9637dd5720fc398e8187a9031689035e7bb803af550848be4a3f913ae65f456f6958e48a5b360e367a68e0b6da

Download Submit
\Users\Admin\AppData\Local\Temp\WestDermatology.dll
MD5
1956599b160db4aaed23805288bfda5e

SHA1
0c18b70736b0a0dfcce6e15a5c96cd901e49a650

SHA256
ac9e878bb0ae58e4930dd2ea7ad90b4db249e17d1ff3720138ff6dbe79b4b0ee

SHA512
7aa7fae37db2e56566ce4101c7312b8ea6870e9637dd5720fc398e8187a9031689035e7bb803af550848be4a3f913ae65f456f6958e48a5b360e367a68e0b6da

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4D6C.tmp\UserInfo.dll
MD5
e167f9a565781a30c03ff10370033319

SHA1
1858758b076946073de375c6eb1bec9867aa3689

SHA256
a912514823df595ba3a048099d3b89e925a4d41742afc67e772060952892f312

SHA512
96d8f5ac8e2c0961ba71075de52d12515e7a058cddf3fa1ec14e77545b0b5f4e29324a13e2eb287a447f1d24dc9f09e0a70b0a25401b0ef8d90e6e4a96ce6c61

Download Submit
memory/2060-1-0x0000000000000000-mapping.dmp

Download
memory/2060-5-0x0000000005370000-0x00000000053A5000-memory.dmp

Filesize
212KB

Download
memory/2216-6-0x0000000000000000-mapping.dmp

Download
memory/2216-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-8-0x0000000004F80000-0x0000000005022000-memory.dmp

Filesize
648KB

Download
memory/2216-9-0x00000000053D0000-0x0000000005810000-memory.dmp

Filesize
4.2MB

Download
memory/2420-10-0x0000000000000000-mapping.dmp

Download
memory/2420-11-0x0000000001300000-0x0000000001740000-memory.dmp

Filesize
4.2MB

Download
memory/2420-12-0x0000000001300000-0x0000000001740000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads