Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
13-10-2020 10:36
General
-
Target
Completed Finance Application and Required Documents.DOC.exe
-
Size
299KB
-
MD5
9e6a523473b8b248169a7c012df77e71
-
SHA1
077d03bbe5c57015103583eb9a6dd3afbc8e45a9
-
SHA256
aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
-
SHA512
3772fd8794801af0851c56bdbd3c6174aec3cd719e0a4bd2957bc38f4baaec80e8fee55e654856eed8c5962d8f4f66b01e380ae57bd8b801fabbe69a352610c6
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe"C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/408-1-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/408-2-0x0000000005670000-0x0000000005724000-memory.dmpFilesize
720KB
-
memory/408-3-0x0000000005C50000-0x0000000006090000-memory.dmpFilesize
4.2MB
-
memory/3492-4-0x0000000000000000-mapping.dmp
-
memory/3492-5-0x0000000000170000-0x00000000005B0000-memory.dmpFilesize
4.2MB
-
memory/3492-6-0x0000000000170000-0x00000000005B0000-memory.dmpFilesize
4.2MB