Overview

overview

10

Static

static

Documento-...in.exe

windows7_x64

10

Documento-...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-03-2021 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documento--SII--33875.bin.exe

  • Size

    833KB

  • MD5

    2ced2c14eece71c72c5e45e8a607bb4c

  • SHA1

    13a700a297a7e5697d69bb743c3b256ac10a14e2

  • SHA256

    4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e

  • SHA512

    199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06

Score
10/10
betabotbackdoorbotnetevasionpersistencespywaretrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\Documento--SII--33875.bin.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
          /suac
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:996
        • C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
          "C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.0\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
        • C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
          "C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    51a4b659b594c8c34fb19f137a25ab16

    SHA1

    8f30640240a0a924f911e1cd8e1f3dc67416c217

    SHA256

    9a60727320e185f17b79fcc7715d6f3bc8ef09812e1cd27962b8ffd867dd8f28

    SHA512

    2790a76baea9d53f2af22217200a0096b8ecd700f0fe52984af8099b3621776c2348181cc4205309c5e63bae6ad2723cfb5867938cf81d06cef9d330a8b625da

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    2d3b7c2d13e0a9248e8c991a3e2b10f1

    SHA1

    a1be75c9958f4a86914ac7d1e03c18225ff7218f

    SHA256

    629df4004840bc9857155d6346dd0dd54eb696e12643781b7860618964708877

    SHA512

    22bf007501d31d0aedceb72b9ba27e27e427bf0e364930e1127c65c5e9c252020730fe7c7d644e179737a90085e0ac68fadedd460a2500e9eae0847f5eb668b5

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
    MD5

    50803bdba827e6ae4600da26b5e81800

    SHA1

    e3650665dd57b79514d33fe8e8d8ff8429b52c55

    SHA256

    02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b

    SHA512

    c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\a995u771kkuo5.exe
    MD5

    50803bdba827e6ae4600da26b5e81800

    SHA1

    e3650665dd57b79514d33fe8e8d8ff8429b52c55

    SHA256

    02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b

    SHA512

    c641b6937d93b76e592f69b35d8e0f8236c985a56bae41b78fca29a1b6f16f2c75fb25941d6957a1e761a64d66acbdf9673cf13434d3cc6f7901904105e19c50

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
    MD5

    2ced2c14eece71c72c5e45e8a607bb4c

    SHA1

    13a700a297a7e5697d69bb743c3b256ac10a14e2

    SHA256

    4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e

    SHA512

    199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uq175yw9_1.exe
    MD5

    2ced2c14eece71c72c5e45e8a607bb4c

    SHA1

    13a700a297a7e5697d69bb743c3b256ac10a14e2

    SHA256

    4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e

    SHA512

    199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
    MD5

    08cdfd0d3a406601c42f087da16ec6c8

    SHA1

    48fd8eef568d2372e2a883283e58e5def81fef07

    SHA256

    eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253

    SHA512

    d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\yc35us719gy71.exe
    MD5

    08cdfd0d3a406601c42f087da16ec6c8

    SHA1

    48fd8eef568d2372e2a883283e58e5def81fef07

    SHA256

    eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253

    SHA512

    d522fc9c5815c93a1dc114c63db53879346e435397cad79a105a412cb18459335a1bfc3cfc9e7f6469cd703e2014538aa3c649442b80214a945e76ed50d26940

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Costura\1ACF592E7018DA88DDC32B96D203A4BE\32\sqlite3.dll
    MD5

    0a855f27a1e48991d14c593cb930d2b2

    SHA1

    01935b77a59ab90be4af37bb4e8bc57fbdcf23a1

    SHA256

    43d11ddfa64be9a2eeb94574f21fd45334e4598506f3d5ae1446c7a0add10300

    SHA512

    bfc680d50d043c438c0c4bc97f7830010bf302e9e81296c57b1a06e3e87a2000444e44fadec20ca2025260bf745629971bfca02ff59469085fc7eada7912e873

    Download Submit
  • memory/416-17-0x00000000012B0000-0x00000000012B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/416-9-0x0000000000000000-mapping.dmp
    Download
  • memory/416-11-0x00000000012C0000-0x0000000001700000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/416-13-0x0000000000A90000-0x0000000000A9D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/416-12-0x0000000000600000-0x000000000073A000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/944-34-0x000001F005990000-0x000001F005992000-memory.dmp
    Filesize

    8KB

    Download
  • memory/944-57-0x000001F005996000-0x000001F005998000-memory.dmp
    Filesize

    8KB

    Download
  • memory/944-27-0x0000000000000000-mapping.dmp
    Download
  • memory/944-64-0x000001F005998000-0x000001F005999000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-42-0x000001F005960000-0x000001F005961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/944-31-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/944-36-0x000001F005993000-0x000001F005995000-memory.dmp
    Filesize

    8KB

    Download
  • memory/996-18-0x0000000000000000-mapping.dmp
    Download
  • memory/1236-21-0x0000000000000000-mapping.dmp
    Download
  • memory/1884-47-0x0000023E1F410000-0x0000023E1F411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1884-26-0x0000000000000000-mapping.dmp
    Download
  • memory/1884-66-0x0000023E1C978000-0x0000023E1C979000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1884-30-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1884-37-0x0000023E1C970000-0x0000023E1C972000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1884-38-0x0000023E1C973000-0x0000023E1C975000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1884-55-0x0000023E1C976000-0x0000023E1C978000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2088-63-0x000001AC71D68000-0x000001AC71D69000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2088-39-0x000001AC71D60000-0x000001AC71D62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2088-32-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2088-41-0x000001AC71D63000-0x000001AC71D65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2088-28-0x0000000000000000-mapping.dmp
    Download
  • memory/2088-54-0x000001AC71D66000-0x000001AC71D68000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-40-0x0000014F648E3000-0x0000014F648E5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-58-0x0000014F648E6000-0x0000014F648E8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-29-0x0000000000000000-mapping.dmp
    Download
  • memory/2232-35-0x0000014F648E0000-0x0000014F648E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-65-0x0000014F648E8000-0x0000014F648E9000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-33-0x00007FFCF2620000-0x00007FFCF300C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/4500-53-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4500-46-0x0000000000000000-mapping.dmp
    Download
  • memory/5020-8-0x00000000027A0000-0x00000000027AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/5020-6-0x0000000000A90000-0x0000000000A9D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/5020-7-0x0000000002770000-0x0000000002771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5020-5-0x0000000002260000-0x00000000022C6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5020-4-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/5020-10-0x0000000002790000-0x0000000002791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5020-2-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/5020-3-0x00000000004015C6-mapping.dmp
    Download