Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-03-2021 15:28

General

  • Target

    6A1B1BD71C348B1701B67555A2AC314D.exe

  • Size

    829KB

  • MD5

    6a1b1bd71c348b1701b67555a2ac314d

  • SHA1

    cb6241cc299e72b22035b3a2d15063e93622c409

  • SHA256

    4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1

  • SHA512

    315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe
    "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe
      "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe
          /suac
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:2120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe

    MD5

    6a1b1bd71c348b1701b67555a2ac314d

    SHA1

    cb6241cc299e72b22035b3a2d15063e93622c409

    SHA256

    4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1

    SHA512

    315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022

  • C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe

    MD5

    6a1b1bd71c348b1701b67555a2ac314d

    SHA1

    cb6241cc299e72b22035b3a2d15063e93622c409

    SHA256

    4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1

    SHA512

    315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022

  • memory/1280-9-0x0000000000000000-mapping.dmp

  • memory/1280-17-0x0000000005250000-0x0000000005252000-memory.dmp

    Filesize

    8KB

  • memory/1280-11-0x0000000003000000-0x0000000003139000-memory.dmp

    Filesize

    1.2MB

  • memory/1280-10-0x00000000008C0000-0x0000000000D00000-memory.dmp

    Filesize

    4.2MB

  • memory/2120-18-0x0000000000000000-mapping.dmp

  • memory/3960-6-0x0000000000580000-0x000000000058D000-memory.dmp

    Filesize

    52KB

  • memory/3960-8-0x00000000009B0000-0x00000000009BC000-memory.dmp

    Filesize

    48KB

  • memory/3960-7-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

  • memory/3960-13-0x00000000009A0000-0x00000000009A1000-memory.dmp

    Filesize

    4KB

  • memory/3960-5-0x00000000006E0000-0x0000000000746000-memory.dmp

    Filesize

    408KB

  • memory/3960-2-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/3960-4-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/3960-3-0x00000000004015C6-mapping.dmp