Analysis

  • max time kernel
    149s
  • max time network
    200s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 18:14

General

  • Target

    aa.exe

  • Size

    3.5MB

  • MD5

    808e34a763acd79d01eeb1f54b18a551

  • SHA1

    df3f6e0f29d9d65a2afc401ab6938044f24c5506

  • SHA256

    86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

  • SHA512

    9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\aa.exe
        "C:\Users\Admin\AppData\Local\Temp\aa.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:608
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\LMPupdate\set\183.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:332
            • C:\Windows\SysWOW64\timeout.exe
              timeout 0
              5⤵
              • Delays execution with timeout.exe
              PID:568
            • C:\Windows\SysWOW64\PING.EXE
              ping dhgfg sgudy
              5⤵
              • Runs ping.exe
              PID:1104
            • C:\LMPupdate\set\unpakedree.exe
              "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
              5⤵
              • Executes dropped EXE
              PID:1872
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5
              5⤵
              • Delays execution with timeout.exe
              PID:1496
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:760
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\LMPupdate\set\48551.bat" "
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1504
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\LMPupdate\set"
                  7⤵
                  • Views/modifies file attributes
                  PID:876
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1644
                • C:\LMPupdate\set\xc829374091FD.exe
                  xc829374091FD.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1548
                  • C:\LMPupdate\set\xc829374091FD.exe
                    xc829374091FD.exe /start
                    8⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1344
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      9⤵
                      • Modifies firewall policy service
                      • Checks BIOS information in registry
                      • Loads dropped DLL
                      • Adds Run key to start application
                      • Drops desktop.ini file(s)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • NTFS ADS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2040
                      • C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe
                        /suac
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1944
                      • C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe
                        "C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:1792
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1552
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1632
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
                  7⤵
                  • Views/modifies file attributes
                  PID:568
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 4
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1648
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              5⤵
              • Delays execution with timeout.exe
              PID:1900
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1012
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:1568
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1168
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:436
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x56c
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:608

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\LMPupdate\set\183.bat

            MD5

            49d00501554543d18a49c5b93c4528f0

            SHA1

            7a73595e37fda30fb1554b9d8bfe8a855f803d0b

            SHA256

            74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735

            SHA512

            9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6

          • C:\LMPupdate\set\3980392CV.vbs

            MD5

            0c4747ed40d52d992d44951de476c21b

            SHA1

            24cc5271d1a379e0ebdd0814a1148ecd6e7c880a

            SHA256

            3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264

            SHA512

            6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1

          • C:\LMPupdate\set\435246.vbs

            MD5

            f6e0c73782e7a0768006b7be0fc4a1a1

            SHA1

            2a5dea82a47544d00bfa99563fb899a41fa7a1f7

            SHA256

            8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317

            SHA512

            89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703

          • C:\LMPupdate\set\48551.bat

            MD5

            ec8f0f76fe14a110317c3b5c71fce669

            SHA1

            d41207a90b96b124630f3f8ad7f1657cd39a4dd2

            SHA256

            1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614

            SHA512

            9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f

          • C:\LMPupdate\set\unpakedree.exe

            MD5

            397a93800d56a2308bffc872d4a08032

            SHA1

            6f5334d51195a521e8a03f0e05ac777b96c77bc4

            SHA256

            efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

            SHA512

            7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

          • C:\LMPupdate\set\x0329847998

            MD5

            a5a4cc669d306e9b25ae2202e1ccc565

            SHA1

            4e8e841ba4915641f989a061f092f95f9070d164

            SHA256

            3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705

            SHA512

            5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216

          • C:\LMPupdate\set\xc829374091FD.exe

            MD5

            a8d1d7e6c60c73faf55d64e724e97aa7

            SHA1

            9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

            SHA256

            5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

            SHA512

            237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

          • C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe

            MD5

            a8d1d7e6c60c73faf55d64e724e97aa7

            SHA1

            9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

            SHA256

            5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

            SHA512

            237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

          • C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe

            MD5

            5aad89d35ec7e782a1efc68441f98bcc

            SHA1

            1bc02754a29cf413a2a89b68f89b25df3066847e

            SHA256

            35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29

            SHA512

            25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7
