Analysis

  • max time kernel
    150s
  • max time network
    165s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-06-2021 18:14

General

  • Target

    aa.exe

  • Size

    3.5MB

  • MD5

    808e34a763acd79d01eeb1f54b18a551

  • SHA1

    df3f6e0f29d9d65a2afc401ab6938044f24c5506

  • SHA256

    86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

  • SHA512

    9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes so the file is not shown in Explorer and similar file browsers.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa.exe
    "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\183.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\timeout.exe
          timeout 0
          4⤵
          • Delays execution with timeout.exe
          PID:208
        • C:\Windows\SysWOW64\PING.EXE
          ping dhgfg sgudy
          4⤵
          • Runs ping.exe
          PID:2816
        • C:\LMPupdate\set\unpakedree.exe
          "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
          4⤵
          • Executes dropped EXE
          PID:3144
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:1248
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\48551.bat" "
            5⤵
            • Checks whether UAC is enabled
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\LMPupdate\set"
              6⤵
              • Views/modifies file attributes
              PID:2484
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:2828
            • C:\LMPupdate\set\xc829374091FD.exe
              xc829374091FD.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\LMPupdate\set\xc829374091FD.exe
                xc829374091FD.exe /start
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:188
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  8⤵
                  • Modifies firewall policy service
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies Internet Explorer Protected Mode
                  • Modifies Internet Explorer Protected Mode Banner
                  • Modifies Internet Explorer settings
                  • NTFS ADS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1548
                  • C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe
                    /suac
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:1772
                  • C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe
                    "C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:3512
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im unpakedree.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1920
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im unpakedree.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1468
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
              6⤵
              • Views/modifies file attributes
              PID:2088
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:1828
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:2288
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    PID:3540
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.0.1627484503\360541948" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 1608 gpu
        3⤵
        PID:2564
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.3.1471842186\1553374617" -childID 1 -isForBrowser -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 2236 tab
        3⤵
        PID:2528
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.13.825623938\2053762801" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 3428 tab
        3⤵
        PID:2940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.20.214192916\1808397449" -childID 3 -isForBrowser -prefsHandle 4352 -prefMapHandle 3948 -prefsLen 7941 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4368 tab
        3⤵
        PID:4236
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4828

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\LMPupdate\set\183.bat

    MD5

    49d00501554543d18a49c5b93c4528f0

    SHA1

    7a73595e37fda30fb1554b9d8bfe8a855f803d0b

    SHA256

    74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735

    SHA512

    9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6

  • C:\LMPupdate\set\3980392CV.vbs

    MD5

    0c4747ed40d52d992d44951de476c21b

    SHA1

    24cc5271d1a379e0ebdd0814a1148ecd6e7c880a

    SHA256

    3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264

    SHA512

    6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1

  • C:\LMPupdate\set\435246.vbs

    MD5

    f6e0c73782e7a0768006b7be0fc4a1a1

    SHA1

    2a5dea82a47544d00bfa99563fb899a41fa7a1f7

    SHA256

    8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317

    SHA512

    89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703

  • C:\LMPupdate\set\48551.bat

    MD5

    ec8f0f76fe14a110317c3b5c71fce669

    SHA1

    d41207a90b96b124630f3f8ad7f1657cd39a4dd2

    SHA256

    1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614

    SHA512

    9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f

  • C:\LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\LMPupdate\set\x0329847998

    MD5

    a5a4cc669d306e9b25ae2202e1ccc565

    SHA1

    4e8e841ba4915641f989a061f092f95f9070d164

    SHA256

    3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705

    SHA512

    5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe

    MD5

    5aad89d35ec7e782a1efc68441f98bcc

    SHA1

    1bc02754a29cf413a2a89b68f89b25df3066847e

    SHA256

    35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29

    SHA512

    25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7

  • memory/188-142-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

  • memory/188-139-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/188-143-0x0000000002660000-0x000000000266C000-memory.dmp

    Filesize

    48KB

  • memory/188-141-0x00000000004C0000-0x000000000056E000-memory.dmp

    Filesize

    696KB

  • memory/188-140-0x00000000007A0000-0x0000000000806000-memory.dmp

    Filesize

    408KB

  • memory/188-135-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/188-136-0x00000000004015C6-mapping.dmp

  • memory/208-120-0x0000000000000000-mapping.dmp

  • memory/1248-124-0x0000000000000000-mapping.dmp

  • memory/1468-144-0x0000000000000000-mapping.dmp

  • memory/1548-151-0x0000000002E50000-0x0000000002E5D000-memory.dmp

    Filesize

    52KB

  • memory/1548-157-0x0000000004BF0000-0x0000000004D7E000-memory.dmp

    Filesize

    1.6MB

  • memory/1548-150-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

    Filesize

    4KB

  • memory/1548-149-0x0000000003200000-0x000000000333E000-memory.dmp

    Filesize

    1.2MB

  • memory/1548-148-0x00000000002D0000-0x000000000070F000-memory.dmp

    Filesize

    4.2MB

  • memory/1548-147-0x0000000000000000-mapping.dmp

  • memory/1772-158-0x0000000000000000-mapping.dmp

  • memory/1828-146-0x0000000000000000-mapping.dmp

  • memory/1856-172-0x0000000000000000-mapping.dmp

  • memory/1920-138-0x0000000000000000-mapping.dmp

  • memory/2088-145-0x0000000000000000-mapping.dmp

  • memory/2144-126-0x0000000000000000-mapping.dmp

  • memory/2288-127-0x0000000000000000-mapping.dmp

  • memory/2484-130-0x0000000000000000-mapping.dmp

  • memory/2528-179-0x0000000000000000-mapping.dmp

  • memory/2564-174-0x0000000000000000-mapping.dmp

  • memory/2792-132-0x0000000000000000-mapping.dmp

  • memory/2804-115-0x0000000000000000-mapping.dmp

  • memory/2816-121-0x0000000000000000-mapping.dmp

  • memory/2828-131-0x0000000000000000-mapping.dmp

  • memory/2940-182-0x0000000000000000-mapping.dmp

  • memory/3144-122-0x0000000000000000-mapping.dmp

  • memory/3436-118-0x0000000000000000-mapping.dmp

  • memory/3512-164-0x0000000000540000-0x0000000000541000-memory.dmp

    Filesize

    4KB

  • memory/3512-166-0x000000001B190000-0x000000001B192000-memory.dmp

    Filesize

    8KB

  • memory/3512-168-0x000000001B194000-0x000000001B195000-memory.dmp

    Filesize

    4KB

  • memory/3512-167-0x000000001B192000-0x000000001B194000-memory.dmp

    Filesize

    8KB

  • memory/3512-169-0x000000001B195000-0x000000001B197000-memory.dmp

    Filesize

    8KB

  • memory/3512-170-0x000000001B197000-0x000000001B199000-memory.dmp

    Filesize

    8KB

  • memory/3512-171-0x000000001B199000-0x000000001B19F000-memory.dmp

    Filesize

    24KB

  • memory/3512-161-0x0000000000000000-mapping.dmp

  • memory/3540-114-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

  • memory/3872-129-0x0000000000000000-mapping.dmp

  • memory/3872-156-0x0000000003130000-0x000000000326E000-memory.dmp

    Filesize

    1.2MB

  • memory/4236-184-0x0000000000000000-mapping.dmp