Malware Analysis Report

2024-11-30 20:02

Sample ID 211114-zkwnpsghb2
Target 1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
SHA256 1b2c4ed9193792bfe48a5722705085e2afa7c14fd19512cb280e9750924852b4
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b2c4ed9193792bfe48a5722705085e2afa7c14fd19512cb280e9750924852b4

Threat Level: Known bad

The file 1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe was found to be: Known bad.

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

Modifies firewall policy service

BetaBot

Sets file execution options in registry

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Checks processor information in registry

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies Internet Explorer Protected Mode

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Protected Mode Banner

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-14 20:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-14 20:47

Reported

2021-11-14 20:49

Platform

win7-en-20211104

Max time kernel

150s

Max time network

145s

Command Line

C:\Windows\Explorer.EXE

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Sets file execution options in registry

persistence

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Networking Services = "C:\\ProgramData\\Networking Services\\3c1ia5wqm.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Networking Services = "\"C:\\ProgramData\\Networking Services\\3c1ia5wqm.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1592 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1796 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1168 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\Dwm.exe
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 1192 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe
PID 1520 wrote to memory of 2028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe

"C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\f6t7gy8uio" /XML "C:\Users\Admin\AppData\Local\Temp\z591"

C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe

"C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
SG 104.215.148.63:80 microsoft.com tcp
US 8.8.8.8:53 vietnameseoverflow.us udp
US 8.8.8.8:53 faded.website udp
US 8.8.8.8:53 faded.website udp
US 172.67.201.53:80 faded.website tcp
US 172.67.201.53:443 faded.website tcp
US 8.8.8.8:53 faded.website udp
US 172.67.201.53:80 faded.website tcp
US 172.67.201.53:443 faded.website tcp

Files

C:\Users\Admin\AppData\Local\Temp\z591

MD5 7e18f249af8861cde10c05443bb58549
SHA1 cfbd192def7dbf64b010abd8480317215c1f4461
SHA256 e98cdd2a43c7f27d78ae75050e6f353bf7c1af816ed10255b2c77289ec07a060
SHA512 9d304649ddf887b60462cd85560b6a564c019700d52c617f043f907da68091b84c7e7f18dc523b2e612a85dd2a7af28e3da5fd631668fdd622f3145229e66386

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-14 20:47

Reported

2021-11-14 20:49

Platform

win10-en-20211104

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\SysWOW64\explorer.exe N/A

Sets file execution options in registry

persistence

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Networking Services = "\"C:\\ProgramData\\Networking Services\\y1ko71ee.exe\"" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Networking Services = "C:\\ProgramData\\Networking Services\\y1ko71ee.exe" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\schtasks.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 2596 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe
PID 496 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 496 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe
PID 496 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe

"C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\f6t7gy8uio" /XML "C:\Users\Admin\AppData\Local\Temp\z505"

C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe

"C:\Users\Admin\AppData\Local\Temp\1B2C4ED9193792BFE48A5722705085E2AFA7C14FD1951.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
US 8.8.8.8:53 microsoft.com udp
SG 104.215.148.63:80 microsoft.com tcp
US 8.8.8.8:53 vietnameseoverflow.us udp
US 8.8.8.8:53 faded.website udp
US 8.8.8.8:53 faded.website udp
US 104.21.85.23:80 faded.website tcp
US 104.21.85.23:443 faded.website tcp
US 104.21.85.23:80 faded.website tcp
US 104.21.85.23:443 faded.website tcp

Files

C:\Users\Admin\AppData\Local\Temp\z505

MD5 127800071c1828ae18bdbb8eabbbd394
SHA1 b6cc0b1cc3ddb564dfd7d30f3fba327228255a93
SHA256 a7e099df5d8e8fa9de850acc1558c99fe6ff0451c982a2e9c6c6573f27992ab7
SHA512 68b3cc7b797d662ae442463523443610376614c3eb6969a83103473e83cf74e2188844fc2603c0b6376345f1afcad39f3778dc7e996095d3a0ffa4348c497d69