Overview

overview

10

Static

static

9

9E4037F440...9E.exe

windows7_x64

10

9E4037F440...9E.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    05-12-2021 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe

  • Size

    632KB

  • MD5

    fbff18a879c2a26601e5d4f366640ede

  • SHA1

    ef666c7d7ec1667b668ebf1c7e38876382da2fd0

  • SHA256

    9e4037f440474202a6ddd5194a9dca8dbc2b9f51e399ec42a465ba98c7920912

  • SHA512

    754cadb13884a49435bb01c32f4d30ee4ad595313a2c17efa1fc27094fe4f96cf9b46a8a3135de4d27ca9bc8d17044a99e79db7e0f963aaa76773fc0835bdd8f

Score
10/10
betabotbackdoorbotnetcryptoneevasionpackerpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Disables taskbar notifications via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs
    persistence
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • NTFS ADS 2 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe
        "C:\Users\Admin\AppData\Local\Temp\9E4037F440474202A6DDD5194A9DCA8DBC2B9F51E399E.exe"
        2⤵
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Modifies firewall policy service
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1100
          • C:\Users\Admin\AppData\Local\Temp\kcseyuq5c_1.exe
            /suac
            4⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Checks for any installed AV software in registry
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Checks processor information in registry
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:976
            • C:\Windows\SysWOW64\regedit.exe
              "C:\Windows\SysWOW64\regedit.exe"
              5⤵
              • Modifies security service
              • Adds Run key to start application
              • Modifies Internet Explorer settings
              • Runs regedit.exe
              • Suspicious use of AdjustPrivilegeToken
              PID:928
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      2
      T1031

      Registry Run Keys / Startup Folder

      3
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      8
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Security Software Discovery

      1
      T1063

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      1
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kcseyuq5c_1.exe
        MD5

        fbff18a879c2a26601e5d4f366640ede

        SHA1

        ef666c7d7ec1667b668ebf1c7e38876382da2fd0

        SHA256

        9e4037f440474202a6ddd5194a9dca8dbc2b9f51e399ec42a465ba98c7920912

        SHA512

        754cadb13884a49435bb01c32f4d30ee4ad595313a2c17efa1fc27094fe4f96cf9b46a8a3135de4d27ca9bc8d17044a99e79db7e0f963aaa76773fc0835bdd8f

        Download Submit
      • \Users\Admin\AppData\Local\Temp\kcseyuq5c_1.exe
        MD5

        fbff18a879c2a26601e5d4f366640ede

        SHA1

        ef666c7d7ec1667b668ebf1c7e38876382da2fd0

        SHA256

        9e4037f440474202a6ddd5194a9dca8dbc2b9f51e399ec42a465ba98c7920912

        SHA512

        754cadb13884a49435bb01c32f4d30ee4ad595313a2c17efa1fc27094fe4f96cf9b46a8a3135de4d27ca9bc8d17044a99e79db7e0f963aaa76773fc0835bdd8f

        Download Submit
      • memory/928-90-0x0000000000090000-0x000000000009B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/928-89-0x0000000000A00000-0x0000000000A65000-memory.dmp
        Filesize

        404KB

        Download
      • memory/928-87-0x0000000000000000-mapping.dmp
        Download
      • memory/976-81-0x0000000002320000-0x0000000002386000-memory.dmp
        Filesize

        408KB

        Download
      • memory/976-86-0x0000000002B20000-0x0000000002B2C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/976-85-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/976-83-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/976-84-0x0000000002320000-0x0000000002386000-memory.dmp
        Filesize

        408KB

        Download
      • memory/976-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1100-68-0x0000000077120000-0x00000000772A0000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1100-69-0x0000000000160000-0x0000000000268000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1100-71-0x0000000000300000-0x000000000030D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1100-70-0x0000000000110000-0x0000000000111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1100-73-0x0000000000530000-0x000000000053C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1100-74-0x0000000000570000-0x0000000000572000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1100-67-0x0000000074661000-0x0000000074663000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1100-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1192-75-0x0000000002A20000-0x0000000002A26000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1648-62-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1648-72-0x0000000002B00000-0x0000000002B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1648-55-0x0000000075491000-0x0000000075493000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1648-64-0x0000000002B10000-0x0000000002B1C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1648-63-0x00000000023D0000-0x00000000023D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1648-61-0x0000000002270000-0x00000000022D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1648-60-0x0000000000400000-0x00000000004A1000-memory.dmp
        Filesize

        644KB

        Download
      • memory/1648-58-0x0000000002270000-0x00000000022D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1648-56-0x00000000020F0000-0x0000000002123000-memory.dmp
        Filesize

        204KB

        Download