Overview

overview

10

Static

static

458412e9c3...3a.exe

windows7_x64

10

458412e9c3...3a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe

  • Size

    676KB

  • MD5

    8d2bedd39ea94e7fc099b5bf489eb37a

  • SHA1

    fa80956af1e01ef7c0ab1bd984a3da58af64b8a8

  • SHA256

    458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a

  • SHA512

    c9cc02ef277910b51b36505a47d93feeac8d5fbb31c766df547a460c120e0d88863d28a134a423540f96e41066f8f8558b5b2401163c272db892709c8951202a

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe
    "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Users\Admin\AppData\Local\Temp\my_pc.exe
      "C:\Users\Admin\AppData\Local\Temp\my_pc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Users\Admin\AppData\Local\Temp\my_pc.exe
        "C:\Users\Admin\AppData\Local\Temp\my_pc.exe"
        3⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies firewall policy service
          • Sets file execution options in registry
          • Checks BIOS information in registry
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\458412e9c3954cb35d433c1347dd2349f823f6b92e0f63b19407527c81c5173a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 100
        3⤵
        • Runs ping.exe
        PID:3432
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 900
        3⤵
        • Runs ping.exe
        PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\my_pc.exe
    Filesize

    429KB

    MD5

    e00e9b1d21625f31c4fb4daaf03fdea7

    SHA1

    750217a7a0c887bdec4b674d74d1509cb156aa2f

    SHA256

    de1d6d75c83bb57e59dbd2100492887c04cfbe80ecf25630b78591d4a5c12708

    SHA512

    acac51d87f55562e11f735c722235cc1acb01bfc144c9900c5b38a875ef0f262892afdf1dd4b439fdcb3af583e31ab75267ff9c307f44acbf4dbe2fafa443e57

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\my_pc.exe
    Filesize

    429KB

    MD5

    e00e9b1d21625f31c4fb4daaf03fdea7

    SHA1

    750217a7a0c887bdec4b674d74d1509cb156aa2f

    SHA256

    de1d6d75c83bb57e59dbd2100492887c04cfbe80ecf25630b78591d4a5c12708

    SHA512

    acac51d87f55562e11f735c722235cc1acb01bfc144c9900c5b38a875ef0f262892afdf1dd4b439fdcb3af583e31ab75267ff9c307f44acbf4dbe2fafa443e57

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\my_pc.exe
    Filesize

    429KB

    MD5

    e00e9b1d21625f31c4fb4daaf03fdea7

    SHA1

    750217a7a0c887bdec4b674d74d1509cb156aa2f

    SHA256

    de1d6d75c83bb57e59dbd2100492887c04cfbe80ecf25630b78591d4a5c12708

    SHA512

    acac51d87f55562e11f735c722235cc1acb01bfc144c9900c5b38a875ef0f262892afdf1dd4b439fdcb3af583e31ab75267ff9c307f44acbf4dbe2fafa443e57

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nszEC99.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    Download Submit
  • memory/2168-155-0x0000000000800000-0x00000000008D5000-memory.dmp
    Filesize

    852KB

    Download
  • memory/2168-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2168-153-0x0000000000800000-0x00000000008D5000-memory.dmp
    Filesize

    852KB

    Download
  • memory/2168-154-0x0000000000800000-0x00000000008D5000-memory.dmp
    Filesize

    852KB

    Download
  • memory/2168-152-0x0000000000060000-0x0000000000493000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/3000-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3232-130-0x0000000004B70000-0x0000000005114000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3428-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3432-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4196-138-0x00000000022F0000-0x0000000002327000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4196-141-0x00000000022F0000-0x0000000002327000-memory.dmp
    Filesize

    220KB

    Download
  • memory/4196-131-0x0000000000000000-mapping.dmp
    Download
  • memory/4468-142-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4468-148-0x0000000000830000-0x000000000083D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/4468-149-0x00000000026A0000-0x00000000026AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4468-150-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4468-151-0x00000000007C0000-0x0000000000826000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4468-147-0x00000000007C0000-0x0000000000826000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4468-144-0x00000000007C0000-0x0000000000826000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4468-143-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

    Download
  • memory/4468-139-0x0000000000000000-mapping.dmp
    Download