Analysis
-
max time kernel
62s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
25-07-2022 15:07
General
-
Target
55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe
-
Size
849KB
-
MD5
0f97c0600cb950fe9430023345529356
-
SHA1
0464e631d06da0bc9a18a4b1b6252c436686914a
-
SHA256
55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
-
SHA512
327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe"C:\Users\Admin\AppData\Local\Temp\55bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\folder name\file name.exe"C:\Users\Admin\Documents\folder name\file name.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\folder name\file name.exe"C:\Users\Admin\Documents\folder name\file name.exe"3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 11365⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2812 -ip 28121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\folder name\file name.exeFilesize
849KB
MD50f97c0600cb950fe9430023345529356
SHA10464e631d06da0bc9a18a4b1b6252c436686914a
SHA25655bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
SHA512327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
-
C:\Users\Admin\Documents\folder name\file name.exeFilesize
849KB
MD50f97c0600cb950fe9430023345529356
SHA10464e631d06da0bc9a18a4b1b6252c436686914a
SHA25655bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
SHA512327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
-
C:\Users\Admin\Documents\folder name\file name.exeFilesize
849KB
MD50f97c0600cb950fe9430023345529356
SHA10464e631d06da0bc9a18a4b1b6252c436686914a
SHA25655bf200391c8fba3a4b5dded96e2bde5798aa2dba263067035f2fa09ad32283f
SHA512327d97ba76ee59a3ed800fe66bc13627eab90ca5dd0fac4335251b961df38cba976ac308d0933f15bb16ec970accda46faf3687499c51c72f0d771dc421433da
-
memory/2812-147-0x0000000000000000-mapping.dmp
-
memory/2812-154-0x0000000000AF0000-0x0000000000C2D000-memory.dmpFilesize
1.2MB
-
memory/2812-153-0x0000000000AF0000-0x0000000000C2D000-memory.dmpFilesize
1.2MB
-
memory/2812-152-0x0000000000FF0000-0x0000000000FFD000-memory.dmpFilesize
52KB
-
memory/2812-151-0x0000000000AF0000-0x0000000000C2D000-memory.dmpFilesize
1.2MB
-
memory/2812-150-0x00000000003B0000-0x00000000007E3000-memory.dmpFilesize
4.2MB
-
memory/3296-143-0x0000000002260000-0x00000000022C5000-memory.dmpFilesize
404KB
-
memory/3296-145-0x0000000002610000-0x000000000261D000-memory.dmpFilesize
52KB
-
memory/3296-146-0x00000000027D0000-0x00000000027DC000-memory.dmpFilesize
48KB
-
memory/3296-142-0x0000000002260000-0x00000000022C5000-memory.dmpFilesize
404KB
-
memory/3296-148-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3296-149-0x0000000002260000-0x00000000022C5000-memory.dmpFilesize
404KB
-
memory/3296-140-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3296-139-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3296-138-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3296-136-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3296-135-0x0000000000000000-mapping.dmp
-
memory/4892-132-0x0000000000000000-mapping.dmp