Overview

overview

10

Static

static

5e37c410d8...ea.exe

windows7-x64

10

5e37c410d8...ea.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe

  • Size

    497KB

  • MD5

    35cd90f09615b805acefdef9836c983f

  • SHA1

    2bb416ff8d866587504d22c5e3c74a5fc7afef1c

  • SHA256

    5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea

  • SHA512

    a22728338da17ea992a3b16f8303768e53600c8af7194cf9ea15b5c4303d716be4beec6d7e44084b9b5fcada5992de49ddec7965666403939d03c74f0c8140e6

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe
        "C:\Users\Admin\AppData\Local\Temp\5e37c410d8a3c7888cf430a1d5fd4605e43ee889493b4687fff193cac1e5a9ea.exe"
        2⤵
        • Sets file execution options in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Modifies firewall policy service
          • Sets file execution options in registry
          • Checks BIOS information in registry
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1276
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1180

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1208-72-0x00000000021B0000-0x00000000021B6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1276-68-0x00000000007F0000-0x00000000007FC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1276-67-0x0000000000230000-0x0000000000316000-memory.dmp
        Filesize

        920KB

        Download
      • memory/1276-71-0x0000000000230000-0x0000000000316000-memory.dmp
        Filesize

        920KB

        Download
      • memory/1276-70-0x0000000077DB0000-0x0000000077F30000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1276-65-0x00000000752F1000-0x00000000752F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1276-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1276-66-0x0000000077DB0000-0x0000000077F30000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1864-62-0x00000000021B0000-0x00000000021BC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1864-60-0x0000000001EF0000-0x0000000001F56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1864-56-0x0000000001EF0000-0x0000000001F56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1864-61-0x0000000000560000-0x000000000056D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1864-54-0x0000000076C01000-0x0000000076C03000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1864-69-0x0000000001EF0000-0x0000000001F56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1864-59-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/1864-58-0x0000000000500000-0x0000000000560000-memory.dmp
        Filesize

        384KB

        Download
      • memory/1864-55-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download