Overview

overview

10

Static

static

1

cccb98520d...51.exe

windows7-x64

10

cccb98520d...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2022 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe

  • Size

    270KB

  • MD5

    72a5fd774abbbcbdc38527826122b580

  • SHA1

    08da270a2c68a7b113aaaee8b2cbffb7665163c9

  • SHA256

    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451

  • SHA512

    51abac0551b7e97c9691b0a2f821d22a258022c25dcc7c1c7bd6e873e658ea3bf7affdae06d8b6929e2473600c55abbc7a1b1decdd17b76e376b9c54eca6218f

  • SSDEEP

    6144:LAsBZPuFKtb1svWp8uAUf2lNbhu1ZHqsM7hQzZT8PjUs:tUOb1svWpaUfgNbhu1csqu3s

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
    "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
      "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
      2⤵
      • Sets file execution options in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Sets file execution options in registry
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1120
          4⤵
          • Program crash
          PID:2968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
    1⤵
      PID:1420

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nseB86A.tmp\System.dll
      Filesize

      11KB

      MD5

      883eff06ac96966270731e4e22817e11

      SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

      SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

      SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rabblements.dll
      Filesize

      74KB

      MD5

      e0291ba7745237498e06465b622cee9d

      SHA1

      f1bac955e343ea7530f63197b7c29af40ae0388a

      SHA256

      e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a

      SHA512

      87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6

      Download Submit
    • memory/744-146-0x00000000026A0000-0x00000000026AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/744-143-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/744-150-0x0000000000900000-0x0000000000963000-memory.dmp
      Filesize

      396KB

      Download
    • memory/744-134-0x0000000000000000-mapping.dmp
      Download
    • memory/744-139-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/744-140-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/744-141-0x0000000000900000-0x0000000000963000-memory.dmp
      Filesize

      396KB

      Download
    • memory/744-135-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/744-145-0x0000000000460000-0x000000000046D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/744-144-0x0000000000900000-0x0000000000963000-memory.dmp
      Filesize

      396KB

      Download
    • memory/4504-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4504-148-0x0000000000480000-0x00000000008B3000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/4504-149-0x00000000008F0000-0x000000000099A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/4504-151-0x00000000008F0000-0x000000000099A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/5056-138-0x0000000074540000-0x0000000074566000-memory.dmp
      Filesize

      152KB

      Download
    • memory/5056-136-0x0000000074540000-0x0000000074566000-memory.dmp
      Filesize

      152KB

      Download