Overview

overview

10

Static

static

1

cccb98520d...51.exe

windows7-x64

10

cccb98520d...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2022 18:58

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe

  • Size

    270KB

  • MD5

    72a5fd774abbbcbdc38527826122b580

  • SHA1

    08da270a2c68a7b113aaaee8b2cbffb7665163c9

  • SHA256

    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451

  • SHA512

    51abac0551b7e97c9691b0a2f821d22a258022c25dcc7c1c7bd6e873e658ea3bf7affdae06d8b6929e2473600c55abbc7a1b1decdd17b76e376b9c54eca6218f

  • SSDEEP

    6144:LAsBZPuFKtb1svWp8uAUf2lNbhu1ZHqsM7hQzZT8PjUs:tUOb1svWpaUfgNbhu1csqu3s

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service ⋅ 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry ⋅ 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry ⋅ 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL ⋅ 2 IoCs
  • Adds Run key to start application ⋅ 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 8 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash ⋅ 1 IoCs
  • Checks processor information in registry ⋅ 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode ⋅ 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner ⋅ 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings ⋅ 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs
  • Suspicious behavior: MapViewOfSection ⋅ 2 IoCs
  • Suspicious behavior: RenamesItself ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 28 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
    "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
      "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
      Sets file execution options in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: RenamesItself
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Modifies firewall policy service
        Sets file execution options in registry
        Checks BIOS information in registry
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Enumerates system info in registry
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:4504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1120
          Program crash
          PID:2968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
    PID:1420

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\nseB86A.tmp\System.dll
                      MD5

                      883eff06ac96966270731e4e22817e11

                      SHA1

                      523c87c98236cbc04430e87ec19b977595092ac8

                      SHA256

                      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

                      SHA512

                      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\rabblements.dll
                      MD5

                      e0291ba7745237498e06465b622cee9d

                      SHA1

                      f1bac955e343ea7530f63197b7c29af40ae0388a

                      SHA256

                      e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a

                      SHA512

                      87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6

                      Download Submit
                    • memory/744-146-0x00000000026A0000-0x00000000026AC000-memory.dmp
                      Download
                    • memory/744-143-0x0000000000400000-0x0000000000434000-memory.dmp
                      Download
                    • memory/744-150-0x0000000000900000-0x0000000000963000-memory.dmp
                      Download
                    • memory/744-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/744-139-0x0000000000400000-0x0000000000434000-memory.dmp
                      Download
                    • memory/744-140-0x0000000000400000-0x0000000000434000-memory.dmp
                      Download
                    • memory/744-141-0x0000000000900000-0x0000000000963000-memory.dmp
                      Download
                    • memory/744-135-0x0000000000400000-0x0000000000434000-memory.dmp
                      Download
                    • memory/744-145-0x0000000000460000-0x000000000046D000-memory.dmp
                      Download
                    • memory/744-144-0x0000000000900000-0x0000000000963000-memory.dmp
                      Download
                    • memory/4504-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4504-148-0x0000000000480000-0x00000000008B3000-memory.dmp
                      Download
                    • memory/4504-149-0x00000000008F0000-0x000000000099A000-memory.dmp
                      Download
                    • memory/4504-151-0x00000000008F0000-0x000000000099A000-memory.dmp
                      Download
                    • memory/5056-138-0x0000000074540000-0x0000000074566000-memory.dmp
                      Download
                    • memory/5056-136-0x0000000074540000-0x0000000074566000-memory.dmp
                      Download