Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2022 18:58

General

  • Target
    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
  • Size
    270KB
  • MD5
    72a5fd774abbbcbdc38527826122b580
  • SHA1
    08da270a2c68a7b113aaaee8b2cbffb7665163c9
  • SHA256
    cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451
  • SHA512
    51abac0551b7e97c9691b0a2f821d22a258022c25dcc7c1c7bd6e873e658ea3bf7affdae06d8b6929e2473600c55abbc7a1b1decdd17b76e376b9c54eca6218f
  • SSDEEP
    6144:LAsBZPuFKtb1svWp8uAUf2lNbhu1ZHqsM7hQzZT8PjUs:tUOb1svWpaUfgNbhu1csqu3s

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service ⋅ 2 TTPs 4 IoCs
  • Sets file execution options in registry ⋅ 2 TTPs 4 IoCs
  • Checks BIOS information in registry ⋅ 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL ⋅ 2 IoCs
  • Adds Run key to start application ⋅ 2 TTPs 4 IoCs
  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 8 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash ⋅ 1 IoCs
  • Checks processor information in registry ⋅ 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode ⋅ 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner ⋅ 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings ⋅ 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs
  • Suspicious behavior: MapViewOfSection ⋅ 2 IoCs
  • Suspicious behavior: RenamesItself ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 28 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
    "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe
      "C:\Users\Admin\AppData\Local\Temp\cccb98520d7b5747bbec8af8fcc1d245eaccea92a346c30309c3333519933451.exe"
      Sets file execution options in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: RenamesItself
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Modifies firewall policy service
        Sets file execution options in registry
        Checks BIOS information in registry
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Enumerates system info in registry
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:4504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1120
          Program crash
          PID:2968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4504 -ip 4504
    PID:1420

Network

MITRE ATT&CK Matrix

Tactic columns (no techniques populated): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nseB86A.tmp\System.dll
    MD5
    883eff06ac96966270731e4e22817e11
    SHA1
    523c87c98236cbc04430e87ec19b977595092ac8
    SHA256
    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
    SHA512
    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
  • C:\Users\Admin\AppData\Local\Temp\rabblements.dll
    MD5
    e0291ba7745237498e06465b622cee9d
    SHA1
    f1bac955e343ea7530f63197b7c29af40ae0388a
    SHA256
    e389ea70bde9d21be265a9adda6cdfd3aae6d59b2526df2bb18ae7c7cc4aa13a
    SHA512
    87d6834e1a8c4166a0f1cdcc38908798c9a75684ea118ea4b99ee2d322c26268d0a352fa437840c1f45de0830fe2361cbc21a516ef49c88be9c3f8eb415f3dd6
