Overview

overview

10

Static

static

fefa0aa821...c5.exe

windows7-x64

10

fefa0aa821...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe

  • Size

    392KB

  • MD5

    0fbecec65bdc3e58a3604c015f24e3d1

  • SHA1

    d4a0b4b628768d2ad970c69c661bcd7f174c76b0

  • SHA256

    fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5

  • SHA512

    30397c4aa49b62905db894b2abaf911fda73391af9969e713b5bdc10a78f78591a711c2de2b6a96745ef7ae94e18020dc95c2a6b301633e58893c185949e9df0

  • SSDEEP

    12288:ZQB0GnWtil+1pcuVhbNrSqEw6tXLMRWgG:KVnWtRb/hxrQZMRW7

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe
        "C:\Users\Admin\AppData\Local\Temp\fefa0aa8217716ecbfd713cfa47f29cee5b4a7c4e4b2968680a5faa77a2b23c5.exe"
        2⤵
        • Sets file execution options in registry
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
          • Modifies firewall policy service
          • Sets file execution options in registry
          • Checks BIOS information in registry
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer Protected Mode
          • Modifies Internet Explorer Protected Mode Banner
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1176
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1192

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      6
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1176-71-0x00000000002A0000-0x00000000002AC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1176-70-0x0000000000130000-0x000000000013D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1176-68-0x0000000077B10000-0x0000000077C90000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1176-69-0x00000000001A0000-0x0000000000266000-memory.dmp
        Filesize

        792KB

        Download
      • memory/1176-67-0x0000000074EA1000-0x0000000074EA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1176-75-0x00000000001A0000-0x0000000000266000-memory.dmp
        Filesize

        792KB

        Download
      • memory/1176-74-0x0000000077B10000-0x0000000077C90000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1176-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1228-59-0x000000000CEA0000-0x000000000CF00000-memory.dmp
        Filesize

        384KB

        Download
      • memory/1228-57-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1228-61-0x000000000CEA0000-0x000000000CF00000-memory.dmp
        Filesize

        384KB

        Download
      • memory/1228-56-0x00000000767F1000-0x00000000767F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1228-72-0x000000000CEA0000-0x000000000CF00000-memory.dmp
        Filesize

        384KB

        Download
      • memory/1228-73-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1228-64-0x0000000000780000-0x000000000078C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1228-63-0x0000000072940000-0x0000000072A93000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1228-62-0x0000000000400000-0x0000000000464000-memory.dmp
        Filesize

        400KB

        Download
      • memory/1268-76-0x0000000002AC0000-0x0000000002AC6000-memory.dmp
        Filesize

        24KB

        Download