Analysis
-
max time kernel
184s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
27-11-2022 12:59
General
-
Target
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe
-
Size
315KB
-
MD5
6a862dc51bdf3cb9cbcff57bb592546c
-
SHA1
51f4bce1b1196e85146bec83a6549763af3f334c
-
SHA256
4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf
-
SHA512
14d8ae5a44e1e1ca0c72e2cb0763f32b24698c0e1219c1e6c6d4b47874f5908678694501e3d20ba0eff149c8c0b0a79447adcddca0f8d665472947edc1f0e267
-
SSDEEP
6144:OAsBZxLA8ivLPhyqaShRf9OpRb9tDia3BjoybPDhk8Ni6F9D3qAPqUvtPTiI:SL7iTPhbAp9rznbr5i6F9TFLiI
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"C:\Users\Admin\AppData\Local\Temp\4a1da031313919a6c6553d6608869a46f45c81f68290629497f1122615d1a7cf.exe"3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nso2178.tmp\Maurois.dllFilesize
196KB
MD505db9e17519dbffe3c4dbb038ec686b1
SHA1be88fcf4047938903d1fa6953cf7661c7798f179
SHA256ea388ed5b8039160d784f24ef2f8d92e5cee8b9caf6de3a1c9924564550f8248
SHA51229097003d49074b07d9677d3d8d17246222f08300e8871bf3bc0b936c6f1d2dab83eff5f7df40dd68389a70b431ff7e5a8d738b780ab175d11efb94d2b37f0ac
-
memory/336-70-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-59-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-72-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-58-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-73-0x0000000000260000-0x000000000026D000-memory.dmpFilesize
52KB
-
memory/336-60-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-62-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-74-0x0000000001F80000-0x0000000001F8C000-memory.dmpFilesize
48KB
-
memory/336-64-0x00000000004015C6-mapping.dmp
-
memory/336-66-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-67-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-82-0x00000000003A0000-0x0000000000400000-memory.dmpFilesize
384KB
-
memory/336-57-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-56-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-63-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/336-81-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/808-77-0x0000000074F41000-0x0000000074F43000-memory.dmpFilesize
8KB
-
memory/808-78-0x00000000779F0000-0x0000000077B70000-memory.dmpFilesize
1.5MB
-
memory/808-79-0x0000000000090000-0x0000000000143000-memory.dmpFilesize
716KB
-
memory/808-80-0x00000000004D0000-0x00000000004DC000-memory.dmpFilesize
48KB
-
memory/808-75-0x0000000000000000-mapping.dmp
-
memory/808-83-0x00000000779F0000-0x0000000077B70000-memory.dmpFilesize
1.5MB
-
memory/808-84-0x0000000000090000-0x0000000000143000-memory.dmpFilesize
716KB
-
memory/1284-85-0x0000000002930000-0x0000000002936000-memory.dmpFilesize
24KB
-
memory/1668-54-0x0000000075931000-0x0000000075933000-memory.dmpFilesize
8KB