betabot | 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536

General

Target

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Size

285KB
MD5

01daf4f618eac4c7379b4d1f8046deaa
SHA1

c73db227644dc6cc6d9b7fb91468014572507b4d
SHA256

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536
SHA512

435380deca7baf660e8a6b673d02ff6478bc6d823ca416b04a4ff758ffb7c821d5495f9870e9a8bbe513bde229ad5a114e44283160146e205e49d9489fbad465
SSDEEP

6144:JAsBZACyfs1vYtn9BqNmJ5y52jzm2YYrTASZ:YCyfsYBT5yEqM7Z

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\591933uu.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\591933uu.exe\DisableExceptionChainValidation	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "kymtbjavkn.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Loads dropped DLL 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

pid process

528 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

pid	process
528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\591933uu.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\591933uu.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	ioc	process
File created	C:\ProgramData\Windows Search 5.3.10\desktop.ini	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
File opened for modification	C:\ProgramData\Windows Search 5.3.10\desktop.ini	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

pid	process
536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	pid	process	target process
PID 528 set thread context of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3744 4268 WerFault.exe explorer.exe

pid	pid_target	process	target process
3744	4268	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main explorer.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

explorer.exe

pid process

4268 explorer.exe
4268 explorer.exe
4268 explorer.exe
4268 explorer.exe
4268 explorer.exe
4268 explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

pid	process
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

pid	process
536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

pid process

536 285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeRestorePrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeBackupPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeLoadDriverPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreatePagefilePrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeShutdownPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeTakeOwnershipPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeChangeNotifyPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreateTokenPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeMachineAccountPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeSecurityPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeAssignPrimaryTokenPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeCreateGlobalPrivilege	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: 33	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
Token: SeDebugPrivilege	4268	explorer.exe
Token: SeRestorePrivilege	4268	explorer.exe
Token: SeBackupPrivilege	4268	explorer.exe
Token: SeLoadDriverPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeTakeOwnershipPrivilege	4268	explorer.exe
Token: SeChangeNotifyPrivilege	4268	explorer.exe
Token: SeCreateTokenPrivilege	4268	explorer.exe
Token: SeMachineAccountPrivilege	4268	explorer.exe
Token: SeSecurityPrivilege	4268	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4268	explorer.exe
Token: SeCreateGlobalPrivilege	4268	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe

description	pid	process	target process
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 528 wrote to memory of 536	528	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
PID 536 wrote to memory of 4268	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 536 wrote to memory of 4268	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe
PID 536 wrote to memory of 4268	536	285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe
"C:\Users\Admin\AppData\Local\Temp\285126b79a1f3e3dd5a474ae648cebee8b0da388b09414f8196c9a6349cb7536.exe"
2⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1128
4⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4268 -ip 4268
1⤵
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv1639.tmp\skiers.dll
Filesize
228KB

MD5
fc7a721c4e3c90b9598d7c81fe77e726

SHA1
fe84f4d480c5da5e55c09842b74d502b03736770

SHA256
d059347af564675db2b15bf372282457e4c4b829712ef67c1aa2864b8c706c6d

SHA512
7bcc246a883e12c4f8965e99f2288e13d8a754600159240df6f881818d54a611b6cbdbe7364aa992405388f8b6b68fa6ad369f53f2fe1bba724cec699e2a0f8a

Download Submit
memory/536-143-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/536-146-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/536-136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/536-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/536-133-0x0000000000000000-mapping.dmp

Download
memory/536-141-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/536-134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/536-142-0x0000000000970000-0x000000000097D000-memory.dmp

Filesize
52KB

Download
memory/536-139-0x0000000002160000-0x00000000021C0000-memory.dmp

Filesize
384KB

Download
memory/536-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4268-144-0x0000000000000000-mapping.dmp

Download
memory/4268-147-0x00000000002C0000-0x00000000006F3000-memory.dmp

Filesize
4.2MB

Download
memory/4268-148-0x0000000000A00000-0x0000000000AAB000-memory.dmp

Filesize
684KB

Download
memory/4268-149-0x0000000000E60000-0x0000000000E6D000-memory.dmp

Filesize
52KB

Download
memory/4268-150-0x0000000000A00000-0x0000000000AAB000-memory.dmp

Filesize
684KB

Download
memory/4268-151-0x0000000000A00000-0x0000000000AAB000-memory.dmp

Filesize
684KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads