Analysis
-
max time kernel
17s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
24-12-2023 22:35
General
-
Target
814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe
-
Size
360KB
-
MD5
94f379933c102d45a3bdb6d46070c3b6
-
SHA1
e4004532129c49d22279737f26cff1f00b45a092
-
SHA256
814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff
-
SHA512
4847abc92cdfe5d0fe8bbd351195644ff7354cdd9e4cc6ecb5e2434bc8a43c292dc20013bdaac263319d94ca2792e54c244dbe11bcfa94f37a0e0d4c4ac66aaf
-
SSDEEP
6144:HOtCyFksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:ugyFkRTOzEV6zs1hfk8oYVd+Dj4mYVds
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe"C:\Users\Admin\AppData\Local\Temp\814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe"1⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1137wsqmmme11_1.exe/suac3⤵
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\1137WS~1.EXE" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5a1ade8b3f2d29dd0c9c0e2010cd060bb
SHA1f9f1f3b709b12bc1e583ba131da1e21b3303cfd2
SHA25632e88cf5666cb69be1fcd55ab80b9bea5d8349fe527cab5cde06688a81d663b3
SHA5121223555fb09f5baabc1bdfe88e958d7e98c287232710a71a1e5de6de446fbe57f69111461e601b1e426ade5078c4110c6f8b5ac61ebcfc9b46c8ae2ab65d132d
-
Filesize
148KB
MD542903291fa5687b01d3589288cf47e9e
SHA127cf86af9be511be2f136b818908806a907899d4
SHA256be693ed543ce6d15b7c5c2449bd88f0e3c42898127f52108685ed839f91fff7d
SHA5127fef019ba8a5d6ecd033d02b6b9d3c25ed10dc84a2cb085f702a49a4fd977d6d5160054b6dbbec35e1ab7f319e6f54146cbb45bb90e021366e7e5705509103a9
-
Filesize
59KB
MD5ddb4e4071e9879d601261d4966e84aa8
SHA17fe6f7e5466863e2dd23f550c752ea7fea1c7623
SHA256effe192114f98cf13c13ac9db82b4ae1c9dda4cdd4d355d4f527969e80a5d7c8
SHA512a1d59ad6d37936894a6818fed75cfc1cb24f7b83d368d546552efd98df7598ba4e663f1388cfedcbef3722ee1c1d0599142f70bc84ee7b200d820604196577ca
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
404KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
372KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB