Analysis
-
max time kernel
15s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
24-12-2023 22:54
General
-
Target
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe
-
Size
360KB
-
MD5
49c53c376d7ccb9391f4f75f20fba18a
-
SHA1
581e38a0331173c4638d2e536916a7a2805c9bc4
-
SHA256
f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194
-
SHA512
865894203a5a70e893cae92bd40c241fd08681eb890890a4a866c6042afe67fb76755e981ebc8d8cdee91988cee33f718b662f8b554237b74d8cf0a55a6b1e84
-
SSDEEP
6144:AFlWqd4FksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:clWXFkRTOzEV6zs1hfk8oYVd+Dj4mYV+
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe"C:\Users\Admin\AppData\Local\Temp\f62e3df884bb3d145652dda9f81b28d10a8a5047879568ac22eba899c5ecf194.exe"1⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qu9yq9g935_1.exe/suac3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\QU9YQ9~1.EXE" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Runs regedit.exe
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\qu9yq9g935_1.exeFilesize
203KB
MD550b418e50956acc2474c4b4f7485df40
SHA167eaf5cfb7a873d9a02ae1d096ceedd2d3e588df
SHA256bc4aa070c265baae2b837d538767bb9a9ac752c168f8d6743701defdc27b3cd7
SHA5120f99903c39124c380a660129dd60f818a221e3ab3411f9fde987897e34cff1073aa37f520e49c4ff92f38f7602b92cb7ca8dfe3be6cd10ea4c1d029cccba032b
-
C:\Users\Admin\AppData\Local\Temp\qu9yq9g935_1.exeFilesize
275KB
MD56d63d7102e2f9fe3ad8f0edd13486ba7
SHA11ebe8099afb52b05107b410373ad799edaa17794
SHA256fb6620920db15a2b1f64236bded76225ae0fea2813a99bde60b70f6688b5ffe0
SHA51275a2e6daf11c3a4f19614b057b5f91a727d66cc7fc237bd28fd1007163984a492cf7e6635210231a31d09cbf152e350c8fc11ac1088176bd749176ef17d31bb9
-
\Users\Admin\AppData\Local\Temp\qu9yq9g935_1.exeFilesize
231KB
MD53102b45a3e78744dbddd770c53a3eb50
SHA1a5f960d103bc7a27892e44cd539a6fae8d0230ef
SHA25668a94c733553c1b737a87e83f367394ae20f0ed184959c2637304c18fa42d684
SHA51223c2bb9172e8835a3f5a810c2677486d865dab84416078b448781506578937d7c77ae7983ea94dcac392e9fe1e91307d8578b7bc0f90e21908b319f4d4a4c600
-
memory/804-66-0x0000000077741000-0x0000000077742000-memory.dmpFilesize
4KB
-
memory/1212-47-0x0000000077741000-0x0000000077742000-memory.dmpFilesize
4KB
-
memory/1876-63-0x00000000003E0000-0x0000000000446000-memory.dmpFilesize
408KB
-
memory/1876-59-0x0000000000450000-0x0000000000456000-memory.dmpFilesize
24KB
-
memory/1876-58-0x00000000003E0000-0x0000000000446000-memory.dmpFilesize
408KB
-
memory/1876-60-0x00000000003E0000-0x0000000000446000-memory.dmpFilesize
408KB
-
memory/1876-72-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/1876-73-0x00000000003E0000-0x0000000000446000-memory.dmpFilesize
408KB
-
memory/1876-74-0x0000000000450000-0x0000000000456000-memory.dmpFilesize
24KB
-
memory/1876-61-0x0000000001EC0000-0x0000000001ECC000-memory.dmpFilesize
48KB
-
memory/1948-9-0x0000000000410000-0x0000000000476000-memory.dmpFilesize
408KB
-
memory/1948-4-0x00000000002A0000-0x00000000002AD000-memory.dmpFilesize
52KB
-
memory/1948-1-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/1948-8-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/1948-5-0x00000000778E0000-0x00000000778E1000-memory.dmpFilesize
4KB
-
memory/1948-10-0x0000000001EB0000-0x0000000001EBC000-memory.dmpFilesize
48KB
-
memory/1948-2-0x0000000000410000-0x0000000000476000-memory.dmpFilesize
408KB
-
memory/1948-29-0x0000000000290000-0x0000000000296000-memory.dmpFilesize
24KB
-
memory/1948-28-0x0000000000410000-0x0000000000476000-memory.dmpFilesize
408KB
-
memory/1948-3-0x0000000000290000-0x0000000000296000-memory.dmpFilesize
24KB
-
memory/1948-6-0x0000000000410000-0x0000000000476000-memory.dmpFilesize
408KB
-
memory/2304-18-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-15-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-11-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-32-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-31-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-33-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-34-0x0000000000370000-0x0000000000372000-memory.dmpFilesize
8KB
-
memory/2304-36-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-37-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-38-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-35-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-40-0x00000000000D0000-0x0000000000194000-memory.dmpFilesize
784KB
-
memory/2304-39-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-41-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2304-78-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-43-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-13-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-46-0x00000000000D0000-0x0000000000194000-memory.dmpFilesize
784KB
-
memory/2304-45-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-30-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-25-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2304-26-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-24-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-16-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2304-17-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-56-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-19-0x00000000000D0000-0x0000000000194000-memory.dmpFilesize
784KB
-
memory/2304-21-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-64-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-76-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-12-0x00000000778D0000-0x0000000077A51000-memory.dmpFilesize
1.5MB
-
memory/2304-14-0x00000000000D0000-0x0000000000194000-memory.dmpFilesize
784KB
-
memory/2304-22-0x0000000000320000-0x000000000032C000-memory.dmpFilesize
48KB
-
memory/2304-23-0x00000000000D0000-0x0000000000194000-memory.dmpFilesize
784KB
-
memory/2672-42-0x0000000077741000-0x0000000077742000-memory.dmpFilesize
4KB
-
memory/2976-65-0x0000000000D90000-0x0000000000DF6000-memory.dmpFilesize
408KB
-
memory/2976-69-0x0000000000D90000-0x0000000000DF5000-memory.dmpFilesize
404KB
-
memory/2976-70-0x0000000000090000-0x000000000009B000-memory.dmpFilesize
44KB
-
memory/2976-67-0x0000000000D90000-0x0000000000DF6000-memory.dmpFilesize
408KB