Analysis
-
max time kernel
297s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
21-01-2024 22:24
General
-
Target
814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe
-
Size
360KB
-
MD5
94f379933c102d45a3bdb6d46070c3b6
-
SHA1
e4004532129c49d22279737f26cff1f00b45a092
-
SHA256
814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff
-
SHA512
4847abc92cdfe5d0fe8bbd351195644ff7354cdd9e4cc6ecb5e2434bc8a43c292dc20013bdaac263319d94ca2792e54c244dbe11bcfa94f37a0e0d4c4ac66aaf
-
SSDEEP
6144:HOtCyFksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:ugyFkRTOzEV6zs1hfk8oYVd+Dj4mYVds
Score
10/10
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe"C:\Users\Admin\AppData\Local\Temp\814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff.exe"1⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wk1ow7g93_1.exe/suac3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\WK1OW7~1.EXE" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\wk1ow7g93_1.exeFilesize
43KB
MD5915720ea765c6660770b42d90754372d
SHA19d6d5f822300fe9dfa2dae5616700fdd0d279e10
SHA25617b1763f39874fdbad6d66b7ba1d1bb07ac5ddb96a430170eecc3a9dace43b4a
SHA512a5a60ed1f7e8f666682a8112284f8aab0dd835258a09d4066754305c440ea39ac7efdf03e66055beccb2188540c388b531288fb77020ac854f800f25a134d94e
-
C:\Users\Admin\AppData\Local\Temp\wk1ow7g93_1.exeFilesize
68KB
MD5d269e46208530509be60620459915f05
SHA17791927d79ed5c399a3f65821896d18f0cea7f51
SHA2560db3b5124570af58349f94c8dcc73fe8fe99273cb3952c88080f697556b61b4d
SHA5120b04f57500389b22d7b221f2af239906950943eb3a4212a7141478b4ebb2bc825b31585df3d6992df7ea7bd139302e38889b11713ad2351e3a46968858d2ff71
-
\Users\Admin\AppData\Local\Temp\wk1ow7g93_1.exeFilesize
161KB
MD5fd32b3a35abda7e7cab742c689e89900
SHA137808648cb3a4c25ae70fae811378a4c0fab6403
SHA25636e976ca2d64590595c7efe235031a29b0e8033782e696f54cf847ba629b2e19
SHA512ff2cc789c2d8a037c3d069b01359216b615abacbce983dae7a203b6120bd4a433400e214d07a679fc65f7cb7b9696a434f7b73aba9f35acf38c8c31efc3136d8
-
memory/632-70-0x0000000077A71000-0x0000000077A72000-memory.dmpFilesize
4KB
-
memory/1352-50-0x0000000002AF0000-0x0000000002AF6000-memory.dmpFilesize
24KB
-
memory/1352-49-0x0000000077A71000-0x0000000077A72000-memory.dmpFilesize
4KB
-
memory/1736-37-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-32-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-41-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-83-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-39-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-82-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-81-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-79-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-22-0x0000000000470000-0x000000000047C000-memory.dmpFilesize
48KB
-
memory/1736-21-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-18-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-16-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-15-0x00000000003A0000-0x00000000003A6000-memory.dmpFilesize
24KB
-
memory/1736-25-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-26-0x0000000000460000-0x0000000000461000-memory.dmpFilesize
4KB
-
memory/1736-14-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-13-0x00000000001D0000-0x0000000000294000-memory.dmpFilesize
784KB
-
memory/1736-27-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-42-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-19-0x00000000001D0000-0x0000000000294000-memory.dmpFilesize
784KB
-
memory/1736-30-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-59-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-31-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-33-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-35-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-34-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-36-0x00000000009E0000-0x00000000009E2000-memory.dmpFilesize
8KB
-
memory/1736-38-0x00000000001D0000-0x0000000000294000-memory.dmpFilesize
784KB
-
memory/1736-12-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-40-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-11-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-23-0x00000000001D0000-0x0000000000294000-memory.dmpFilesize
784KB
-
memory/1736-17-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-43-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-45-0x00000000003A0000-0x00000000003A6000-memory.dmpFilesize
24KB
-
memory/1736-46-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-67-0x0000000077C00000-0x0000000077D81000-memory.dmpFilesize
1.5MB
-
memory/1736-47-0x00000000001D0000-0x0000000000294000-memory.dmpFilesize
784KB
-
memory/1916-69-0x0000000000120000-0x0000000000186000-memory.dmpFilesize
408KB
-
memory/1916-73-0x0000000000120000-0x0000000000185000-memory.dmpFilesize
404KB
-
memory/1916-72-0x00000000000D0000-0x00000000000DB000-memory.dmpFilesize
44KB
-
memory/1916-68-0x0000000000120000-0x0000000000186000-memory.dmpFilesize
408KB
-
memory/1964-8-0x0000000001CD0000-0x0000000001CD1000-memory.dmpFilesize
4KB
-
memory/1964-10-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/1964-9-0x0000000001DF0000-0x0000000001DFC000-memory.dmpFilesize
48KB
-
memory/1964-7-0x0000000077C10000-0x0000000077C11000-memory.dmpFilesize
4KB
-
memory/1964-5-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/1964-2-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/1964-1-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/1964-4-0x0000000000320000-0x000000000032D000-memory.dmpFilesize
52KB
-
memory/1964-24-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/1964-3-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/1964-29-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/2492-61-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/2492-75-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2492-77-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2492-76-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/2492-63-0x00000000002A0000-0x00000000002A6000-memory.dmpFilesize
24KB
-
memory/2492-62-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/2492-65-0x00000000006B0000-0x00000000006BC000-memory.dmpFilesize
48KB
-
memory/2492-66-0x0000000001D20000-0x0000000001D86000-memory.dmpFilesize
408KB
-
memory/2716-48-0x0000000077A71000-0x0000000077A72000-memory.dmpFilesize
4KB