Analysis
-
max time kernel
18s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-01-2024 22:24
General
-
Target
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe
-
Size
360KB
-
MD5
43896f9d956ad83ba3773b98374142f3
-
SHA1
b084817d14218928049a8f9c5bcef646aecc8bb3
-
SHA256
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e
-
SHA512
96a783129f44a398259fd47a38f1ce50e3ab0c62b3b3c900030a18792a02bbed27f875f7df3ccdaeab3b667f0c5c627496665da14373e1ea21d98b3d6cbc7ffd
-
SSDEEP
6144:3rk3p+t3FksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:bk3pcFkRTOzEV6zs1hfk8oYVd+Dj4mYM
Malware Config
Signatures
-
BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
-
Modifies firewall policy service 2 TTPs 4 IoCs
-
Sets file execution options in registry 2 TTPs 12 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe"C:\Users\Admin\AppData\Local\Temp\afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe"1⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kgu1uum7_1.exe/suac3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\kgu1uum7.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5108653152534ec8d1f993f1aaf9ec871
SHA17267c8b4a59bdefb5c2b8838081b75df0d7f9f6b
SHA256e59b25620aa4bd580f12f12e9e83b748d8499a10537d2aa8b895022b6f54dd6f
SHA512bae50f00354bf8108fe324b7bfec2c961fcbb6ad3febd9f342c102fe759a9b75bddc5d62cc2567a626511c853307b70b25941417abb42dde14c3adf1d4337201
-
Filesize
101KB
MD543ae4396d844c68a97d93de18810d017
SHA1c765bdc0c1ca270064810036e3484efaa83d0522
SHA256b09367d9ce06ac385d5229e2c20031e6897e547c19cffb2159c7f7692aba52ee
SHA512e65d07e16dfd50acec3ceba75ee908aae308fb03e5d69ab6c248fecef29eb655fe08a40f5a7c9219e9cd3e8298e7ffee81c45c7f9c916c337151cd866bbcbcfc
-
Filesize
106KB
MD5bb397abaeec27cf898938dc8ac811ff8
SHA1d2a0bc77723541d8df981df5a1a6e5936ea2f045
SHA256b05d4b0b9a41cd76ee95cccb60a31ccdd9e19be09bd0480dcdf61f78855d6e7e
SHA5124011b5a2d62774dc0f00ba0f2a1480533250ec10ad26008229a37e970a8c6ef4eb43f64d8aed5bdd6af2e73fc2e7d4557cb65c668caff72de395259b3976bbac
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
52KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
404KB
-
Filesize
44KB
-
Filesize
408KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
408KB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
48KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
24KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
48KB
-
Filesize
784KB
-
Filesize
1.5MB
-
Filesize
784KB
-
Filesize
24KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB