Overview

overview

10

Static

static

1

69db660126...18.rtf

windows7-x64

10

69db660126...18.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69db660126843cc9ca7092394735c351_JaffaCakes118.rtf

  • Size

    756KB

  • MD5

    69db660126843cc9ca7092394735c351

  • SHA1

    37d4cceb2766ca0ef6d747d5188b96475892c277

  • SHA256

    70a61b9f583b7f4837211571603cf791b334e139d2138b217e2b3af33c565a43

  • SHA512

    86cce32c0fa5289783f1449fa51087297a6cd93c56aefd9e5357610bc2b48e2300f874b1e58b717ce92b29faeeb7b0d9feef852434030b7583b0ed70da0ae0f8

  • SSDEEP

    12288:X+WhWEyIuRalv7sa2beX41VWIr3cTGeIif82GgrMs7JjMt8RdZtz4lTMSQ/skLoB:XIRIGST8iX41oITACitXr7J5RdclT6di

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1340
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1380
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69db660126843cc9ca7092394735c351_JaffaCakes118.rtf"
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
            3⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Windows\SysWOW64\timeout.exe
                TIMEOUT 1
                5⤵
                • Delays execution with timeout.exe
                PID:2104
              • C:\Users\Admin\AppData\Local\Temp\exe.exe
                C:\Users\Admin\AppData\Local\Temp\ExE.ExE
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2012
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
                  6⤵
                    PID:1228
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im WiNwOrD.ExE
                  5⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2936
                • C:\Windows\SysWOW64\reg.exe
                  reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
                  5⤵
                    PID:1816
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
                    5⤵
                      PID:1068
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
                      5⤵
                        PID:1088
                      • C:\Windows\SysWOW64\reg.exe
                        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
                        5⤵
                          PID:1084
                        • C:\Windows\SysWOW64\reg.exe
                          reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
                          5⤵
                            PID:2420
                          • C:\Windows\SysWOW64\reg.exe
                            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
                            5⤵
                              PID:928
                            • C:\Windows\SysWOW64\reg.exe
                              reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
                              5⤵
                                PID:2536
                              • C:\Windows\SysWOW64\reg.exe
                                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
                                5⤵
                                  PID:1168
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                                  5⤵
                                    PID:1980
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                                      6⤵
                                        PID:1844
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                                      5⤵
                                        PID:1136
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                                          6⤵
                                            PID:1112
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                                          5⤵
                                            PID:764
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                                              6⤵
                                                PID:1320
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                                              5⤵
                                                PID:2544
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                                                  6⤵
                                                    PID:2564
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                                                  5⤵
                                                    PID:2784
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                                                      6⤵
                                                        PID:2684
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                                                      5⤵
                                                        PID:2660
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                                                          6⤵
                                                            PID:2688
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                                          5⤵
                                                            PID:1044
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                                              6⤵
                                                                PID:1692
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                                              5⤵
                                                                PID:2892
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                                                  6⤵
                                                                    PID:320
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
                                                              3⤵
                                                              • Process spawned unexpected child process
                                                              PID:2832
                                                        • C:\Windows\system32\DllHost.exe
                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                          1⤵
                                                            PID:1680
                                                          • C:\Windows\system32\conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe "-11622268881751923053901378205-2100200047-1650525846-6502739131103300851313841143"
                                                            1⤵
                                                              PID:2584
                                                            • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                              "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                              1⤵
                                                              • Launches Equation Editor
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2732
                                                              • C:\Windows\SysWOW64\CmD.exe
                                                                CmD /C %tmp%\task.bat & UUUUUUUU c
                                                                2⤵
                                                                  PID:2496
                                                              • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                1⤵
                                                                • Launches Equation Editor
                                                                PID:2748
                                                              • C:\Windows\explorer.exe
                                                                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                1⤵
                                                                  PID:1912
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2372
                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                      "C:\Windows\system32\svchost.exe"
                                                                      3⤵
                                                                      • Sets file execution options in registry
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      • Checks processor information in registry
                                                                      • Suspicious behavior: MapViewOfSection
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1048
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        4⤵
                                                                        • Modifies firewall policy service
                                                                        • Sets file execution options in registry
                                                                        • Checks BIOS information in registry
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        • Modifies Internet Explorer Protected Mode
                                                                        • Modifies Internet Explorer Protected Mode Banner
                                                                        • Modifies Internet Explorer settings
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2064

                                                                Network

                                                                MITRE ATT&CK Matrix ATT&CK v13

                                                                Initial Access

                                                                Execution

                                                                Exploitation for Client Execution

                                                                1
                                                                T1203

                                                                Persistence

                                                                Create or Modify System Process

                                                                1
                                                                T1543

                                                                Windows Service

                                                                1
                                                                T1543.003

                                                                Boot or Logon Autostart Execution

                                                                2
                                                                T1547

                                                                Registry Run Keys / Startup Folder

                                                                2
                                                                T1547.001

                                                                Privilege Escalation

                                                                Create or Modify System Process

                                                                1
                                                                T1543

                                                                Windows Service

                                                                1
                                                                T1543.003

                                                                Boot or Logon Autostart Execution

                                                                2
                                                                T1547

                                                                Registry Run Keys / Startup Folder

                                                                2
                                                                T1547.001

                                                                Defense Evasion

                                                                Modify Registry

                                                                6
                                                                T1112

                                                                Credential Access

                                                                Discovery

                                                                Query Registry

                                                                3
                                                                T1012

                                                                System Information Discovery

                                                                4
                                                                T1082

                                                                Lateral Movement

                                                                Collection

                                                                Exfiltration

                                                                Command and Control

                                                                Impact

                                                                Resource Development

                                                                Reconnaissance

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Temp\2nd.bat
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  a079014f23f6f2f169e7edfa090538eb

                                                                  SHA1

                                                                  20c83c3dbd3ffd2a78c1c8453a800c625698ebda

                                                                  SHA256

                                                                  e815df3fb218435c48a6059cd8fe5fe20e9443550f4334c623befe19d6c1a1b8

                                                                  SHA512

                                                                  2dff1f799491b364077c592fbe063b2b78c008f459d3769a96dcac046e10086ac0215d8a574201fad316d1397f0a86a52218c381042de612b4c1281942246ff7

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Local\Temp\decoy.doc
                                                                  Filesize

                                                                  31KB

                                                                  MD5

                                                                  df778726a0f7ffeaa9fc16826f77a946

                                                                  SHA1

                                                                  3b4bac8f09cf2d9227c3143aa33ee7b6c1a2cc0c

                                                                  SHA256

                                                                  a52fad09e1fb5e5c5532b8a9130c4f99ddbebbfb15ba416e67069866e1b5b3da

                                                                  SHA512

                                                                  5d5525b61cce9fc6f806c8d666d291e74915aeac20d7fd937c6d0fab9cefc4287ccdc539dd34b017c9abc6f38c87e9244b0c85a54b3fbe83da885334b1f63215

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
                                                                  Filesize

                                                                  423B

                                                                  MD5

                                                                  1b5a8273e16e717136f7fed172da847a

                                                                  SHA1

                                                                  352f0ec7fefdbf3211ffef8aed13a60bb60e6135

                                                                  SHA256

                                                                  113e8ad48f1bb20df1c8e6ddeddfb527aedbf85d18b58fcdd146ba544885de34

                                                                  SHA512

                                                                  9842bf7e53e7c02ab50182c7dc0b500c977586c5ec39cddb2869bebb40f9332b604befb4b13bcf6f5edc681d0c205bc7639743687af08efbe1e34770d7abe509

                                                                  Download Submit
                                                                • C:\Users\Admin\AppData\Local\Temp\task.bat
                                                                  Filesize

                                                                  147B

                                                                  MD5

                                                                  669f7ab1ba185d4123d391dc22bffe26

                                                                  SHA1

                                                                  cd8742755f0271723d7b8c3265e192e3e0927c39

                                                                  SHA256

                                                                  ecbb35d9ee34e1519e8a437636e173f9628787903c4916f8e107d1070902f34a

                                                                  SHA512

                                                                  93d339ee40417c768e710f1adf8ed8b593d6345b57a317f5aa73c22566df1b35977a6fe0f35335cfa29102a87ac41ce90fdd9f82dcdcb97831c660af84f8ba1e

                                                                  Download Submit
                                                                • \Users\Admin\AppData\Local\Temp\exe.exe
                                                                  Filesize

                                                                  283KB

                                                                  MD5

                                                                  ad9e9876d0a5cf8e7ca7de82de1ed01b

                                                                  SHA1

                                                                  c316e6a88e6bbf63dbb63fee0a0fc5a5795dcfc3

                                                                  SHA256

                                                                  c99f64fbc553b946613296764c74c0a62ff36ce3d97c534464fb412aea3f6b8c

                                                                  SHA512

                                                                  431a78eea327114f53231bfb9a2af44414bc3adc96035c6e5be4c21368952e453d69e613da9798f4488b21bff1ad3b19c534d0cf05b420112d4d223db8a0ce3e

                                                                  Download Submit
                                                                • memory/1048-46-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                  Filesize

                                                                  212KB

                                                                  Download
                                                                • memory/1048-57-0x0000000000AE0000-0x0000000000AE8000-memory.dmp
                                                                  Filesize

                                                                  32KB

                                                                  Download
                                                                • memory/1048-48-0x0000000000380000-0x00000000003E6000-memory.dmp
                                                                  Filesize

                                                                  408KB

                                                                  Download
                                                                • memory/1048-47-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                  Filesize

                                                                  212KB

                                                                  Download
                                                                • memory/1048-45-0x0000000000400000-0x0000000000435000-memory.dmp
                                                                  Filesize

                                                                  212KB

                                                                  Download
                                                                • memory/2064-59-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-55-0x00000000000D0000-0x000000000013A000-memory.dmp
                                                                  Filesize

                                                                  424KB

                                                                  Download
                                                                • memory/2064-67-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-50-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-51-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-52-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-54-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-63-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-53-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-66-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-58-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-65-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-61-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-64-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2064-60-0x0000000077B00000-0x0000000077C81000-memory.dmp
                                                                  Filesize

                                                                  1.5MB

                                                                  Download
                                                                • memory/2700-62-0x0000000000170000-0x00000000001DA000-memory.dmp
                                                                  Filesize

                                                                  424KB

                                                                  Download
                                                                • memory/2888-39-0x00000000716FD000-0x0000000071708000-memory.dmp
                                                                  Filesize

                                                                  44KB

                                                                  Download
                                                                • memory/2888-0-0x000000002F701000-0x000000002F702000-memory.dmp
                                                                  Filesize

                                                                  4KB

                                                                  Download
                                                                • memory/2888-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
                                                                  Filesize

                                                                  64KB

                                                                  Download
                                                                • memory/2888-2-0x00000000716FD000-0x0000000071708000-memory.dmp
                                                                  Filesize

                                                                  44KB

                                                                  Download