Analysis

  • max time kernel
    90s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-12-2024 17:46

General

  • Target

    foo/27f9116902c35a9b784c703762bbd249.exe

  • Size

    1.3MB

  • MD5

    27f9116902c35a9b784c703762bbd249

  • SHA1

    1f398a7f5bb032a30c2207e5e692524691b8a09e

  • SHA256

    548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570

  • SHA512

    c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6

  • SSDEEP

    24576:aCdxte/80jYLT3U1jfsWarh061/ZfElRw0bMQ0j:7w80cTsjkWarx/ulA

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Betabot family
  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes Image File Execution Options (IFEO) entries.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe
    "C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe
      "C:\Users\Admin\AppData\Local\Temp\foo\27f9116902c35a9b784c703762bbd249.exe"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Checks whether UAC is enabled
      • Indicator Removal: Clear Persistence
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Modifies firewall policy service
        • Event Triggered Execution: Image File Execution Options Injection
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1068
          4⤵
          • Program crash
          PID:1428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
    1⤵
      PID:2360

Network

  • DNS query (remote address 8.8.8.8:53, US)
    Request:  149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  149.220.183.52.in-addr.arpa IN PTR
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  88.210.23.2.in-addr.arpa IN PTR
    Response: 88.210.23.2.in-addr.arpa IN PTR a2-23-210-88.deploy.static.akamaitechnologies.com
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  17.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  196.249.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  154.239.44.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  56.163.245.4.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  18.31.95.13.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  21.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  209.205.72.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS query (remote address 8.8.8.8:53, US)
    Request:  172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  Connections (all DNS, all to 8.8.8.8:53; each connection carried only requests for its listed domain, two for 149.220.183.52.in-addr.arpa and one for each of the others):

    Remote address  Domain                        Protocol  Sent   Received  Requests  Responses
    8.8.8.8:53      149.220.183.52.in-addr.arpa   dns       146 B  147 B     2         1
    8.8.8.8:53      88.210.23.2.in-addr.arpa      dns       70 B   133 B     1         1
    8.8.8.8:53      17.160.190.20.in-addr.arpa    dns       72 B   158 B     1         1
    8.8.8.8:53      95.221.229.192.in-addr.arpa   dns       73 B   144 B     1         1
    8.8.8.8:53      196.249.167.52.in-addr.arpa   dns       73 B   147 B     1         1
    8.8.8.8:53      154.239.44.20.in-addr.arpa    dns       72 B   158 B     1         1
    8.8.8.8:53      56.163.245.4.in-addr.arpa     dns       71 B   157 B     1         1
    8.8.8.8:53      18.31.95.13.in-addr.arpa      dns       70 B   144 B     1         1
    8.8.8.8:53      21.49.80.91.in-addr.arpa      dns       70 B   145 B     1         1
    8.8.8.8:53      209.205.72.20.in-addr.arpa    dns       72 B   158 B     1         1
    8.8.8.8:53      172.214.232.199.in-addr.arpa  dns       74 B   128 B     1         1

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1932-15-0x0000000003000000-0x0000000003066000-memory.dmp (408KB)
  • memory/1932-23-0x0000000000530000-0x000000000067E000-memory.dmp (1.3MB)
  • memory/1932-8-0x0000000000400000-0x0000000000435000-memory.dmp (212KB)
  • memory/1932-9-0x0000000003000000-0x0000000003066000-memory.dmp (408KB)
  • memory/1932-16-0x0000000003840000-0x000000000384C000-memory.dmp (48KB)
  • memory/1932-11-0x0000000077364000-0x0000000077365000-memory.dmp (4KB)
  • memory/1932-2-0x0000000000400000-0x0000000000435000-memory.dmp (212KB)
  • memory/1932-14-0x0000000003810000-0x0000000003811000-memory.dmp (4KB)
  • memory/1932-10-0x0000000001440000-0x000000000144D000-memory.dmp (52KB)
  • memory/1932-12-0x0000000003000000-0x0000000003066000-memory.dmp (408KB)
  • memory/1932-25-0x0000000003000000-0x0000000003066000-memory.dmp (408KB)
  • memory/2924-0-0x0000000000B90000-0x0000000000B91000-memory.dmp (4KB)
  • memory/4424-22-0x00000000001E0000-0x0000000000613000-memory.dmp (4.2MB)
  • memory/4424-20-0x0000000001000000-0x00000000011BD000-memory.dmp (1.7MB)
  • memory/4424-19-0x00000000001E0000-0x0000000000614000-memory.dmp (4.2MB)
  • memory/4424-17-0x00000000001E0000-0x0000000000614000-memory.dmp (4.2MB)
