Overview

overview

10

Static

static

3

8940ee6fe6...10.exe

windows7-x64

10

8940ee6fe6...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-01-2025 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe

  • Size

    1.2MB

  • MD5

    24c7a082a3712ad00cea6f1bfee81f9c

  • SHA1

    67f06a9982358afdf69163b3fd642c231fa0a9c4

  • SHA256

    8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710

  • SHA512

    ad9097c842e517fa034e5abecb07851cad0d1e5c0433cc1765bf95ee20869d445290fc71e2d20bf7121f780c3336eb0c2397c20c7e8ee541dbf946061442b783

  • SSDEEP

    24576:q7kybXvovms3JuIfILdzxtJzJOJTe87RMMeQjm:KMZJuIwLdNtJzJOJTJeQS

Score
10/10
betabotbackdoorbotnetdefense_evasiondiscoverypersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Betabot family
    betabot
  • Modifies firewall policy service 3 TTPs 4 IoCs
    defense_evasion
  • UAC bypass 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
    persistence
  • Looks for VMWare services registry key. 1 TTPs 1 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    defense_evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1160
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1188
        • C:\Users\Admin\AppData\Local\Temp\8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe
          "C:\Users\Admin\AppData\Local\Temp\8940ee6fe6900beb6113cbd48e2f54f81e36b3806bbb6c73ae514982cc98a710.exe"
          2⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Users\Admin\Pictures\dd.exe
            "C:\Users\Admin\Pictures\dd.exe"
            3⤵
            • UAC bypass
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2676
            • C:\Users\Admin\Pictures\dd.exe
              "C:\Users\Admin\Pictures\dd.exe"
              4⤵
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Indicator Removal: Clear Persistence
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1840
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                5⤵
                • Modifies firewall policy service
                • Event Triggered Execution: Image File Execution Options Injection
                • Checks BIOS information in registry
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Enumerates system info in registry
                • Modifies Internet Explorer Protected Mode
                • Modifies Internet Explorer Protected Mode Banner
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1812
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1524
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
          1⤵
          • Looks for VMWare services registry key.
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:3040

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        2
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Disable or Modify Tools

        1
        T1562.001

        Indicator Removal

        1
        T1070

        Clear Persistence

        1
        T1070.009

        Modify Registry

        7
        T1112

        Virtualization/Sandbox Evasion

        1
        T1497

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        4
        T1012

        System Information Discovery

        6
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Virtualization/Sandbox Evasion

        1
        T1497

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Pictures\세이클x 번개녀 원나잇 홈런 시리즈 3탄 - 몸매 죽이는 E컵 자연산 슴가 현직 모델녀.mp4_20160810_215820.611.jpg
          Filesize

          93KB

          MD5

          992e7555ccbc6b82af6ab64cad41cdd0

          SHA1

          773616e3f157bddbcde7026b3d2d0b65f3809602

          SHA256

          8deed2818ffed9549644eea1aa5bed8807a5a1ca9e9b76b15a566d827ae25efa

          SHA512

          e28f12e19060a83a4799e0b2f72ae4c970b90b9442a0a0e28f902be5a920d8a7d08acd96d040d0ba580929401221ebfd69218f5ef13340de5a0ca253dd1eb656

          Download Submit

        • \Users\Admin\Pictures\dd.exe
          Filesize

          233KB

          MD5

          34ddf5905488a9b275df4c58aaf5d847

          SHA1

          5bb563413be0c957692aa91fdaf86a6e60cba22a

          SHA256

          d5adec27977bf202eb056c2eb8f36115d398cc0536ca38b16bf7514623a5c069

          SHA512

          b3c11b7f4046392f58802c0c0c09041a29478942064ac2834bc0f18cc564549be58101bdf499159021aed0c65e0bd7140ff43bad33520ae549076de8dea891b7

          Download Submit

        • memory/1812-63-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-73-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-68-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-67-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-66-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-65-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-62-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-72-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-46-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-69-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-58-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-56-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-55-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-54-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-53-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-49-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-50-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-51-0x0000000000110000-0x00000000001B4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/1812-48-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1812-47-0x0000000077570000-0x00000000776F1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1840-45-0x0000000000360000-0x00000000003C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1840-26-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-22-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-25-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-29-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-32-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-35-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-38-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1840-42-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1840-43-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3028-10-0x0000000005CB0000-0x0000000005CB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3028-4-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-1-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-2-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-19-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-3-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-5-0x00000000742E0000-0x000000007488B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3028-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3040-11-0x00000000001A0000-0x00000000001A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3040-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3040-57-0x0000000003E00000-0x0000000003EA4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/3040-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3040-60-0x0000000003E00000-0x0000000003EA4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/3040-59-0x0000000003E00000-0x0000000003EA4000-memory.dmp

          Filesize

          656KB

          Download