Resubmissions

25-01-2021 18:42

210125-r1hfrr5jc6 10

19-01-2021 19:41

210119-88n6rsk2w6 10

General

  • Target

    CFDI__Manager__12365.exe

  • Size

    809KB

  • Sample

    210125-r1hfrr5jc6

  • MD5

    5b7c3ff3556606c67a61527f81579eee

  • SHA1

    75299ed8a21eebe1b1969e065e80f02ad21d4267

  • SHA256

    82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f

  • SHA512

    6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c

Malware Config

Targets

    • Target

      CFDI__Manager__12365.exe

    • Size

      809KB

    • MD5

      5b7c3ff3556606c67a61527f81579eee

    • SHA1

      75299ed8a21eebe1b1969e065e80f02ad21d4267

    • SHA256

      82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f

    • SHA512

      6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Modifies firewall policy service

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

6
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

5
T1082

Tasks