Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-04-2021 05:50

General

  • Target

    6EC77929D5F70F9BC4724D23DDBC2653.exe

  • Size

    838KB

  • MD5

    6ec77929d5f70f9bc4724d23ddbc2653

  • SHA1

    da208bfa51ed091056f03dff8f1ba540472210d8

  • SHA256

    03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6

  • SHA512

    370d956fb270a6f136a85983542195414790b116dd4166d448b7c55c9846e18959758117cd399196c62c51f1817a2e633e2e95d10565c4858250f7162f0ddfe6

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\6EC77929D5F70F9BC4724D23DDBC2653.exe
        "C:\Users\Admin\AppData\Local\Temp\6EC77929D5F70F9BC4724D23DDBC2653.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\booking\data\startbook.vbs" /f=CREATE_NO_WINDOW install.cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\booking\data\start1.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1692
            • C:\Windows\SysWOW64\timeout.exe
              timeout 7
              5⤵
              • Delays execution with timeout.exe
              PID:1856
            • C:\booking\data\K480101741BH.exe
              "K480101741BH.exe" e -psetup wid.rar
              5⤵
              • Executes dropped EXE
              PID:464
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              5⤵
              • Delays execution with timeout.exe
              PID:968
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\booking\data\fbk.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:756
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\booking\data\445.bat" "
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:860
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\booking"
                  7⤵
                  • Views/modifies file attributes
                  PID:812
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  7⤵
                  • Delays execution with timeout.exe
                  PID:904
                • C:\booking\data\modylsid.exe
                  modylsid.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  PID:1808
                  • C:\booking\data\modylsid.exe
                    modylsid.exe /start
                    8⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:788
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      9⤵
                      • Modifies firewall policy service
                      • Checks BIOS information in registry
                      • Loads dropped DLL
                      • Adds Run key to start application
                      • Drops desktop.ini file(s)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • NTFS ADS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1796
                      • C:\Users\Admin\AppData\Local\Temp\yokc711s3gmuw31_1.exe
                        /suac
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:864
                      • C:\Users\Admin\AppData\Local\Temp\7skk3s71ys7q.exe
                        "C:\Users\Admin\AppData\Local\Temp\7skk3s71ys7q.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:268
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im K480101741BH.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1948
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im K480101741BH.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1140
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\booking\data"
                  7⤵
                  • Views/modifies file attributes
                  PID:1112
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 4
                  7⤵
                  • Delays execution with timeout.exe
                  PID:568
            • C:\Windows\SysWOW64\timeout.exe
              timeout 8
              5⤵
              • Delays execution with timeout.exe
              PID:872
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "-2112777347119662564316717971201258821549-214332214317250074-13439356551356107061"
        1⤵
          PID:1712
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1636

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\Local\Temp\7skk3s71ys7q.exe

            MD5

            85f0fb9dafac47fb151d2a33f6556112

            SHA1

            0e021df3e0a91983c34bc9620bbcd6c9aa74edd7

            SHA256

            fea0fdad9f440f68feb5c3b6f4952a952375397a6220c253fe7d3eeb15523397

            SHA512

            1a11801302042dde8706cb0a0f6ad27650d74396bf270bc0a0cc3969370d2324de20f46c4a619b6f275586e87fe489b80dfe69c70712c175c881740a14bfa9b1

          • C:\Users\Admin\AppData\Local\Temp\yokc711s3gmuw31_1.exe

            MD5

            3b65b072503385254773acf8b3192a7e

            SHA1

            50b06faf9b45ca1fbb3d30d8c0974a153d17855b

            SHA256

            e28c66491d701757a7b370aae235521e5e409edc45a1a90b544b4fb704324f70

            SHA512

            8b5203cfe8b2413f5678c6ca999ae6a8f6ec5328dc74994d334e47e80cc6f51d3a4aa6efe5940b124fc5630a71ee85c15102f45f22a631a4c8deb4dc7d825b20

          • C:\booking\data\445.bat

            MD5

            3c4875cff185c701a9f28f58ead13d33

            SHA1

            7585bca806fdeb727177c3fba6c371aa8d9c2951

            SHA256

            ad8c7a4cc068b36c5227b9076fe60e0529f080a6a849f8764750e2c173a0bf96

            SHA512

            ad9404fad164a57eb9577ff2569f5e237901d2a03059267d032d5b853dd2d8f5bf50375c981baf2064ee3b0b9cb8929eccc32c920843bba43fb4f7cdde7cd972

          • C:\booking\data\K480101741BH.exe

            MD5

            061f64173293969577916832be29b90d

            SHA1

            b05b80385de20463a80b6c9c39bd1d53123aab9b

            SHA256

            34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

            SHA512

            66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

          • C:\booking\data\fbk.vbs

            MD5

            12c302b2a7afa9d52bbc04875144319f

            SHA1

            5c5b5a2024a0f2838a0d94268282ad95ba388b25

            SHA256

            3e8e92c822501efaae4e4ae0c4e63d6822bc5aa5e2178ab5f5cf6bb74c77e283

            SHA512

            18b197db47f2bb2853de592a672a321f4188722eb48fd6165f9bc6d9f3dfe69dff2c0fdc49f9e5cfe939722c9ce47dd5dc31424619660c6e745122f5590a022f

          • C:\booking\data\lip

            MD5

            f75ae8515bc7bc47354f22b6b4f20046

            SHA1

            03b1dc027bac21b149337e07d2d1f4af363cb6f4

            SHA256

            2e5c9d234c85488239cc3c55ed2053ae166222bdb668defe9c3bd0d93ece632a

            SHA512

            cdd90aaed29aac6e91fcb964480379e0e114b363c5e286d51e22ea1e617364319989143b205298dd15e875d8f349f2bec54001480e31d01acbb95e4eeaaad255

          • C:\booking\data\modylsid.exe

            MD5

            3b65b072503385254773acf8b3192a7e

            SHA1

            50b06faf9b45ca1fbb3d30d8c0974a153d17855b

            SHA256

            e28c66491d701757a7b370aae235521e5e409edc45a1a90b544b4fb704324f70

            SHA512

            8b5203cfe8b2413f5678c6ca999ae6a8f6ec5328dc74994d334e47e80cc6f51d3a4aa6efe5940b124fc5630a71ee85c15102f45f22a631a4c8deb4dc7d825b20

          • C:\booking\data\start1.bat

            MD5

            0ccf45b2c7aad8f25d8a8f3a6ff7b620

            SHA1

            7785a6d2b22a8b64dd549bc0a8a08a85b6404525

            SHA256

            8df03bfad7860d4f609e48de215c6f40fbb0de78bdaeb08fdf3409e722585efb

            SHA512

            3fb8dd5fa9cdbb59d5d195e66f6108954c4a89b358a2f75bbb6e03739a67965ead3d91a24a648a4204fc32c6d753815e4cf98e17a2fdc5913704c28fdb159f6c

          • C:\booking\data\startbook.vbs

            MD5

            594e0cb7f4486880945b986f1adf9f49

            SHA1

            8155f7be615cd60017a1af07aac17801de2a64ba

            SHA256

            265d486a8fac96e0c3ce1309c50bcb88b0a37f739e533ed92483fe66b946c220

            SHA512

            3093b6e45fc17654e2419b08d6519dd891afd1672bcf6e61c77dca19258ae8bf7d46db98facb38e0a27527cae865a8d1445d8546be78af6cbc465e5fd56d87c4

          • \Users\Admin\AppData\Local\Temp\7skk3s71ys7q.exe

            MD5

            85f0fb9dafac47fb151d2a33f6556112

            SHA1

            0e021df3e0a91983c34bc9620bbcd6c9aa74edd7

            SHA256

            fea0fdad9f440f68feb5c3b6f4952a952375397a6220c253fe7d3eeb15523397

            SHA512

            1a11801302042dde8706cb0a0f6ad27650d74396bf270bc0a0cc3969370d2324de20f46c4a619b6f275586e87fe489b80dfe69c70712c175c881740a14bfa9b1

          • \Users\Admin\AppData\Local\Temp\yokc711s3gmuw31_1.exe

            MD5

            3b65b072503385254773acf8b3192a7e

            SHA1

            50b06faf9b45ca1fbb3d30d8c0974a153d17855b

            SHA256

            e28c66491d701757a7b370aae235521e5e409edc45a1a90b544b4fb704324f70

            SHA512

            8b5203cfe8b2413f5678c6ca999ae6a8f6ec5328dc74994d334e47e80cc6f51d3a4aa6efe5940b124fc5630a71ee85c15102f45f22a631a4c8deb4dc7d825b20

          • \booking\data\K480101741BH.exe

            MD5

            061f64173293969577916832be29b90d

            SHA1

            b05b80385de20463a80b6c9c39bd1d53123aab9b

            SHA256

            34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

            SHA512

            66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

          • \booking\data\modylsid.exe

            MD5

            3b65b072503385254773acf8b3192a7e

            SHA1

            50b06faf9b45ca1fbb3d30d8c0974a153d17855b

            SHA256

            e28c66491d701757a7b370aae235521e5e409edc45a1a90b544b4fb704324f70

            SHA512

            8b5203cfe8b2413f5678c6ca999ae6a8f6ec5328dc74994d334e47e80cc6f51d3a4aa6efe5940b124fc5630a71ee85c15102f45f22a631a4c8deb4dc7d825b20

          • memory/268-132-0x0000000000000000-mapping.dmp

          • memory/296-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

            Filesize

            8KB

          • memory/464-71-0x0000000000000000-mapping.dmp

          • memory/568-105-0x0000000000000000-mapping.dmp

          • memory/756-77-0x0000000000000000-mapping.dmp

          • memory/788-112-0x0000000001EF0000-0x0000000001EFC000-memory.dmp

            Filesize

            48KB

          • memory/788-96-0x00000000004015C6-mapping.dmp

          • memory/788-95-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/788-110-0x0000000000250000-0x000000000025D000-memory.dmp

            Filesize

            52KB

          • memory/788-108-0x0000000000440000-0x00000000004A6000-memory.dmp

            Filesize

            408KB

          • memory/788-107-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/788-109-0x0000000000240000-0x0000000000241000-memory.dmp

            Filesize

            4KB

          • memory/788-111-0x0000000000510000-0x0000000000511000-memory.dmp

            Filesize

            4KB

          • memory/812-84-0x0000000000000000-mapping.dmp

          • memory/860-82-0x0000000000000000-mapping.dmp

          • memory/864-127-0x0000000000000000-mapping.dmp

          • memory/872-79-0x0000000000000000-mapping.dmp

          • memory/904-86-0x0000000000000000-mapping.dmp

          • memory/968-74-0x0000000000000000-mapping.dmp

          • memory/1112-103-0x0000000000000000-mapping.dmp

          • memory/1140-101-0x0000000000000000-mapping.dmp

          • memory/1196-136-0x0000000003BD0000-0x0000000003BD6000-memory.dmp

            Filesize

            24KB

          • memory/1636-130-0x0000000003A60000-0x0000000003A66000-memory.dmp

            Filesize

            24KB

          • memory/1692-124-0x00000000022B0000-0x00000000023D6000-memory.dmp

            Filesize

            1.1MB

          • memory/1692-64-0x0000000000000000-mapping.dmp

          • memory/1796-113-0x0000000000000000-mapping.dmp

          • memory/1796-125-0x00000000007F0000-0x0000000000870000-memory.dmp

            Filesize

            512KB

          • memory/1796-116-0x00000000770B0000-0x0000000077230000-memory.dmp

            Filesize

            1.5MB

          • memory/1796-122-0x0000000000650000-0x0000000000651000-memory.dmp

            Filesize

            4KB

          • memory/1796-121-0x0000000000660000-0x000000000066C000-memory.dmp

            Filesize

            48KB

          • memory/1796-117-0x0000000000510000-0x0000000000636000-memory.dmp

            Filesize

            1.1MB

          • memory/1796-115-0x0000000073FF1000-0x0000000073FF3000-memory.dmp

            Filesize

            8KB

          • memory/1808-91-0x0000000000000000-mapping.dmp

          • memory/1856-66-0x0000000000000000-mapping.dmp

          • memory/1948-99-0x0000000000000000-mapping.dmp

          • memory/1972-60-0x0000000000000000-mapping.dmp