Analysis

  • max time kernel
    600s
  • max time network
    594s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-05-2021 08:21

General

  • Target

    CFDI_Manager_54704.exe

  • Size

    3.5MB

  • MD5

    f7e4a28f1ed37123d6e0851e573cd640

  • SHA1

    8068ea253bafbdbdf2647f264d5a8d5405e8772c

  • SHA256

    3a2c441a96936c089c1444f4cd50436593fcd43a18c80a1699fc6b2d62dd6907

  • SHA512

    5a370cb4c0e592141dea9c6b2494548105ad108666353f383e06253171df988781dab6c19bebafb5d1107348ffec92cd329cad4aef02ad974eda258b0d4f531d

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTP

    Modifies file attributes so that the file is not shown in Explorer and similar tools.

  • Checks BIOS information in registry 2 TTPs 1 IoC

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTP 1 IoC
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoC
  • Enumerates physical storage devices 1 TTP

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTP 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTP 1 IoC
  • Modifies Internet Explorer settings 1 TTP 1 IoC
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTP 1 IoC
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTP 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe
    "C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\site1\conf\pe.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\site1\conf\uiy.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:200
        • C:\Windows\SysWOW64\timeout.exe
          timeout 0
          4⤵
          • Delays execution with timeout.exe
          PID:2316
        • C:\Windows\SysWOW64\PING.EXE
          ping dhgfg sgudy
          4⤵
          • Runs ping.exe
          PID:936
        • C:\site1\conf\csvr.exe
          "csvr.exe" e -p1vartanderkoolermaster lol.rar
          4⤵
          • Executes dropped EXE
          PID:1128
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:2052
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\site1\conf\biling.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\site1\conf\site.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3356
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\site1\conf"
              6⤵
              • Views/modifies file attributes
              PID:700
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:1960
            • C:\site1\conf\psi.exe
              psi.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3792
              • C:\site1\conf\psi.exe
                psi.exe /start
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:500
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  8⤵
                  • Modifies firewall policy service
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies Internet Explorer Protected Mode
                  • Modifies Internet Explorer Protected Mode Banner
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2204
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im csvr.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3232
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im csvr.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2232
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\site1\conf\psi.exe"
              6⤵
              • Views/modifies file attributes
              PID:2112
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:1568
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:3952

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\site1\conf\8rt.jog

    MD5

    e349fbe030e2524e041f3f60d110b7c7

    SHA1

    763bfa5803bda9d740ff2e31c350e745397308f9

    SHA256

    47a1389daec3f031b2232e7e0dcec00b84f0e4e83bff64ccdcd6b9dbd41e64d8

    SHA512

    ed583faa84bae3f70b0acf89f7b6da08b34633a0bcb766480375ce18c5a26bb15891406f3657eacbb6367d14c97a79bbbdddc39fcb6410eeec33735b34b10129

  • C:\site1\conf\biling.vbs

    MD5

    70f8a68b9e1e00708c64e1d1fec715f4

    SHA1

    63247e2afb4b30892d1d23a903393043abc5a214

    SHA256

    04cff1c0dbbc09f19df77f4b1d2481440c7f408260e95e661ec33ee542bf3cd7

    SHA512

    dd49ac3beefd21484a6e90d8a9d250e63cd2e78bd7fe3916a668316d6b84ec47bb3e6ba680e5a13200e68648d508da0fa5ee4294c425d3f041cee60e86ef4501

  • C:\site1\conf\csvr.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\site1\conf\pe.vbs

    MD5

    b022334d0c60338f90e47e2478873d7a

    SHA1

    19c094781ad40ef0efa617cb1fb92d127bdecb7b

    SHA256

    c95053b468dd6b1623432f7676b81bbb43480959537da737fe270f4a8d195ca3

    SHA512

    34e9bc989e52a53e96a6d0e9c11b5d3c8367f3c16ef73101d63dfc3a9464d559430717df109d32dd1dfcdc67763e8824699701785787cbf0a6a38fdf20a7b16c

  • C:\site1\conf\psi.exe

    MD5

    7c1588678299109e5bdf37f40102ef99

    SHA1

    f1e513bef9fc691d5f2eba139c6805e32f5268ee

    SHA256

    a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78

    SHA512

    6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7

  • C:\site1\conf\site.bat

    MD5

    8b653c0a3c307777b9cdc2ec28aac98b

    SHA1

    936f2c75461b8a98b55e4d88ccc3e41088e2d584

    SHA256

    f37a565dfd33a94efbb04d04bd8dd1f60b1d42bc9427d3fff4060b51fd318e2f

    SHA512

    16ca9304fea272ec3b3539024df6496119d26774812f9b0119acef33b2837fa60a91ef0389c84718c51a3483339be671dc548904b39bc35057d868c7e0452cdf

  • C:\site1\conf\uiy.bat

    MD5

    f6eb567c6e72344762fe0f1e4223990b

    SHA1

    9a200a0c123c22cbca10e6d16f97eeb63835ab2d

    SHA256

    2ab47d3082c64105d769c62bf96a8c5d05cd19dba6d7728da291041dbeea4a65

    SHA512

    0f49fef4d52d192ece9d228df8fd3acdf9c801c9f6039c0aa6c717d8710a87c41593fbfe1aa2ce45806f5dcd4e8c12562e2a2a20734a16fab88dc661dacd4805

  • memory/200-118-0x0000000000000000-mapping.dmp

  • memory/500-153-0x0000000002650000-0x0000000002651000-memory.dmp

    Filesize

    4KB

  • memory/500-142-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

  • memory/500-139-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/500-141-0x0000000000470000-0x000000000047D000-memory.dmp

    Filesize

    52KB

  • memory/500-143-0x0000000002660000-0x000000000266C000-memory.dmp

    Filesize

    48KB

  • memory/500-136-0x00000000004015C6-mapping.dmp

  • memory/500-135-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/500-140-0x0000000002180000-0x00000000021E6000-memory.dmp

    Filesize

    408KB

  • memory/700-130-0x0000000000000000-mapping.dmp

  • memory/700-115-0x0000000000000000-mapping.dmp

  • memory/936-121-0x0000000000000000-mapping.dmp

  • memory/1040-114-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

  • memory/1128-122-0x0000000000000000-mapping.dmp

  • memory/1568-146-0x0000000000000000-mapping.dmp

  • memory/1960-131-0x0000000000000000-mapping.dmp

  • memory/2052-124-0x0000000000000000-mapping.dmp

  • memory/2112-145-0x0000000000000000-mapping.dmp

  • memory/2204-151-0x0000000000F40000-0x0000000000F63000-memory.dmp

    Filesize

    140KB

  • memory/2204-147-0x0000000000000000-mapping.dmp

  • memory/2204-148-0x0000000000F90000-0x00000000013CF000-memory.dmp

    Filesize

    4.2MB

  • memory/2204-150-0x0000000003680000-0x00000000037A6000-memory.dmp

    Filesize

    1.1MB

  • memory/2204-152-0x0000000000F40000-0x0000000000F63000-memory.dmp

    Filesize

    140KB

  • memory/2204-156-0x00000000063C0000-0x00000000063C2000-memory.dmp

    Filesize

    8KB

  • memory/2232-144-0x0000000000000000-mapping.dmp

  • memory/2316-120-0x0000000000000000-mapping.dmp

  • memory/3232-138-0x0000000000000000-mapping.dmp

  • memory/3356-129-0x0000000000000000-mapping.dmp

  • memory/3792-132-0x0000000000000000-mapping.dmp

  • memory/3952-127-0x0000000000000000-mapping.dmp

  • memory/4072-126-0x0000000000000000-mapping.dmp