Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-05-2021 21:52

General

  • Target

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

  • Size

    3.5MB

  • MD5

    0e767b6049616a694034d8158a1d0145

  • SHA1

    e8139d5fe7161b71da47193646e5d583f4c4bc88

  • SHA256

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0

  • SHA512

    31e79500ea24800c4d266aa0f1f1b0411ca2533e8e098b468a491b5d8769ae38601d45d9ec43074be689eace923ff37480dcd3691f248312eebb22e624ef9ded

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
        "C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\log\cnvk\yioi.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\SysWOW64\timeout.exe
              timeout 0
              5⤵
              • Delays execution with timeout.exe
              PID:980
            • C:\log\cnvk\sbn.exe
              "sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
              5⤵
              • Executes dropped EXE
              PID:820
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              5⤵
              • Delays execution with timeout.exe
              PID:864
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1668
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\log\cnvk\p541seed.bat" "
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:572
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\log\"
                  7⤵
                  • Views/modifies file attributes
                  PID:1648
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1260
                • C:\log\cnvk\brokerf.exe
                  brokerf.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1400
                  • C:\log\cnvk\brokerf.exe
                    brokerf.exe /start
                    8⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1780
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      9⤵
                      • Modifies firewall policy service
                      • Checks BIOS information in registry
                      • Loads dropped DLL
                      • Adds Run key to start application
                      • Drops desktop.ini file(s)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • NTFS ADS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1084
                      • C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe
                        /suac
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1504
                      • C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe
                        "C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:1760
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im sbn.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1368
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im sbn.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1688
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\log\cnvk\brokerf.exe"
                  7⤵
                  • Views/modifies file attributes
                  PID:400
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 6
                  7⤵
                  • Delays execution with timeout.exe
                  PID:804
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              5⤵
              • Delays execution with timeout.exe
              PID:640
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1196
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "1406895149-1235333697-6211268171722296216-1992013981-17122753707052267971861869376"
        1⤵
          PID:1176
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:440

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\Local\Temp\geueci1ous7.exe

            MD5

            07f2ddc571ace474d3d7c0e5efd051a2

            SHA1

            ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8

            SHA256

            4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f

            SHA512

            4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

          • C:\Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • C:\log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • C:\log\cnvk\config.pfps

            MD5

            74938c40bb1e343a5f7fee8ce12636fd

            SHA1

            102a9af450b63e4e29fcb8221b783a6f0e657fc7

            SHA256

            48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f

            SHA512

            953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

          • C:\log\cnvk\ftoris.vbs

            MD5

            0bd7eb0367eea35fa03b8baf753e3dbf

            SHA1

            5d99d076b6094be05ab24b292fab8b51a81926b5

            SHA256

            b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d

            SHA512

            1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

          • C:\log\cnvk\oll.vbs

            MD5

            aad7b3fbdc2b543dd2cc773d89d8bc17

            SHA1

            4b680e56de180c6674f86f0e228eaf7801ef182e

            SHA256

            a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75

            SHA512

            9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

          • C:\log\cnvk\p541seed.bat

            MD5

            fb6bc7bd7f1d2813765c0dd42d96d62d

            SHA1

            c6d3306967de66dcbcd4340269a5c9ff62ede54f

            SHA256

            ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da

            SHA512

            572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

          • C:\log\cnvk\sbn.exe

            MD5

            7acbec84b096b08259d9bf7f358aab7e

            SHA1

            00b8e3575bb33447628a90826bdc4c6b2d7e7a19

            SHA256

            6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c

            SHA512

            2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

          • C:\log\cnvk\yioi.bat

            MD5

            b9c02e786af554bf4e548d218cb59406

            SHA1

            1afcdfc05077c6fe8367e005532af76dbe890c63

            SHA256

            9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd

            SHA512

            6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

          • \Users\Admin\AppData\Local\Temp\geueci1ous7.exe

            MD5

            07f2ddc571ace474d3d7c0e5efd051a2

            SHA1

            ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8

            SHA256

            4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f

            SHA512

            4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

          • \Users\Admin\AppData\Local\Temp\q315m5mq1_1.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\sbn.exe

            MD5

            7acbec84b096b08259d9bf7f358aab7e

            SHA1

            00b8e3575bb33447628a90826bdc4c6b2d7e7a19

            SHA256

            6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c

            SHA512

            2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

          • memory/400-99-0x0000000000000000-mapping.dmp

          • memory/440-126-0x00000000025A0000-0x00000000025A6000-memory.dmp

            Filesize

            24KB

          • memory/572-81-0x0000000000000000-mapping.dmp

          • memory/572-115-0x00000000020A0000-0x00000000021ED000-memory.dmp

            Filesize

            1.3MB

          • memory/640-78-0x0000000000000000-mapping.dmp

          • memory/804-100-0x0000000000000000-mapping.dmp

          • memory/804-114-0x00000000009D0000-0x0000000000B1D000-memory.dmp

            Filesize

            1.3MB

          • memory/820-71-0x0000000000000000-mapping.dmp

          • memory/864-74-0x0000000000000000-mapping.dmp

          • memory/980-68-0x0000000000000000-mapping.dmp

          • memory/1068-66-0x0000000000000000-mapping.dmp

          • memory/1084-103-0x0000000074B51000-0x0000000074B53000-memory.dmp

            Filesize

            8KB

          • memory/1084-116-0x0000000000A20000-0x0000000000A22000-memory.dmp

            Filesize

            8KB

          • memory/1084-107-0x00000000003E0000-0x00000000003EC000-memory.dmp

            Filesize

            48KB

          • memory/1084-109-0x0000000000160000-0x00000000002AD000-memory.dmp

            Filesize

            1.3MB

          • memory/1084-108-0x0000000077AA0000-0x0000000077C20000-memory.dmp

            Filesize

            1.5MB

          • memory/1084-101-0x0000000000000000-mapping.dmp

          • memory/1260-83-0x0000000000000000-mapping.dmp

          • memory/1272-127-0x0000000002960000-0x0000000002966000-memory.dmp

            Filesize

            24KB

          • memory/1368-93-0x0000000000000000-mapping.dmp

          • memory/1400-87-0x0000000000000000-mapping.dmp

          • memory/1504-118-0x0000000000000000-mapping.dmp

          • memory/1648-82-0x0000000000000000-mapping.dmp

          • memory/1668-77-0x0000000000000000-mapping.dmp

          • memory/1688-98-0x0000000000000000-mapping.dmp

          • memory/1760-122-0x0000000000000000-mapping.dmp

          • memory/1776-62-0x0000000000000000-mapping.dmp

          • memory/1780-104-0x00000000005D0000-0x00000000005D1000-memory.dmp

            Filesize

            4KB

          • memory/1780-94-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1780-90-0x00000000004015C6-mapping.dmp

          • memory/1780-89-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1780-95-0x0000000001CD0000-0x0000000001D36000-memory.dmp

            Filesize

            408KB

          • memory/1780-112-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

          • memory/1780-105-0x0000000000890000-0x000000000089C000-memory.dmp

            Filesize

            48KB

          • memory/1780-96-0x0000000000340000-0x000000000034D000-memory.dmp

            Filesize

            52KB

          • memory/1780-97-0x0000000000330000-0x0000000000331000-memory.dmp

            Filesize

            4KB

          • memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

            Filesize

            8KB

          • memory/2040-61-0x0000000000240000-0x0000000000241000-memory.dmp

            Filesize

            4KB