Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-05-2021 22:03

General

  • Target

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

  • Size

    3.5MB

  • MD5

    0e767b6049616a694034d8158a1d0145

  • SHA1

    e8139d5fe7161b71da47193646e5d583f4c4bc88

  • SHA256

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0

  • SHA512

    31e79500ea24800c4d266aa0f1f1b0411ca2533e8e098b468a491b5d8769ae38601d45d9ec43074be689eace923ff37480dcd3691f248312eebb22e624ef9ded

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTP

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoC

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTP 1 IoC
  • Drops desktop.ini file(s) 1 IoC
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTP

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTP 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTP 1 IoC
  • Modifies Internet Explorer settings 1 TTP 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoC
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTP 2 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1252
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1288
        • C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
          "C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1200
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\log\cnvk\yioi.bat" "
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1368
              • C:\Windows\SysWOW64\timeout.exe
                timeout 0
                5⤵
                • Delays execution with timeout.exe
                PID:1720
              • C:\log\cnvk\sbn.exe
                "sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
                5⤵
                • Executes dropped EXE
                PID:432
              • C:\Windows\SysWOW64\timeout.exe
                timeout 4
                5⤵
                • Delays execution with timeout.exe
                PID:824
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1532
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\log\cnvk\p541seed.bat" "
                  6⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:992
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\log\"
                    7⤵
                    • Views/modifies file attributes
                    PID:1068
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 2
                    7⤵
                    • Delays execution with timeout.exe
                    PID:640
                  • C:\log\cnvk\brokerf.exe
                    brokerf.exe /start
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:672
                    • C:\log\cnvk\brokerf.exe
                      brokerf.exe /start
                      8⤵
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1440
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        9⤵
                        • Modifies firewall policy service
                        • Checks BIOS information in registry
                        • Loads dropped DLL
                        • Adds Run key to start application
                        • Drops desktop.ini file(s)
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        • Modifies Internet Explorer Protected Mode
                        • Modifies Internet Explorer Protected Mode Banner
                        • Modifies Internet Explorer settings
                        • NTFS ADS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of AdjustPrivilegeToken
                        PID:268
                        • C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe
                          /suac
                          10⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:1712
                        • C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe
                          "C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe"
                          10⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:1584
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im sbn.exe
                    7⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1920
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im sbn.exe
                    7⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1520
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib -s -h "C:\log\cnvk\brokerf.exe"
                    7⤵
                    • Views/modifies file attributes
                    PID:1540
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 6
                    7⤵
                    • Delays execution with timeout.exe
                    PID:1736
              • C:\Windows\SysWOW64\timeout.exe
                timeout 6
                5⤵
                • Delays execution with timeout.exe
                PID:1072
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "34292233716930543511386088397416748714-543701515-345788923769361485412797549"
        1⤵
          PID:912
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1068

          Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe

            MD5

            07f2ddc571ace474d3d7c0e5efd051a2

            SHA1

            ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8

            SHA256

            4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f

            SHA512

            4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

          • C:\Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • C:\log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • C:\log\cnvk\config.pfps

            MD5

            74938c40bb1e343a5f7fee8ce12636fd

            SHA1

            102a9af450b63e4e29fcb8221b783a6f0e657fc7

            SHA256

            48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f

            SHA512

            953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

          • C:\log\cnvk\ftoris.vbs

            MD5

            0bd7eb0367eea35fa03b8baf753e3dbf

            SHA1

            5d99d076b6094be05ab24b292fab8b51a81926b5

            SHA256

            b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d

            SHA512

            1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

          • C:\log\cnvk\oll.vbs

            MD5

            aad7b3fbdc2b543dd2cc773d89d8bc17

            SHA1

            4b680e56de180c6674f86f0e228eaf7801ef182e

            SHA256

            a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75

            SHA512

            9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

          • C:\log\cnvk\p541seed.bat

            MD5

            fb6bc7bd7f1d2813765c0dd42d96d62d

            SHA1

            c6d3306967de66dcbcd4340269a5c9ff62ede54f

            SHA256

            ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da

            SHA512

            572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

          • C:\log\cnvk\sbn.exe

            MD5

            7acbec84b096b08259d9bf7f358aab7e

            SHA1

            00b8e3575bb33447628a90826bdc4c6b2d7e7a19

            SHA256

            6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c

            SHA512

            2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

          • C:\log\cnvk\yioi.bat

            MD5

            b9c02e786af554bf4e548d218cb59406

            SHA1

            1afcdfc05077c6fe8367e005532af76dbe890c63

            SHA256

            9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd

            SHA512

            6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

          • \Users\Admin\AppData\Local\Temp\aq3uo73eww5mk5.exe

            MD5

            07f2ddc571ace474d3d7c0e5efd051a2

            SHA1

            ddb49e4e422c5a7a6e9db9c92776c2531bf10ca8

            SHA256

            4524311e34beb91833ab812e17dc231724539c892dfeacd24ccdd8c2951a1b8f

            SHA512

            4d453dfe4d4b642a71917efd75f2f4aebf8d3e964f3be589a643694d633ed5f7934c1a392559a264ba870746da122735dc7999ad4cc40d58f19a60d04e20ae3e

          • \Users\Admin\AppData\Local\Temp\s75g5e1117oww_1.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\brokerf.exe

            MD5

            1e7da6a53a16210ffaaf28feaa1a38ad

            SHA1

            a6559654ef5b0b5fb9b006ee7b411cf962177dba

            SHA256

            f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

            SHA512

            fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

          • \log\cnvk\sbn.exe

            MD5

            7acbec84b096b08259d9bf7f358aab7e

            SHA1

            00b8e3575bb33447628a90826bdc4c6b2d7e7a19

            SHA256

            6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c

            SHA512

            2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

          • memory/268-103-0x0000000000000000-mapping.dmp

          • memory/268-116-0x00000000009A0000-0x00000000009A2000-memory.dmp

            Filesize

            8KB

          • memory/268-105-0x0000000074981000-0x0000000074983000-memory.dmp

            Filesize

            8KB

          • memory/268-106-0x0000000077AE0000-0x0000000077C60000-memory.dmp

            Filesize

            1.5MB

          • memory/268-107-0x0000000000230000-0x000000000037D000-memory.dmp

            Filesize

            1.3MB

          • memory/268-111-0x0000000000460000-0x000000000046C000-memory.dmp

            Filesize

            48KB

          • memory/268-112-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

          • memory/432-71-0x0000000000000000-mapping.dmp

          • memory/640-83-0x0000000000000000-mapping.dmp

          • memory/672-87-0x0000000000000000-mapping.dmp

          • memory/772-61-0x0000000000240000-0x0000000000241000-memory.dmp

            Filesize

            4KB

          • memory/772-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

            Filesize

            8KB

          • memory/824-74-0x0000000000000000-mapping.dmp

          • memory/992-115-0x0000000001F40000-0x0000000001FD4000-memory.dmp

            Filesize

            592KB

          • memory/992-81-0x0000000000000000-mapping.dmp

          • memory/1068-126-0x0000000003A60000-0x0000000003A66000-memory.dmp

            Filesize

            24KB

          • memory/1068-82-0x0000000000000000-mapping.dmp

          • memory/1072-78-0x0000000000000000-mapping.dmp

          • memory/1200-62-0x0000000000000000-mapping.dmp

          • memory/1288-127-0x00000000021D0000-0x00000000021D6000-memory.dmp

            Filesize

            24KB

          • memory/1368-66-0x0000000000000000-mapping.dmp

          • memory/1440-98-0x00000000002A0000-0x0000000000306000-memory.dmp

            Filesize

            408KB

          • memory/1440-100-0x0000000000240000-0x000000000024D000-memory.dmp

            Filesize

            52KB

          • memory/1440-97-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1440-101-0x0000000000500000-0x0000000000501000-memory.dmp

            Filesize

            4KB

          • memory/1440-102-0x0000000001ED0000-0x0000000001EDC000-memory.dmp

            Filesize

            48KB

          • memory/1440-90-0x00000000004015C6-mapping.dmp

          • memory/1440-89-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1440-99-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

          • memory/1520-94-0x0000000000000000-mapping.dmp

          • memory/1532-77-0x0000000000000000-mapping.dmp

          • memory/1540-95-0x0000000000000000-mapping.dmp

          • memory/1584-122-0x0000000000000000-mapping.dmp

          • memory/1712-118-0x0000000000000000-mapping.dmp

          • memory/1720-68-0x0000000000000000-mapping.dmp

          • memory/1736-114-0x0000000002050000-0x000000000219D000-memory.dmp

            Filesize

            1.3MB

          • memory/1736-96-0x0000000000000000-mapping.dmp

          • memory/1920-93-0x0000000000000000-mapping.dmp