Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-05-2021 22:03

General

  • Target

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe

  • Size

    3.5MB

  • MD5

    0e767b6049616a694034d8158a1d0145

  • SHA1

    e8139d5fe7161b71da47193646e5d583f4c4bc88

  • SHA256

    15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0

  • SHA512

    31e79500ea24800c4d266aa0f1f1b0411ca2533e8e098b468a491b5d8769ae38601d45d9ec43074be689eace923ff37480dcd3691f248312eebb22e624ef9ded

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe
    "C:\Users\Admin\AppData\Local\Temp\15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\log\cnvk\ftoris.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\yioi.bat" "
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\timeout.exe
          timeout 0
          4⤵
          • Delays execution with timeout.exe
          PID:3856
        • C:\log\cnvk\sbn.exe
          "sbn.exe" e -pyu7y8y87ds8yhsd89scd99 37419879283209asda0su9jho90asdf0s9.rar
          4⤵
          • Executes dropped EXE
          PID:3832
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:3476
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\log\cnvk\oll.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\log\cnvk\p541seed.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:488
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\log\"
              6⤵
              • Views/modifies file attributes
              PID:1220
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:1380
            • C:\log\cnvk\brokerf.exe
              brokerf.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\log\cnvk\brokerf.exe
                brokerf.exe /start
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1808
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  8⤵
                  • Modifies firewall policy service
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies Internet Explorer Protected Mode
                  • Modifies Internet Explorer Protected Mode Banner
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3004
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im sbn.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2012
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im sbn.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2624
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\log\cnvk\brokerf.exe"
              6⤵
              • Views/modifies file attributes
              PID:2812
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              6⤵
              • Delays execution with timeout.exe
              PID:3056
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\log\cnvk\brokerf.exe

    MD5

    1e7da6a53a16210ffaaf28feaa1a38ad

    SHA1

    a6559654ef5b0b5fb9b006ee7b411cf962177dba

    SHA256

    f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3

    SHA512

    fe8213507d7fd56c1f54d13f9054341f92e4145195acba6f764b924c090ba1b0d788f2dac9a3bac747d733d111ff1adfe37a83e194ee07cf7bffa84da0c093f3

  • C:\log\cnvk\config.pfps

    MD5

    74938c40bb1e343a5f7fee8ce12636fd

    SHA1

    102a9af450b63e4e29fcb8221b783a6f0e657fc7

    SHA256

    48649028ecc8644c77faa53e2c7eb3c84811d4ff5d76965dfc123e7031bbde7f

    SHA512

    953425cb722318119c033293a676aac4eec93d95dbdcda727366d3cbc011c3a4e81953e300340015bd7bdbba7cfabdcaf55adc5e68ff7c18f542bb42dd7ab370

  • C:\log\cnvk\ftoris.vbs

    MD5

    0bd7eb0367eea35fa03b8baf753e3dbf

    SHA1

    5d99d076b6094be05ab24b292fab8b51a81926b5

    SHA256

    b5b186b0c9d71d1dc7024cc0dedb17df1f052c93a33f6af0cd4651362245be7d

    SHA512

    1f1452a1f1ac4d1687a50f6e405fda5517f53e46fc624675320b2e2d64de6bff7b4437a5e2e081d0cd81617cec50c0c6ef1d43bdc9387154af5616dcfc2a5cb6

  • C:\log\cnvk\oll.vbs

    MD5

    aad7b3fbdc2b543dd2cc773d89d8bc17

    SHA1

    4b680e56de180c6674f86f0e228eaf7801ef182e

    SHA256

    a0e42e327432a1fa0afb90ae4407671e9f6b6611a7db64c0f7c0cbb48c73be75

    SHA512

    9eb3a9203198458a2d52ce66355446939d7bc5c6c656efe1d0e03485f1b181ce65a7ebbfceb434b2535543e61e018e83720de2f4d72303af19796f3b7c9bfdbb

  • C:\log\cnvk\p541seed.bat

    MD5

    fb6bc7bd7f1d2813765c0dd42d96d62d

    SHA1

    c6d3306967de66dcbcd4340269a5c9ff62ede54f

    SHA256

    ae0c4df3946ecbc710c852b300a4450197881d7077c62b7cf2b612eacf2bb6da

    SHA512

    572fe41b1421e16ea5a99dcf5334924c0d1bf1cf7eaf3b3961c73c906c745e144feaffb813cb26d351c3b60f32c11a6d126a066f305d792ca1808d7cd9572e7d

  • C:\log\cnvk\sbn.exe

    MD5

    7acbec84b096b08259d9bf7f358aab7e

    SHA1

    00b8e3575bb33447628a90826bdc4c6b2d7e7a19

    SHA256

    6a7215d2253a7822d5e1907345b7311d9830d19bf5e01d4f674b0086ae06df5c

    SHA512

    2fed20945ed825e77c7bcd98294640ce89747ff1b428bfe4e782b9fd61493be5d4e5fb3ec3d341e33bffeb659654d47d62d623902bd821eab3e1b9ef88c18c23

  • C:\log\cnvk\yioi.bat

    MD5

    b9c02e786af554bf4e548d218cb59406

    SHA1

    1afcdfc05077c6fe8367e005532af76dbe890c63

    SHA256

    9d5adff2c0c256bdfe6537b1064cfaf9be420434d295b4c4b506949fe6d8eafd

    SHA512

    6f89efa5c09ed4a44c291185b98e3c50c7bd81b2adb931daab8f526646cc59fa42b889fb870b8603f24e2ab0a46f0d6ad00bed2cc92e44827a6c854f58541243

  • memory/488-155-0x0000000003610000-0x000000000375D000-memory.dmp

    Filesize

    1.3MB

  • memory/488-128-0x0000000000000000-mapping.dmp

  • memory/640-125-0x0000000000000000-mapping.dmp

  • memory/648-126-0x0000000000000000-mapping.dmp

  • memory/756-115-0x0000000000000000-mapping.dmp

  • memory/1220-129-0x0000000000000000-mapping.dmp

  • memory/1380-130-0x0000000000000000-mapping.dmp

  • memory/1688-131-0x0000000000000000-mapping.dmp

  • memory/1808-134-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1808-143-0x0000000000440000-0x000000000058A000-memory.dmp

    Filesize

    1.3MB

  • memory/1808-152-0x0000000002650000-0x0000000002651000-memory.dmp

    Filesize

    4KB

  • memory/1808-135-0x00000000004015C6-mapping.dmp

  • memory/1808-145-0x0000000002660000-0x000000000266C000-memory.dmp

    Filesize

    48KB

  • memory/1808-144-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

  • memory/1808-138-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/1808-142-0x0000000002160000-0x00000000021C6000-memory.dmp

    Filesize

    408KB

  • memory/2012-137-0x0000000000000000-mapping.dmp

  • memory/2624-139-0x0000000000000000-mapping.dmp

  • memory/2812-140-0x0000000000000000-mapping.dmp

  • memory/3004-148-0x0000000002C00000-0x0000000002D4D000-memory.dmp

    Filesize

    1.3MB

  • memory/3004-146-0x0000000000000000-mapping.dmp

  • memory/3004-147-0x0000000000100000-0x000000000053F000-memory.dmp

    Filesize

    4.2MB

  • memory/3004-149-0x0000000002890000-0x000000000289D000-memory.dmp

    Filesize

    52KB

  • memory/3004-151-0x0000000002E50000-0x0000000002F86000-memory.dmp

    Filesize

    1.2MB

  • memory/3004-153-0x0000000002E50000-0x0000000002F86000-memory.dmp

    Filesize

    1.2MB

  • memory/3004-156-0x0000000002E50000-0x0000000002F86000-memory.dmp

    Filesize

    1.2MB

  • memory/3056-141-0x0000000000000000-mapping.dmp

  • memory/3224-118-0x0000000000000000-mapping.dmp

  • memory/3476-123-0x0000000000000000-mapping.dmp

  • memory/3832-121-0x0000000000000000-mapping.dmp

  • memory/3856-120-0x0000000000000000-mapping.dmp

  • memory/4660-114-0x00000000008B0000-0x00000000008B1000-memory.dmp

    Filesize

    4KB