Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    31-05-2021 13:47

General

  • Target

    sample.js

  • Size

    67KB

  • MD5

    3e7159f1fbfbe75bfafde72feb1bf94f

  • SHA1

    4e8a7b7c3d52b965bea11c53829334bb0dc908c3

  • SHA256

    a5122b7a02ae525036dbef78c6d6042a8c2cd4888a6451c2baca96a0a68ed259

  • SHA512

    0beb743a0a4fe2e78483a2bd580eab205a879653ec8c84db6d5ac19c61cc2302df472b9c3f06698c3f5708638b6e7b05fdde310c35bea5b38e23690f91642245

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\video.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\win23.bat" "
          4⤵
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\SysWOW64\timeout.exe
            timeout 0
            5⤵
            • Delays execution with timeout.exe
            PID:1820
          • C:\Windows\SysWOW64\PING.EXE
            ping edwtq ewqdztw d8twd7
            5⤵
            • Runs ping.exe
            PID:2424
          • C:\5jhc441685fd778294a59039\updtcp\portable.exe
            "portable.exe" e -pIUASU7yyadsih8i32d8hadshias tcp.rar
            5⤵
            • Executes dropped EXE
            PID:788
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6
            5⤵
            • Delays execution with timeout.exe
            PID:64
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\5jhc441685fd778294a59039\updtcp\khg389214.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2068
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\5jhc441685fd778294a59039\updtcp\wier.bat" "
              6⤵
              • Checks whether UAC is enabled
              • Maps connected drives based on registry
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2420
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +h "C:\5jhc441685fd778294a59039"
                7⤵
                • Views/modifies file attributes
                PID:3496
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                7⤵
                • Delays execution with timeout.exe
                PID:3400
              • C:\5jhc441685fd778294a59039\updtcp\psh.exe
                psh.exe /start
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\5jhc441685fd778294a59039\updtcp\psh.exe
                  psh.exe /start
                  8⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3568
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    9⤵
                    • Modifies firewall policy service
                    • Checks BIOS information in registry
                    • Adds Run key to start application
                    • Drops desktop.ini file(s)
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Enumerates system info in registry
                    • Modifies Internet Explorer Protected Mode
                    • Modifies Internet Explorer Protected Mode Banner
                    • Modifies Internet Explorer settings
                    • NTFS ADS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4060
                    • C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe
                      /suac
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:2732
                    • C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe
                      "C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:2340
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im portable.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3944
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im portable.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2696
              • C:\Windows\SysWOW64\attrib.exe
                attrib -s -h "C:\5jhc441685fd778294a59039\updtcp\psh.exe"
                7⤵
                • Views/modifies file attributes
                PID:2740
              • C:\Windows\SysWOW64\timeout.exe
                timeout 4
                7⤵
                • Delays execution with timeout.exe
                PID:3280
          • C:\Windows\SysWOW64\timeout.exe
            timeout 7
            5⤵
            • Delays execution with timeout.exe
            PID:1968

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\5jhc441685fd778294a59039\updtcp\khg389214.vbs

    MD5

    ec4694dbfd7699e4d15181d6c4fa1818

    SHA1

    3d7424eac4f9d4c199e4a10bbb664d0794301b25

    SHA256

    1e853f2a93fd8c4763b48339a0a8a154a553c5e0dad1d763d60085491986c806

    SHA512

    049c2b3390770fd5777eaba9e78239fc5e8250cfcd8f1154b0244ba00412377e6c353c7b3b600b23196bf85cc525f67ecff7da7f42a031c3bf6138bc51518d56

  • C:\5jhc441685fd778294a59039\updtcp\portable.exe

    MD5

    af8f66afc7877cfa7fd23a532916ec96

    SHA1

    df0fb0fb8c1a77872d8de28416fff394f1a6aec1

    SHA256

    b0197158ca288dae24b2335515ebfa7a3ddf78dba0ff344118fbc1cfb8b75a68

    SHA512

    508578541d239e029e6ae3faaf1ebea45292bdba6ad2262cda3dba78bd026c9d9273756f2459ae0118cac5b3690fd83935be692a48fda89539a553fe4786dcd0

  • C:\5jhc441685fd778294a59039\updtcp\psh.exe

    MD5

    b51fde142cb8410161f4c51ed213baa3

    SHA1

    310b2e40b998157e36dc2b805d5580199bb2d467

    SHA256

    d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba

    SHA512

    82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076

  • C:\5jhc441685fd778294a59039\updtcp\tcpport21

    MD5

    af02568d8919fc4cb567a40ae21d25ec

    SHA1

    7e98bdb23e6b44332afcfe5f3a099016b7dad279

    SHA256

    a5d15ee0959085dab12cd7dd12da181444cc063e4e3e20a7d17319105097c6fd

    SHA512

    933d7a29ff7166ee9514fd3548597739ca293eb9094097ec716b51949e5f3f733d379ed03175ce29f25424ad62d794ab8df1dd5625653d4fbd2b75a8b2caa920

  • C:\5jhc441685fd778294a59039\updtcp\video.vbs

    MD5

    87b123f86cda5a902af0f3c3673ebae0

    SHA1

    a93f593da9e18343eb7cbc4a8df8eefaae31e179

    SHA256

    a5c96e4fd40ef2ae88fe66fa38178020b69059a2765614e6aa671f46057ef5c0

    SHA512

    fe5e78bb66304e1b4ed13eafd3cb93816511941756ecfa613aaaeba7a0f468aad7e2dfece27f124b5db79a8afe1fb655ef2bd3d6bbd9eb4d42e457dd42775b2f

  • C:\5jhc441685fd778294a59039\updtcp\wier.bat

    MD5

    d8cf8ebd43d707b8f7ac09dca3f69e89

    SHA1

    8425069acebb996f4517cfc62fb65de3b9315b8c

    SHA256

    c8c84a5c185cdfcecaafcee8e927fb8024d7e42a86f7b88437cf64f027a3fc7f

    SHA512

    4c4a6bbd6820ccc7ff49ca6feae3055a8357fb3747e0c116239f8cdeac1bdc679df6825c822e7be7ec286065fb21f2f33275ddbcb80bcc51a75c6f2752ba5798

  • C:\5jhc441685fd778294a59039\updtcp\win23.bat

    MD5

    e3e6e937b62671102f2d588c3b63dadd

    SHA1

    2059e852dd09a1f9dc22655c3a52ad29e4d9ce70

    SHA256

    762f9ddb99827165175408a90ab56139ed9d8c88d8c9cfec4871ec286d3b6016

    SHA512

    cc52bb6ee086f2dac9c93d101c747731c3a5bed6b4ea3c9c27796ee135bca91c89a90f41b119f137049f09f6f459193c593d3ff48343dc35ba6dfb2ef2077f05

  • C:\Users\Admin\AppData\Local\Temp\3m3cu9i5s3.exe

    MD5

    2abb9a0fbbbc79ad7813fe461d6cf84d

    SHA1

    1c0f4652edc982c1f395410a150c4a86036b3868

    SHA256

    4cbcbf9b7c7a1409be0f7829def9cbca6a703e6bde0400256ca0d038d0bf056a

    SHA512

    ca5f6e295c702684a4d83d67ee75a0b372f2c7f77277f79cb58f331d5ccfec82bda0897455c136dfbb00f3bf5a30175d5b84607f55b50259b1833e69ffb56684

  • C:\Users\Admin\AppData\Local\Temp\7991i79wo_1.exe

    MD5

    b51fde142cb8410161f4c51ed213baa3

    SHA1

    310b2e40b998157e36dc2b805d5580199bb2d467

    SHA256

    d342c9bee8477aa97acd123b15899b50bc89e1e5b3451d42f8e64785e4bbecba

    SHA512

    82568d8f34db5421a6e1756e841d1a6f765987401b4f7d3389365e11b0967e30b1380e1db028dfb267a2c341b954c2507a725afb2941b3ba51e998601b6ba076

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\692915.dat

    MD5

    6bb45c53fc7f643cb2c20a59801e9a9d

    SHA1

    7820e7a2ce24022683f15bc651d1d824ae738b7e

    SHA256

    d0e95b938160932bf633ae1d6469ad9ace641d5a54fd567c1b9462bd62934f82

    SHA512

    3f93cf01c93a5942b8df9faa8f7c44c3965d84f89f71c559698c0bf53162acc2e3a83b54e98b1cd77c5ff500f14b6e98bdc921b5dbd3ea135f7a99d1ca0a5d61
