Overview

overview

10

Static

static

CFDI_826271_53535.exe

windows7_x64

10

CFDI_826271_53535.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-07-2022 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CFDI_826271_53535.exe

  • Size

    894KB

  • MD5

    f89a4c9d373e3c928bc405d56a496850

  • SHA1

    de58bf97363c74d83249df1ec2f1e9d62a2101d9

  • SHA256

    c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d

  • SHA512

    eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe
    "C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\timeout.exe
          timeout 7
          4⤵
          • Delays execution with timeout.exe
          PID:736
        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
          "Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
          4⤵
          • Executes dropped EXE
          PID:2400
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:1972
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4696
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1060
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              6⤵
              • Delays execution with timeout.exe
              PID:3988
            • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
              miktotik.exe /start
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3804
              • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
                miktotik.exe /start
                7⤵
                • Executes dropped EXE
                • Sets file execution options in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Checks processor information in registry
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4176
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  8⤵
                  • Modifies firewall policy service
                  • Sets file execution options in registry
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  • Modifies Internet Explorer Protected Mode
                  • Modifies Internet Explorer Protected Mode Banner
                  • Modifies Internet Explorer settings
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1540
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1060
                    9⤵
                    • Program crash
                    PID:5108
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Gozip.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3960
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im Gozip.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1244
            • C:\Windows\SysWOW64\attrib.exe
              attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
              6⤵
              • Views/modifies file attributes
              PID:4180
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:4604
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:1068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1540 -ip 1540
    1⤵
      PID:2372

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    2
    T1060

    Hidden Files and Directories

    2
    T1158

    Privilege Escalation

    Defense Evasion

    Modify Registry

    6
    T1112

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    System Information Discovery

    6
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs
      Filesize

      114B

      MD5

      8f5293bc4ace65a9f51ba97bddcd7eee

      SHA1

      e11a5055530092c3a805d757110c4f8761976eef

      SHA256

      a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4

      SHA512

      c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
      Filesize

      551KB

      MD5

      061f64173293969577916832be29b90d

      SHA1

      b05b80385de20463a80b6c9c39bd1d53123aab9b

      SHA256

      34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

      SHA512

      66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
      Filesize

      551KB

      MD5

      061f64173293969577916832be29b90d

      SHA1

      b05b80385de20463a80b6c9c39bd1d53123aab9b

      SHA256

      34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

      SHA512

      66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.dat
      Filesize

      373KB

      MD5

      b1aa11c4722efbcaaf5ebf5f17880d17

      SHA1

      b4b8578e13eb1a860524e827ac8bdd5d8ece604b

      SHA256

      2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27

      SHA512

      a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat
      Filesize

      1KB

      MD5

      bf223a7df3a7feecfcb49a5d01d781d9

      SHA1

      d8b2b0f48887e63928576773efe1ab5776d7dfb0

      SHA256

      494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e

      SHA512

      e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat
      Filesize

      668B

      MD5

      814380ebb377d7ebca662c6ac563eec0

      SHA1

      3487cf2382cd0bc87a677e637de1ae40ccfbc13b

      SHA256

      b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136

      SHA512

      41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
      Filesize

      947KB

      MD5

      6ed0cca96fe69be3b775499509f0b029

      SHA1

      e1c57829dd8947cc09b8b4ffcaaad07939efbb2d

      SHA256

      bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab

      SHA512

      a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
      Filesize

      947KB

      MD5

      6ed0cca96fe69be3b775499509f0b029

      SHA1

      e1c57829dd8947cc09b8b4ffcaaad07939efbb2d

      SHA256

      bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab

      SHA512

      a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
      Filesize

      947KB

      MD5

      6ed0cca96fe69be3b775499509f0b029

      SHA1

      e1c57829dd8947cc09b8b4ffcaaad07939efbb2d

      SHA256

      bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab

      SHA512

      a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs
      Filesize

      85B

      MD5

      bf045999e4ca77b57de18d5ff25e1272

      SHA1

      e8dab3a106e479a53c4ea61443c2ff7873d17c67

      SHA256

      89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17

      SHA512

      e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a

      Download Submit
    • memory/672-130-0x0000000000000000-mapping.dmp
      Download
    • memory/736-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1060-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1068-141-0x0000000000000000-mapping.dmp
      Download
    • memory/1244-161-0x0000000000000000-mapping.dmp
      Download
    • memory/1540-169-0x0000000000700000-0x0000000000856000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1540-172-0x0000000000700000-0x0000000000856000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1540-168-0x0000000000D00000-0x0000000001133000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/1540-164-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2400-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2504-171-0x0000000002C20000-0x0000000002D76000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2504-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2568-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3804-153-0x0000000000400000-0x000000000049B000-memory.dmp
      Filesize

      620KB

      Download
    • memory/3804-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3960-155-0x0000000000000000-mapping.dmp
      Download
    • memory/3988-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4176-165-0x00000000005A0000-0x00000000005AD000-memory.dmp
      Filesize

      52KB

      Download
    • memory/4176-159-0x0000000002180000-0x00000000021E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4176-149-0x0000000000000000-mapping.dmp
      Download
    • memory/4176-156-0x0000000000400000-0x0000000000435000-memory.dmp
      Filesize

      212KB

      Download
    • memory/4176-166-0x0000000002690000-0x000000000269C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4176-167-0x0000000002180000-0x00000000021E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4176-154-0x0000000000400000-0x0000000000435000-memory.dmp
      Filesize

      212KB

      Download
    • memory/4176-150-0x0000000000400000-0x0000000000435000-memory.dmp
      Filesize

      212KB

      Download
    • memory/4176-158-0x0000000002180000-0x00000000021E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4176-157-0x0000000000400000-0x0000000000435000-memory.dmp
      Filesize

      212KB

      Download
    • memory/4180-162-0x0000000000000000-mapping.dmp
      Download
    • memory/4604-163-0x0000000000000000-mapping.dmp
      Download
    • memory/4696-143-0x0000000000000000-mapping.dmp
      Download