Analysis

  • max time kernel
    148s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-07-2022 06:34

General

  • Target

    CFDI_826271_53535.exe

  • Size

    894KB

  • MD5

    f89a4c9d373e3c928bc405d56a496850

  • SHA1

    de58bf97363c74d83249df1ec2f1e9d62a2101d9

  • SHA256

    c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d

  • SHA512

    eb02dcd476e67db8ec0d9bfde5698967c657bbc6cb55973445c565cd10999772b8ba18ecacd85c36bb88ac81898a0d34f2509cf6e2a954c890ffc5c07421d514

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 5 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1376
      • C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe
        "C:\Users\Admin\AppData\Local\Temp\CFDI_826271_53535.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Windows\SysWOW64\timeout.exe
              timeout 7
              5⤵
              • Delays execution with timeout.exe
              PID:1216
            • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe
              "Gozip.exe" e -p398FsVBddjkd8cwr nmh3745.rar
              5⤵
              • Executes dropped EXE
              PID:1708
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6
              5⤵
              • Delays execution with timeout.exe
              PID:328
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:528
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat" "
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1576
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\Users\Admin\AppData\Roaming\controllevel"
                  7⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:696
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1892
                • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
                  miktotik.exe /start
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  PID:868
                  • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe
                    miktotik.exe /start
                    8⤵
                    • Executes dropped EXE
                    • Sets file execution options in registry
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1356
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      9⤵
                      • Modifies firewall policy service
                      • Sets file execution options in registry
                      • Checks BIOS information in registry
                      • Adds Run key to start application
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1392
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im Gozip.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1396
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im Gozip.exe
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1412
                • C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\Users\Admin\AppData\Roaming\controllevel\foldersDef"
                  7⤵
                  • Views/modifies file attributes
                  PID:928
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 4
                  7⤵
                  • Delays execution with timeout.exe
                  PID:1756
            • C:\Windows\SysWOW64\timeout.exe
              timeout 8
              5⤵
              • Delays execution with timeout.exe
              PID:664
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1332
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1656

Network

MITRE ATT&CK Enterprise v6


Downloads

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\7els.vbs

          Filesize

          114B

          MD5

          8f5293bc4ace65a9f51ba97bddcd7eee

          SHA1

          e11a5055530092c3a805d757110c4f8761976eef

          SHA256

          a48489f790e76faeaaed41f123031e708881226c224030213861cba419ca34f4

          SHA512

          c319cf12985d57b3d00737107a20e0c06a236d654064255dcc7023aa312871b52d399a9e9a55743fb3a446d2624a1049013f0ca8132ed6b6432658c396fa981d

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Gozip.exe

          Filesize

          551KB

          MD5

          061f64173293969577916832be29b90d

          SHA1

          b05b80385de20463a80b6c9c39bd1d53123aab9b

          SHA256

          34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

          SHA512

          66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\Preferences.dat

          Filesize

          373KB

          MD5

          b1aa11c4722efbcaaf5ebf5f17880d17

          SHA1

          b4b8578e13eb1a860524e827ac8bdd5d8ece604b

          SHA256

          2e7ba0fb3f5edd6091e13e0d3a127210813433e46cea81a61a211d6a95457e27

          SHA512

          a7668dfca645f63b571aff7ac11709b5578a4cd5947bf468fba11e4f5d455ef1b0917acc12c558e7b27d2eff1a8debb19b2c7783b7742c97c81b54fedcedd7b5

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\def.bat

          Filesize

          1KB

          MD5

          bf223a7df3a7feecfcb49a5d01d781d9

          SHA1

          d8b2b0f48887e63928576773efe1ab5776d7dfb0

          SHA256

          494cc4d4211c1ed3f88255a46d501040b885c9b5cca26dcae5e37185d883957e

          SHA512

          e15ca76450e99b21982efeeba4c148c9f28dddd85ae0fdb43e496813a4556b83022e2bb1d553de1c851065e09c7866bc6a9829da84dc0fcf3b269a03b0857fc2

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\fit3274.bat

          Filesize

          668B

          MD5

          814380ebb377d7ebca662c6ac563eec0

          SHA1

          3487cf2382cd0bc87a677e637de1ae40ccfbc13b

          SHA256

          b58d9796ee64ea6731a6e54fdeb997ebc4ac148e3982e9c48fdc1f79d1531136

          SHA512

          41737175039c4f62159be44fcd683aff05be9f7ea97b7061222d34528995768cf1656c617991a5d7a5595bd958687a5adbeb208fe961aa2afb4fd2bf2a8d7d66

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\miktotik.exe

          Filesize

          947KB

          MD5

          6ed0cca96fe69be3b775499509f0b029

          SHA1

          e1c57829dd8947cc09b8b4ffcaaad07939efbb2d

          SHA256

          bcb590cab5558665d9728ce52a8ea71c3f6fd348725071cec88dfb8bfd8989ab

          SHA512

          a64e382cd0ecdc3eba26709c6b94c737349b51a4ffb4a50b5805104c87661a5cb3c6b6902af8a926de9f248e0712343d1533d8129ba401fbe7712ddbabbf37b5

        • C:\Users\Admin\AppData\Roaming\controllevel\foldersDef\terminalweu.vbs

          Filesize

          85B

          MD5

          bf045999e4ca77b57de18d5ff25e1272

          SHA1

          e8dab3a106e479a53c4ea61443c2ff7873d17c67

          SHA256

          89f2f0f40f06ed45b155adf713b127931ebb41c162e08e0cda75ecb9e10fdf17

          SHA512

          e191b410d97f021d3dd55ad3565559cf0f3dd6dcc7157f7d6ff60dd610128dfe875cc00f67106653df758e07b6d845fc4e7a7ee290f8d7d8a58d58a90a018f6a
