Analysis Overview
SHA256
06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645
Threat Level: Known bad
The file 06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645 was found to be: Known bad.
Malicious Activity Summary
BetaBot
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Modifies firewall policy service
Sets file execution options in registry
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Modifies Internet Explorer settings
NTFS ADS
Modifies Internet Explorer Protected Mode
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer Protected Mode Banner
Checks processor information in registry
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-13 06:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-13 06:37
Reported
2022-07-13 06:39
Platform
win7-20220414-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\i1csg3ks5eg.exe | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\i1csg3ks5eg.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "bnswthdygj.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\i1csg3ks5eg.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\i1csg3ks5eg.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 376 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe:14F5FC60 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe:14F5FC60 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe
"C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe
C:\Users\Admin\AppData\Local\Temp\06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe
/suac
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.52.29:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | russk6.icu | udp |
| US | 8.8.8.8:53 | russk7.icu | udp |
| US | 8.8.8.8:53 | russk8.icu | udp |
| US | 8.8.8.8:53 | russk9.icu | udp |
| US | 8.8.8.8:53 | russk10.icu | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| US | 8.8.8.8:53 | moscow13.at | udp |
| RU | 62.204.41.171:80 | moscow13.at | tcp |
Files
memory/376-54-0x00000000764C1000-0x00000000764C3000-memory.dmp
memory/376-55-0x0000000002AE0000-0x0000000002BE0000-memory.dmp
memory/1932-56-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1932-63-0x00000000004015C6-mapping.dmp
memory/1932-64-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1932-66-0x0000000000500000-0x0000000000566000-memory.dmp
memory/1932-68-0x0000000000500000-0x0000000000566000-memory.dmp
memory/1932-69-0x0000000000310000-0x000000000031D000-memory.dmp
memory/1932-70-0x00000000025B0000-0x00000000025BC000-memory.dmp
memory/1652-71-0x0000000000000000-mapping.dmp
memory/1652-73-0x00000000737A1000-0x00000000737A3000-memory.dmp
memory/1932-74-0x0000000000500000-0x0000000000566000-memory.dmp
memory/1652-75-0x00000000776A0000-0x0000000077820000-memory.dmp
memory/1652-76-0x00000000004C0000-0x0000000000619000-memory.dmp
memory/1652-77-0x0000000000640000-0x000000000064C000-memory.dmp
memory/1652-78-0x00000000776A0000-0x0000000077820000-memory.dmp
memory/1652-79-0x00000000004C0000-0x0000000000619000-memory.dmp
memory/1220-80-0x0000000002710000-0x0000000002716000-memory.dmp
\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe
| MD5 | cf4e015eeabfd226f997a8aa258c3d97 |
| SHA1 | eb2c8d789ab2e2b4c12dff88f7553114ada1f054 |
| SHA256 | 06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645 |
| SHA512 | 01283868f2887fcf2527d3cbaf2db860e010d1a77c6af7b409a7ebfc677cf3437c86b2dfeeda02ed316ef723cf3c0a3457aa977e1f3eea2f9d8f834f07dd8317 |
memory/1260-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\i1csg3ks5eg_1.exe
| MD5 | cf4e015eeabfd226f997a8aa258c3d97 |
| SHA1 | eb2c8d789ab2e2b4c12dff88f7553114ada1f054 |
| SHA256 | 06104da8d17662bd405006269c9437f542e2291a8dfcc62b5a6821bcb3a9f645 |
| SHA512 | 01283868f2887fcf2527d3cbaf2db860e010d1a77c6af7b409a7ebfc677cf3437c86b2dfeeda02ed316ef723cf3c0a3457aa977e1f3eea2f9d8f834f07dd8317 |
Analysis: behavioral2
Detonation Overview
Reported
0001-01-01 00:00