beapy | 28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20201028
submitted
05-04-2021 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
Size

6.6MB
MD5

611b27f49da01bbd6b68be24774924ec
SHA1

1e30a84b6e107f87750c996f3353e9d13ae27c62
SHA256

28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951
SHA512

ddb08d2b4f0ba7394469321cad4a4f11fd530e17346850808c780812af6494ecac0ecc1522d771230f27573e01c2b35009926f8c4e201ad51d03c7e783dde11f

Score

10^/10

beapy miner worm

Malware Config

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 20 IoCs

pid	Process
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
900	ipconfig.exe
1528	ipconfig.exe
1680	netstat.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1636	WMIC.exe
Token: SeSecurityPrivilege	1636	WMIC.exe
Token: SeTakeOwnershipPrivilege	1636	WMIC.exe
Token: SeLoadDriverPrivilege	1636	WMIC.exe
Token: SeSystemProfilePrivilege	1636	WMIC.exe
Token: SeSystemtimePrivilege	1636	WMIC.exe
Token: SeProfSingleProcessPrivilege	1636	WMIC.exe
Token: SeIncBasePriorityPrivilege	1636	WMIC.exe
Token: SeCreatePagefilePrivilege	1636	WMIC.exe
Token: SeBackupPrivilege	1636	WMIC.exe
Token: SeRestorePrivilege	1636	WMIC.exe
Token: SeShutdownPrivilege	1636	WMIC.exe
Token: SeDebugPrivilege	1636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1636	WMIC.exe
Token: SeRemoteShutdownPrivilege	1636	WMIC.exe
Token: SeUndockPrivilege	1636	WMIC.exe
Token: SeManageVolumePrivilege	1636	WMIC.exe
Token: 33	1636	WMIC.exe
Token: 34	1636	WMIC.exe
Token: 35	1636	WMIC.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1680	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2004	1828	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	27
PID 1828 wrote to memory of 2004	1828	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	27
PID 1828 wrote to memory of 2004	1828	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	27
PID 1828 wrote to memory of 2004	1828	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	27
PID 2004 wrote to memory of 1484	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	31
PID 2004 wrote to memory of 1484	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	31
PID 2004 wrote to memory of 1484	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	31
PID 2004 wrote to memory of 1484	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	31
PID 1484 wrote to memory of 1636	1484	cmd.exe	32
PID 1484 wrote to memory of 1636	1484	cmd.exe	32
PID 1484 wrote to memory of 1636	1484	cmd.exe	32
PID 1484 wrote to memory of 1636	1484	cmd.exe	32
PID 2004 wrote to memory of 928	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	34
PID 2004 wrote to memory of 928	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	34
PID 2004 wrote to memory of 928	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	34
PID 2004 wrote to memory of 928	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	34
PID 928 wrote to memory of 1900	928	cmd.exe	35
PID 928 wrote to memory of 1900	928	cmd.exe	35
PID 928 wrote to memory of 1900	928	cmd.exe	35
PID 928 wrote to memory of 1900	928	cmd.exe	35
PID 1900 wrote to memory of 1276	1900	net.exe	36
PID 1900 wrote to memory of 1276	1900	net.exe	36
PID 1900 wrote to memory of 1276	1900	net.exe	36
PID 1900 wrote to memory of 1276	1900	net.exe	36
PID 2004 wrote to memory of 1792	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	37
PID 2004 wrote to memory of 1792	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	37
PID 2004 wrote to memory of 1792	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	37
PID 2004 wrote to memory of 1792	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	37
PID 1792 wrote to memory of 2032	1792	cmd.exe	38
PID 1792 wrote to memory of 2032	1792	cmd.exe	38
PID 1792 wrote to memory of 2032	1792	cmd.exe	38
PID 1792 wrote to memory of 2032	1792	cmd.exe	38
PID 2032 wrote to memory of 108	2032	net.exe	39
PID 2032 wrote to memory of 108	2032	net.exe	39
PID 2032 wrote to memory of 108	2032	net.exe	39
PID 2032 wrote to memory of 108	2032	net.exe	39
PID 2004 wrote to memory of 1520	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	40
PID 2004 wrote to memory of 1520	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	40
PID 2004 wrote to memory of 1520	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	40
PID 2004 wrote to memory of 1520	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	40
PID 2004 wrote to memory of 1896	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	41
PID 2004 wrote to memory of 1896	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	41
PID 2004 wrote to memory of 1896	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	41
PID 2004 wrote to memory of 1896	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	41
PID 1896 wrote to memory of 900	1896	cmd.exe	42
PID 1896 wrote to memory of 900	1896	cmd.exe	42
PID 1896 wrote to memory of 900	1896	cmd.exe	42
PID 1896 wrote to memory of 900	1896	cmd.exe	42
PID 2004 wrote to memory of 1528	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	43
PID 2004 wrote to memory of 1528	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	43
PID 2004 wrote to memory of 1528	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	43
PID 2004 wrote to memory of 1528	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	43
PID 2004 wrote to memory of 1680	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	44
PID 2004 wrote to memory of 1680	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	44
PID 2004 wrote to memory of 1680	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	44
PID 2004 wrote to memory of 1680	2004	28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe	44
PID 2028 wrote to memory of 840	2028	hoiBPMUR.exe	46
PID 2028 wrote to memory of 840	2028	hoiBPMUR.exe	46
PID 2028 wrote to memory of 840	2028	hoiBPMUR.exe	46
PID 2028 wrote to memory of 840	2028	hoiBPMUR.exe	46
PID 840 wrote to memory of 2260	840	cmd.exe	48
PID 840 wrote to memory of 2260	840	cmd.exe	48
PID 840 wrote to memory of 2260	840	cmd.exe	48
PID 840 wrote to memory of 2260	840	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
"C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe
  "C:\Users\Admin\AppData\Local\Temp\28c1ae412c6434eb0407d7333cc281dabc1d461d4bbb0f9e709780cd37400951.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:108
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:900
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1528
- - C:\Windows\SysWOW64\netstat.exe
    netstat -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

C:\Windows\hoiBPMUR.exe
C:\Windows\hoiBPMUR.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2260

C:\Windows\cRrFNjUU.exe
C:\Windows\cRrFNjUU.exe
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-62-0x000000001C4B0000-0x000000001C4B1000-memory.dmp

Filesize
4KB

Download
memory/1520-60-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1520-64-0x0000000034720000-0x0000000034721000-memory.dmp

Filesize
4KB

Download
memory/1520-53-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

Filesize
8KB

Download
memory/1520-54-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-55-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1520-56-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1520-57-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1520-58-0x000000001ABA0000-0x000000001ABA2000-memory.dmp

Filesize
8KB

Download
memory/1520-59-0x000000001ABA4000-0x000000001ABA6000-memory.dmp

Filesize
8KB

Download
memory/1520-63-0x000000001ABAA000-0x000000001ABC9000-memory.dmp

Filesize
124KB

Download
memory/2004-6-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download