beapy | f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
16-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
Size

6.6MB
MD5

62b44b7bec4ad127738623276af34870
SHA1

767b3a0b2947c67fb846327e265c21e118512998
SHA256

f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b
SHA512

5022c2af70cfc6db7d01756bf900e88000e7851f5916e282ab8f1de624c94d385863912b9241a65ff1b50b8a3958d1f38fff293ed3b40f374e1f8b8226350db6

Score

10^/10

beapy miner worm

Malware Config

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 19 IoCs

pid	Process
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1144	ipconfig.exe
1072	ipconfig.exe
996	netstat.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	996	netstat.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2036	484	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	27
PID 484 wrote to memory of 2036	484	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	27
PID 484 wrote to memory of 2036	484	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	27
PID 484 wrote to memory of 2036	484	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	27
PID 2036 wrote to memory of 1636	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	31
PID 2036 wrote to memory of 1636	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	31
PID 2036 wrote to memory of 1636	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	31
PID 2036 wrote to memory of 1636	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	31
PID 1636 wrote to memory of 928	1636	cmd.exe	32
PID 1636 wrote to memory of 928	1636	cmd.exe	32
PID 1636 wrote to memory of 928	1636	cmd.exe	32
PID 1636 wrote to memory of 928	1636	cmd.exe	32
PID 2036 wrote to memory of 1944	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	34
PID 2036 wrote to memory of 1944	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	34
PID 2036 wrote to memory of 1944	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	34
PID 2036 wrote to memory of 1944	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	34
PID 1944 wrote to memory of 992	1944	cmd.exe	35
PID 1944 wrote to memory of 992	1944	cmd.exe	35
PID 1944 wrote to memory of 992	1944	cmd.exe	35
PID 1944 wrote to memory of 992	1944	cmd.exe	35
PID 992 wrote to memory of 548	992	net.exe	36
PID 992 wrote to memory of 548	992	net.exe	36
PID 992 wrote to memory of 548	992	net.exe	36
PID 992 wrote to memory of 548	992	net.exe	36
PID 2036 wrote to memory of 860	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	37
PID 2036 wrote to memory of 860	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	37
PID 2036 wrote to memory of 860	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	37
PID 2036 wrote to memory of 860	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	37
PID 860 wrote to memory of 1660	860	cmd.exe	38
PID 860 wrote to memory of 1660	860	cmd.exe	38
PID 860 wrote to memory of 1660	860	cmd.exe	38
PID 860 wrote to memory of 1660	860	cmd.exe	38
PID 1660 wrote to memory of 672	1660	net.exe	39
PID 1660 wrote to memory of 672	1660	net.exe	39
PID 1660 wrote to memory of 672	1660	net.exe	39
PID 1660 wrote to memory of 672	1660	net.exe	39
PID 2036 wrote to memory of 1712	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	40
PID 2036 wrote to memory of 1712	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	40
PID 2036 wrote to memory of 1712	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	40
PID 2036 wrote to memory of 1712	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	40
PID 2036 wrote to memory of 1364	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	41
PID 2036 wrote to memory of 1364	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	41
PID 2036 wrote to memory of 1364	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	41
PID 2036 wrote to memory of 1364	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	41
PID 1364 wrote to memory of 1144	1364	cmd.exe	42
PID 1364 wrote to memory of 1144	1364	cmd.exe	42
PID 1364 wrote to memory of 1144	1364	cmd.exe	42
PID 1364 wrote to memory of 1144	1364	cmd.exe	42
PID 2036 wrote to memory of 1072	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	43
PID 2036 wrote to memory of 1072	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	43
PID 2036 wrote to memory of 1072	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	43
PID 2036 wrote to memory of 1072	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	43
PID 2036 wrote to memory of 996	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	44
PID 2036 wrote to memory of 996	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	44
PID 2036 wrote to memory of 996	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	44
PID 2036 wrote to memory of 996	2036	f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe	44
PID 3056 wrote to memory of 2988	3056	nmVoLXXI.exe	46
PID 3056 wrote to memory of 2988	3056	nmVoLXXI.exe	46
PID 3056 wrote to memory of 2988	3056	nmVoLXXI.exe	46
PID 3056 wrote to memory of 2988	3056	nmVoLXXI.exe	46

C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
"C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:484
- C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe
  "C:\Users\Admin\AppData\Local\Temp\f812134190ff1835d7fa0cc1be0413dd882a346ee593b3ecaf38befeeb2eae7b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:672
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1144
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1072
- - C:\Windows\SysWOW64\netstat.exe
    netstat -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:996

C:\Windows\nmVoLXXI.exe
C:\Windows\nmVoLXXI.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c call "c:\windows\temp\tmp.vbs"
  2⤵
  PID:2988

C:\Windows\cCQlYgRy.exe
C:\Windows\cCQlYgRy.exe
1⤵
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-120-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1712-122-0x000000001C550000-0x000000001C551000-memory.dmp

Filesize
4KB

Download
memory/1712-124-0x000000001BA40000-0x000000001BA41000-memory.dmp

Filesize
4KB

Download
memory/1712-114-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1712-115-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1712-116-0x000000001ADB0000-0x000000001ADB1000-memory.dmp

Filesize
4KB

Download
memory/1712-117-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1712-118-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download
memory/1712-119-0x000000001AD34000-0x000000001AD36000-memory.dmp

Filesize
8KB

Download
memory/1712-123-0x000000001AD3A000-0x000000001AD59000-memory.dmp

Filesize
124KB

Download
memory/2036-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/2036-101-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/2036-76-0x0000000002270000-0x0000000002325000-memory.dmp

Filesize
724KB

Download
memory/2036-92-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2036-85-0x0000000002330000-0x00000000023AC000-memory.dmp

Filesize
496KB

Download
memory/2036-104-0x0000000002BC0000-0x0000000002BD5000-memory.dmp

Filesize
84KB

Download
memory/2988-133-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download