beapy | 591bf6c785a42e2ad6c91e94c544e69e68a0484acd47c1b1747b49d8fb1b3d11

Resubmissions

04-09-2021 07:37

210904-jf39zshben 10

04-09-2021 07:35

210904-jeq82aeab3 10

Analysis

max time kernel
359s
max time network
1275s
platform
windows11_x64
resource
win11
submitted
04-09-2021 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.bin.exe
Size

6.6MB
MD5

2787bb2d1ab223f8ac2692f3a8fd85fc
SHA1

dc34ee4e46ddea333cdc90e4aad7589cb8ee1ea0
SHA256

952e3e059251cd41e3c67006c5aa4b75fe3e6b0f18d96554b2d60d4ccfb78cb4
SHA512

d79bd7599ccb09fa72b939a506d04e28cb958e59c3987ab4d375e76337d5b1e33369d59397338aaeaf938c14ec9d93b20501d5224d151631c69c874d0657e9f3

Score

10^/10

beapy miner worm

Malware Config

Signatures

Beapy
Beapy is a python worm with crypto mining capabilities.
miner worm beapy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Loads dropped DLL 29 IoCs

pid	Process
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe
3364	svchost.bin.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4188	netstat.exe
2928	ipconfig.exe
4720	ipconfig.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "73"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
8	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
3364	svchost.bin.exe
3364	svchost.bin.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3532	WMIC.exe
Token: SeSecurityPrivilege	3532	WMIC.exe
Token: SeTakeOwnershipPrivilege	3532	WMIC.exe
Token: SeLoadDriverPrivilege	3532	WMIC.exe
Token: SeSystemProfilePrivilege	3532	WMIC.exe
Token: SeSystemtimePrivilege	3532	WMIC.exe
Token: SeProfSingleProcessPrivilege	3532	WMIC.exe
Token: SeIncBasePriorityPrivilege	3532	WMIC.exe
Token: SeCreatePagefilePrivilege	3532	WMIC.exe
Token: SeBackupPrivilege	3532	WMIC.exe
Token: SeRestorePrivilege	3532	WMIC.exe
Token: SeShutdownPrivilege	3532	WMIC.exe
Token: SeDebugPrivilege	3532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3532	WMIC.exe
Token: SeRemoteShutdownPrivilege	3532	WMIC.exe
Token: SeUndockPrivilege	3532	WMIC.exe
Token: SeManageVolumePrivilege	3532	WMIC.exe
Token: 33	3532	WMIC.exe
Token: 34	3532	WMIC.exe
Token: 35	3532	WMIC.exe
Token: 36	3532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3532	WMIC.exe
Token: SeSecurityPrivilege	3532	WMIC.exe
Token: SeTakeOwnershipPrivilege	3532	WMIC.exe
Token: SeLoadDriverPrivilege	3532	WMIC.exe
Token: SeSystemProfilePrivilege	3532	WMIC.exe
Token: SeSystemtimePrivilege	3532	WMIC.exe
Token: SeProfSingleProcessPrivilege	3532	WMIC.exe
Token: SeIncBasePriorityPrivilege	3532	WMIC.exe
Token: SeCreatePagefilePrivilege	3532	WMIC.exe
Token: SeBackupPrivilege	3532	WMIC.exe
Token: SeRestorePrivilege	3532	WMIC.exe
Token: SeShutdownPrivilege	3532	WMIC.exe
Token: SeDebugPrivilege	3532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3532	WMIC.exe
Token: SeRemoteShutdownPrivilege	3532	WMIC.exe
Token: SeUndockPrivilege	3532	WMIC.exe
Token: SeManageVolumePrivilege	3532	WMIC.exe
Token: 33	3532	WMIC.exe
Token: 34	3532	WMIC.exe
Token: 35	3532	WMIC.exe
Token: 36	3532	WMIC.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	4188	netstat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2272	LogonUI.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3364	2412	svchost.bin.exe	78
PID 2412 wrote to memory of 3364	2412	svchost.bin.exe	78
PID 2412 wrote to memory of 3364	2412	svchost.bin.exe	78
PID 3364 wrote to memory of 4388	3364	svchost.bin.exe	82
PID 3364 wrote to memory of 4388	3364	svchost.bin.exe	82
PID 3364 wrote to memory of 4388	3364	svchost.bin.exe	82
PID 4388 wrote to memory of 3532	4388	cmd.exe	83
PID 4388 wrote to memory of 3532	4388	cmd.exe	83
PID 4388 wrote to memory of 3532	4388	cmd.exe	83
PID 3364 wrote to memory of 4528	3364	svchost.bin.exe	84
PID 3364 wrote to memory of 4528	3364	svchost.bin.exe	84
PID 3364 wrote to memory of 4528	3364	svchost.bin.exe	84
PID 4528 wrote to memory of 4540	4528	cmd.exe	85
PID 4528 wrote to memory of 4540	4528	cmd.exe	85
PID 4528 wrote to memory of 4540	4528	cmd.exe	85
PID 4540 wrote to memory of 5044	4540	net.exe	86
PID 4540 wrote to memory of 5044	4540	net.exe	86
PID 4540 wrote to memory of 5044	4540	net.exe	86
PID 3364 wrote to memory of 908	3364	svchost.bin.exe	87
PID 3364 wrote to memory of 908	3364	svchost.bin.exe	87
PID 3364 wrote to memory of 908	3364	svchost.bin.exe	87
PID 908 wrote to memory of 4944	908	cmd.exe	88
PID 908 wrote to memory of 4944	908	cmd.exe	88
PID 908 wrote to memory of 4944	908	cmd.exe	88
PID 4944 wrote to memory of 968	4944	net.exe	89
PID 4944 wrote to memory of 968	4944	net.exe	89
PID 4944 wrote to memory of 968	4944	net.exe	89
PID 3364 wrote to memory of 8	3364	svchost.bin.exe	90
PID 3364 wrote to memory of 8	3364	svchost.bin.exe	90
PID 3364 wrote to memory of 4648	3364	svchost.bin.exe	91
PID 3364 wrote to memory of 4648	3364	svchost.bin.exe	91
PID 3364 wrote to memory of 4648	3364	svchost.bin.exe	91
PID 4648 wrote to memory of 2928	4648	cmd.exe	92
PID 4648 wrote to memory of 2928	4648	cmd.exe	92
PID 4648 wrote to memory of 2928	4648	cmd.exe	92
PID 3364 wrote to memory of 4720	3364	svchost.bin.exe	93
PID 3364 wrote to memory of 4720	3364	svchost.bin.exe	93
PID 3364 wrote to memory of 4720	3364	svchost.bin.exe	93
PID 3364 wrote to memory of 4188	3364	svchost.bin.exe	94
PID 3364 wrote to memory of 4188	3364	svchost.bin.exe	94
PID 3364 wrote to memory of 4188	3364	svchost.bin.exe	94

C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic ntdomain get domainname
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ntdomain get domainname
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\net.exe
      net localgroup administrators
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c net group "domain admins" /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\net.exe
      net group "domain admins" /domain
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 group "domain admins" /domain
        5⤵
        
        PID:968
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Users\Admin\AppData\Local\Temp\m2.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2928
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4720
- - C:\Windows\SysWOW64\netstat.exe
    netstat -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:4188

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a68055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Privilege Escalation

Defense Evasion

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-223-0x0000026EEBCF6000-0x0000026EEBCF8000-memory.dmp

Filesize
8KB

Download
memory/8-222-0x0000026EEBCF3000-0x0000026EEBCF5000-memory.dmp

Filesize
8KB

Download
memory/8-236-0x0000026EEBCF8000-0x0000026EEBCFA000-memory.dmp

Filesize
8KB

Download
memory/8-233-0x0000026EEC030000-0x0000026EEC031000-memory.dmp

Filesize
4KB

Download
memory/8-230-0x0000026EECFE0000-0x0000026EECFE1000-memory.dmp

Filesize
4KB

Download
memory/8-225-0x0000026EEBCA0000-0x0000026EEBCA1000-memory.dmp

Filesize
4KB

Download
memory/8-221-0x0000026EEBCF0000-0x0000026EEBCF2000-memory.dmp

Filesize
8KB

Download
memory/8-218-0x0000026EEBD00000-0x0000026EEBD01000-memory.dmp

Filesize
4KB

Download
memory/8-217-0x0000026EEBC70000-0x0000026EEBC71000-memory.dmp

Filesize
4KB

Download
memory/8-216-0x0000026EEC330000-0x0000026EEC331000-memory.dmp

Filesize
4KB

Download
memory/8-215-0x0000026ED3580000-0x0000026ED3581000-memory.dmp

Filesize
4KB

Download
memory/3364-173-0x0000000002FB0000-0x000000000302C000-memory.dmp

Filesize
496KB

Download
memory/3364-197-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/3364-163-0x0000000002EF0000-0x0000000002FA5000-memory.dmp

Filesize
724KB

Download
memory/3364-201-0x0000000003050000-0x0000000003065000-memory.dmp

Filesize
84KB

Download
memory/3364-159-0x0000000002801000-0x0000000002806000-memory.dmp

Filesize
20KB

Download
memory/3364-184-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3744-248-0x000002194D790000-0x000002194D794000-memory.dmp

Filesize
16KB

Download
memory/3744-250-0x000002194D4D0000-0x000002194D4D4000-memory.dmp

Filesize
16KB

Download
memory/3744-253-0x000002194B1A0000-0x000002194B1A1000-memory.dmp

Filesize
4KB

Download
memory/3744-252-0x000002194D4C0000-0x000002194D4C4000-memory.dmp

Filesize
16KB

Download
memory/3744-245-0x000002194AE60000-0x000002194AE70000-memory.dmp

Filesize
64KB

Download
memory/3744-246-0x000002194AEE0000-0x000002194AEF0000-memory.dmp

Filesize
64KB

Download
memory/3744-251-0x000002194D4C0000-0x000002194D4C1000-memory.dmp

Filesize
4KB

Download
memory/3744-249-0x000002194D750000-0x000002194D751000-memory.dmp

Filesize
4KB

Download