e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547

General

Target

e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
Size

135KB
MD5

5337e1c2054a4a758195237a527e29b1
SHA1

8d5b32d796d495c82ba0fb96c00606f881e26d41
SHA256

e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547
SHA512

0b9f95ee9a55dc0d01b86f8ece389d342c7e89a1393adcba0706ca877b025a3883d80285f8091add00e06217799fc4a3aecd30181d5ab52bceb21724468538f6
SSDEEP

3072:YtTUp6Z9UPb1WpXVxAaGBvbNvNbNJkvmhyPQbaDTUXGIDbwKDqCtrwdAxaVTtVHi:aTU6ZMoIDbByGPMsMP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

beodi.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beodi.exe

Executes dropped EXE 1 IoCs

Processes:

beodi.exe

pid process

2008 beodi.exe

Loads dropped DLL 2 IoCs

Processes:

e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe

pid	process
1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

beodi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	beodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\beodi = "C:\\Users\\Admin\\beodi.exe"	beodi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

beodi.exe

pid	process
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe
2008	beodi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exebeodi.exe

pid process

1816 e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
2008 beodi.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exebeodi.exe

description	pid	process	target process
PID 1816 wrote to memory of 2008	1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe	beodi.exe
PID 1816 wrote to memory of 2008	1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe	beodi.exe
PID 1816 wrote to memory of 2008	1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe	beodi.exe
PID 1816 wrote to memory of 2008	1816	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe	beodi.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
PID 2008 wrote to memory of 1816	2008	beodi.exe	e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe

C:\Users\Admin\AppData\Local\Temp\e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe
"C:\Users\Admin\AppData\Local\Temp\e1aab275f72aa745d1774122f851ce323963c577b93836e7f6c6005f032d0547.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\beodi.exe
"C:\Users\Admin\beodi.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\beodi.exe
Filesize
135KB

MD5
5d3452e169249c40f04c1ca452d6507b

SHA1
cb389c64fe69f05061ba0947c1a074985d8942bc

SHA256
c813c78257af6108a4d9fb80302523d9b5220a2b0e6c270e6bed304a98fef635

SHA512
326c235cb14e2cded68589cd4e902ddd26f6c85b21e4a81bee9585ff120cdf9244a4b0e95d00806e32ec549e27ebbf14ed5e875258af8f33f478c8005faf7ab2

Download Submit
C:\Users\Admin\beodi.exe
Filesize
135KB

MD5
5d3452e169249c40f04c1ca452d6507b

SHA1
cb389c64fe69f05061ba0947c1a074985d8942bc

SHA256
c813c78257af6108a4d9fb80302523d9b5220a2b0e6c270e6bed304a98fef635

SHA512
326c235cb14e2cded68589cd4e902ddd26f6c85b21e4a81bee9585ff120cdf9244a4b0e95d00806e32ec549e27ebbf14ed5e875258af8f33f478c8005faf7ab2

Download Submit
\Users\Admin\beodi.exe
Filesize
135KB

MD5
5d3452e169249c40f04c1ca452d6507b

SHA1
cb389c64fe69f05061ba0947c1a074985d8942bc

SHA256
c813c78257af6108a4d9fb80302523d9b5220a2b0e6c270e6bed304a98fef635

SHA512
326c235cb14e2cded68589cd4e902ddd26f6c85b21e4a81bee9585ff120cdf9244a4b0e95d00806e32ec549e27ebbf14ed5e875258af8f33f478c8005faf7ab2

Download Submit
\Users\Admin\beodi.exe
Filesize
135KB

MD5
5d3452e169249c40f04c1ca452d6507b

SHA1
cb389c64fe69f05061ba0947c1a074985d8942bc

SHA256
c813c78257af6108a4d9fb80302523d9b5220a2b0e6c270e6bed304a98fef635

SHA512
326c235cb14e2cded68589cd4e902ddd26f6c85b21e4a81bee9585ff120cdf9244a4b0e95d00806e32ec549e27ebbf14ed5e875258af8f33f478c8005faf7ab2

Download Submit
memory/1816-56-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/2008-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads