950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418

General

Target

950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
Size

4.7MB
MD5

59cb61e2c01180dbac1bcac942030a1e
SHA1

6c2b5a30b4c8493ca21771cb69a6750b128c621d
SHA256

950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418
SHA512

15d49dae4d2bbca5a6fe6be37ba3f11c3f6fc3f71bc7e667f1a7c202bc122f0de08d224be81e619beaac9e7ce4ce29e08a240dfb9b8945fc4c51b00a1ba547e7
SSDEEP

98304:AD6X7pce5jwzDndf9PnvGe3kYGAdHsjRL4wYuJ4+BM1XZOCpdoVP:J7pceVyD7PvhyAdM9TYu5iJ9dod

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
2440	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1692	BeeMail4.0.6.5.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-0-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-12-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-13-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-14-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-15-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-16-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/2848-17-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/files/0x0009000000014c45-18.dat	upx
behavioral1/files/0x0009000000014c45-19.dat	upx
behavioral1/files/0x0009000000014c45-20.dat	upx
behavioral1/memory/2848-22-0x00000000065C0000-0x0000000007222000-memory.dmp	upx
behavioral1/memory/2848-21-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral1/memory/1692-25-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-31-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-32-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-33-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-34-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-35-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-36-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-37-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral1/memory/1692-38-0x0000000000400000-0x0000000001062000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
836	PING.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
1692	BeeMail4.0.6.5.exe
1692	BeeMail4.0.6.5.exe
1692	BeeMail4.0.6.5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1692	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	31
PID 2848 wrote to memory of 1692	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	31
PID 2848 wrote to memory of 1692	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	31
PID 2848 wrote to memory of 1692	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	31
PID 2848 wrote to memory of 2440	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	32
PID 2848 wrote to memory of 2440	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	32
PID 2848 wrote to memory of 2440	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	32
PID 2848 wrote to memory of 2440	2848	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	32
PID 2440 wrote to memory of 836	2440	cmd.exe	34
PID 2440 wrote to memory of 836	2440	cmd.exe	34
PID 2440 wrote to memory of 836	2440	cmd.exe	34
PID 2440 wrote to memory of 836	2440	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
"C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe
  "C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 1.1.1.1 -n 1 -w 1000 & del "C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe

Filesize
4.7MB

MD5
6c5865e696091525b4566bdeeb10c277

SHA1
55dcceef1c6445d9ffe02623cd3cb4ad3087db91

SHA256
359f3e20e0779f115ff9384d3265c1a150a66307596a5988a36e32abc358284e

SHA512
e8965a9f43fec6484939cd0706fb2fcf4480194fa914ea5d85fdfeb9cd8f65199268f33d6b5a5a013904d8f991159f845c7a7bcbd8a8f2fce54c35bfbcf66648

Download Submit
C:\Users\Admin\AppData\Local\Temp\configs\User.ini

Filesize
47B

MD5
6eeea514f9da9e9799a7352149df9bf9

SHA1
3cf8ff9d0792cf3f8e9e93e4333edce289145a84

SHA256
e2436368536a6919b626e781507cd8498f90a204f894f58a958ee1513d351fd0

SHA512
f813ea355b4685c02e6b7c75e0e95b18d643d09dd2e6263384e98536a90d7c01dc661fe2e36d57c8819f5cf42ca93436486d74cd5e33334e0e3a808f5bb33d4a

Download Submit
\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe

Filesize
4.7MB

MD5
6c5865e696091525b4566bdeeb10c277

SHA1
55dcceef1c6445d9ffe02623cd3cb4ad3087db91

SHA256
359f3e20e0779f115ff9384d3265c1a150a66307596a5988a36e32abc358284e

SHA512
e8965a9f43fec6484939cd0706fb2fcf4480194fa914ea5d85fdfeb9cd8f65199268f33d6b5a5a013904d8f991159f845c7a7bcbd8a8f2fce54c35bfbcf66648

Download Submit
\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe

Filesize
4.7MB

MD5
6c5865e696091525b4566bdeeb10c277

SHA1
55dcceef1c6445d9ffe02623cd3cb4ad3087db91

SHA256
359f3e20e0779f115ff9384d3265c1a150a66307596a5988a36e32abc358284e

SHA512
e8965a9f43fec6484939cd0706fb2fcf4480194fa914ea5d85fdfeb9cd8f65199268f33d6b5a5a013904d8f991159f845c7a7bcbd8a8f2fce54c35bfbcf66648

Download Submit
memory/1692-36-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-34-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-33-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-35-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-25-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-37-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-32-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-31-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/1692-38-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2848-16-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-21-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-23-0x00000000065C0000-0x0000000007222000-memory.dmp

Filesize
12.4MB

Download
memory/2848-22-0x00000000065C0000-0x0000000007222000-memory.dmp

Filesize
12.4MB

Download
memory/2848-17-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-0-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-15-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-14-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-13-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2848-12-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download

Analysis

Sharing