950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418

General

Target

950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
Size

4.7MB
MD5

59cb61e2c01180dbac1bcac942030a1e
SHA1

6c2b5a30b4c8493ca21771cb69a6750b128c621d
SHA256

950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418
SHA512

15d49dae4d2bbca5a6fe6be37ba3f11c3f6fc3f71bc7e667f1a7c202bc122f0de08d224be81e619beaac9e7ce4ce29e08a240dfb9b8945fc4c51b00a1ba547e7
SSDEEP

98304:AD6X7pce5jwzDndf9PnvGe3kYGAdHsjRL4wYuJ4+BM1XZOCpdoVP:J7pceVyD7PvhyAdM9TYu5iJ9dod

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	BeeMail4.0.6.5.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2196-0-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-12-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-13-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-14-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-15-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-16-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2196-17-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/files/0x000400000002236e-18.dat	upx
behavioral2/memory/2832-19-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2196-20-0x0000000000400000-0x0000000001060000-memory.dmp	upx
behavioral2/memory/2832-26-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-27-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-28-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-29-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-30-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-31-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-32-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-33-0x0000000000400000-0x0000000001062000-memory.dmp	upx
behavioral2/memory/2832-34-0x0000000000400000-0x0000000001062000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
368	PING.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
2832	BeeMail4.0.6.5.exe
2832	BeeMail4.0.6.5.exe
2832	BeeMail4.0.6.5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2832	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	108
PID 2196 wrote to memory of 2832	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	108
PID 2196 wrote to memory of 2832	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	108
PID 2196 wrote to memory of 1396	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	109
PID 2196 wrote to memory of 1396	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	109
PID 2196 wrote to memory of 1396	2196	950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe	109
PID 1396 wrote to memory of 368	1396	cmd.exe	111
PID 1396 wrote to memory of 368	1396	cmd.exe	111
PID 1396 wrote to memory of 368	1396	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe
"C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe
  "C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 1.1.1.1 -n 1 -w 1000 & del "C:\Users\Admin\AppData\Local\Temp\950556b8e48041ec29933676eae7488fdb3982a5a355e112679da37dfab99418.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BeeMail4.0.6.5.exe

Filesize
4.7MB

MD5
6c5865e696091525b4566bdeeb10c277

SHA1
55dcceef1c6445d9ffe02623cd3cb4ad3087db91

SHA256
359f3e20e0779f115ff9384d3265c1a150a66307596a5988a36e32abc358284e

SHA512
e8965a9f43fec6484939cd0706fb2fcf4480194fa914ea5d85fdfeb9cd8f65199268f33d6b5a5a013904d8f991159f845c7a7bcbd8a8f2fce54c35bfbcf66648

Download Submit
C:\Users\Admin\AppData\Local\Temp\configs\User.ini

Filesize
47B

MD5
6eeea514f9da9e9799a7352149df9bf9

SHA1
3cf8ff9d0792cf3f8e9e93e4333edce289145a84

SHA256
e2436368536a6919b626e781507cd8498f90a204f894f58a958ee1513d351fd0

SHA512
f813ea355b4685c02e6b7c75e0e95b18d643d09dd2e6263384e98536a90d7c01dc661fe2e36d57c8819f5cf42ca93436486d74cd5e33334e0e3a808f5bb33d4a

Download Submit
memory/2196-16-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-12-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-15-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-0-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-17-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-13-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-14-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2196-20-0x0000000000400000-0x0000000001060000-memory.dmp

Filesize
12.4MB

Download
memory/2832-26-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-19-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-27-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-28-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-29-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-30-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-31-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-32-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-33-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download
memory/2832-34-0x0000000000400000-0x0000000001062000-memory.dmp

Filesize
12.4MB

Download

Analysis

Sharing