5c690a0e0a6cf4d838cd821657b95e6df22bf53296dff71f4a3afdaf485713e8

Analysis

max time kernel
159s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bda59aef3da2139427ffa977b8fe986.exe
Size

432KB
MD5

4bda59aef3da2139427ffa977b8fe986
SHA1

533c9bfc11b69b0ec0b93ea4546562d78750636c
SHA256

5c690a0e0a6cf4d838cd821657b95e6df22bf53296dff71f4a3afdaf485713e8
SHA512

bb01f58fc7ccada0a60a01ed23895e20f6dd7dd27236c13bac63dc7ad9c487bf417e57e9940b0439257d8bafe25621c97ce8dc9183ee6ed4651c5474edd2eb9b
SSDEEP

6144:a1VkdIgi71nAv/szQRzf4Zj3JVyN/Y53fZ6ZsVb78:YVkdInSssRWjPy9Y53B6A78

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4bda59aef3da2139427ffa977b8fe986.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beaze.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4bda59aef3da2139427ffa977b8fe986.exe

Executes dropped EXE 1 IoCs

pid	Process
3420	beaze.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /j"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /g"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /k"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /i"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /v"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /f"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /q"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /x"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /y"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /n"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /c"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /w"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /p"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /e"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /o"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /a"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /s"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /h"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /t"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /l"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /b"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /u"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /d"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /m"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /d"	4bda59aef3da2139427ffa977b8fe986.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /z"	beaze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaze = "C:\\Users\\Admin\\beaze.exe /r"	beaze.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3356	4bda59aef3da2139427ffa977b8fe986.exe
3356	4bda59aef3da2139427ffa977b8fe986.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe
3420	beaze.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3356	4bda59aef3da2139427ffa977b8fe986.exe
3420	beaze.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3420	3356	4bda59aef3da2139427ffa977b8fe986.exe	95
PID 3356 wrote to memory of 3420	3356	4bda59aef3da2139427ffa977b8fe986.exe	95
PID 3356 wrote to memory of 3420	3356	4bda59aef3da2139427ffa977b8fe986.exe	95

C:\Users\Admin\AppData\Local\Temp\4bda59aef3da2139427ffa977b8fe986.exe
"C:\Users\Admin\AppData\Local\Temp\4bda59aef3da2139427ffa977b8fe986.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\beaze.exe
  "C:\Users\Admin\beaze.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\beaze.exe

Filesize
432KB

MD5
1977706389320d72aa8e7591665f729d

SHA1
174c335fd5d4074cbd581eef724489ec4daec820

SHA256
d72d68ddf91f9514fe3c819cad5aec74f0e4e34c04af263ffb8a932630330d26

SHA512
2a68ce35a6ecd0f29821310f5acc46be975f3cda78f73561bda6750ea53921d10e7da36581683455e4b877ae05bffa6c0bbe27281f4ff9e0432fcdc46a2079da

Download Submit