40a0bf6f61cd510fc102dede2993c05d94b701e6e53ae31d0906acfb851fe236

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 10:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

772d1e30be68517c67a30704eccd9e0f.exe
Size

240KB
MD5

772d1e30be68517c67a30704eccd9e0f
SHA1

d5ed02adc23f9e1601d98089ec12002eef64b5bb
SHA256

40a0bf6f61cd510fc102dede2993c05d94b701e6e53ae31d0906acfb851fe236
SHA512

eb0f1ccf0ce4353a38e516e6cc0e4f5b20b37ad94e800d43e247a1f9a8d1d199a13d0a23dce0d6a8fe5adc953632c57fbf8bf0e4e4270842c4e715987fa82c85
SSDEEP

6144:tPe3dwqsNTNEXGlQR58EqxF6snji81RUinKq3aEESliDo:tUdQKjeaEEp

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	772d1e30be68517c67a30704eccd9e0f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beyur.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	beyur.exe

Loads dropped DLL 2 IoCs

pid	Process
1248	772d1e30be68517c67a30704eccd9e0f.exe
1248	772d1e30be68517c67a30704eccd9e0f.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /s"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /t"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /c"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /d"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /g"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /p"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /a"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /n"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /z"	772d1e30be68517c67a30704eccd9e0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /b"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /x"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /u"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /f"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /h"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /m"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /o"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /q"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /w"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /z"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /v"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /i"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /y"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /r"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /e"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /l"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /k"	beyur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\beyur = "C:\\Users\\Admin\\beyur.exe /j"	beyur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	772d1e30be68517c67a30704eccd9e0f.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe
2324	beyur.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1248	772d1e30be68517c67a30704eccd9e0f.exe
2324	beyur.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2324	1248	772d1e30be68517c67a30704eccd9e0f.exe	28
PID 1248 wrote to memory of 2324	1248	772d1e30be68517c67a30704eccd9e0f.exe	28
PID 1248 wrote to memory of 2324	1248	772d1e30be68517c67a30704eccd9e0f.exe	28
PID 1248 wrote to memory of 2324	1248	772d1e30be68517c67a30704eccd9e0f.exe	28

C:\Users\Admin\AppData\Local\Temp\772d1e30be68517c67a30704eccd9e0f.exe
"C:\Users\Admin\AppData\Local\Temp\772d1e30be68517c67a30704eccd9e0f.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\beyur.exe
  "C:\Users\Admin\beyur.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\beyur.exe

Filesize
240KB

MD5
4ad4f6c9896b1bae4e3b0ec31a64c695

SHA1
0cc55876126eadd39521875e0379c5e0a895e095

SHA256
3bc5b9a9636eca02ea6c18aeba64002b1a7cb424be1554eddc09efc50936dc7b

SHA512
c1ed6911148807d46ccf88b23d4cb8471d3dba13c5d76c87bb61e256ca3ca6b3a5a497f124ef940e9fc87132ecb38168be032421fff08838333d59954de7df06

Download Submit