Analysis
max time kernel
1736s
max time network
1165s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-de locale:de-de os:windows10-2004-x64 system windows
submitted
20-05-2024 12:35
Behavioral task
behavioral1
Sample
Beatware Internal v1.8.exe
Resource
win10v2004-20240426-de
General
Target
Beatware Internal v1.8.exe
Size
7.4MB
MD5
c3347bb80d40975abea0fb9392ff730c
SHA1
551f40a65f2380e93fc0e5e466c052486b69674b
SHA256
09056146a9fc630956948e30d8d9c58272a887fa0c4fc3e839cf21ab740f1a8e
SHA512
038d7f67729b9674ce59088450d6ee7d4904e7ca843c9cb737b7fb539b5a8c9e97a9456f83e694010eba6a842ccd63f688ac281806cc279832030fec63d0aac2
SSDEEP
98304:3vP93uKPFjSHD5Fy3+1ZILwKcATnBRHusa4m7BS3:3vP93uKdjSHtFLmwK1rB2
Malware Config
Signatures
resource yara_rule
behavioral1/memory/3240-2-0x00007FF73D220000-0x00007FF73DB9A000-memory.dmp vmprotect
behavioral1/memory/3240-121-0x00007FF73D220000-0x00007FF73DB9A000-memory.dmp vmprotect
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
43 discord.com
44 discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process
3240 Beatware Internal v1.8.exe (64 identical entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process
3240 Beatware Internal v1.8.exe (2 entries)
1332 msedge.exe (2 entries)
4116 msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process
4116 msedge.exe (3 identical entries)
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process
4116 msedge.exe (26 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid Process
4116 msedge.exe (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target (duplicate entries collapsed)
PID 3240 wrote to memory of 2792 | 3240 Beatware Internal v1.8.exe | 83
PID 3240 wrote to memory of 4736 | 3240 Beatware Internal v1.8.exe | 85
PID 4736 wrote to memory of 4400 | 4736 cmd.exe | 86
PID 4736 wrote to memory of 4604 | 4736 cmd.exe | 87
PID 4736 wrote to memory of 3980 | 4736 cmd.exe | 88
PID 3240 wrote to memory of 3848 | 3240 Beatware Internal v1.8.exe | 92
PID 3240 wrote to memory of 4116 | 3240 Beatware Internal v1.8.exe | 93
PID 3240 wrote to memory of 448 | 3240 Beatware Internal v1.8.exe | 94
PID 4116 wrote to memory of 4100 | 4116 msedge.exe | 95
PID 4116 wrote to memory of 1436 | 4116 msedge.exe | 97
PID 4116 wrote to memory of 1332 | 4116 msedge.exe | 98
PID 4116 wrote to memory of 2848 | 4116 msedge.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe"
  PID: 3240
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c cls
    PID: 2792
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 4736
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.8.exe" MD5
      PID: 4400
    - C:\Windows\system32\find.exe
      Command: find /i /v "md5"
      PID: 4604
    - C:\Windows\system32\find.exe
      Command: find /i /v "certutil"
      PID: 3980
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c cls
    PID: 3848
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
    PID: 4116
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff64f646f8,0x7fff64f64708,0x7fff64f64718
      PID: 4100
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      PID: 1436
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      PID: 1332
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
      PID: 2848
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      PID: 4648
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID: 3304
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,5573018397690273113,6024873919223509426,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      PID: 1588
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c cls
    PID: 448
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c cls
    PID: 4516
  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c cls
    PID: 2556
- C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4748
- C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3588
- C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads