hxxp://www[.]beekai[.]com

Analysis

max time kernel
78s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.beekai.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616008643049705"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe
Token: SeShutdownPrivilege	3024	chrome.exe
Token: SeCreatePagefilePrivilege	3024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe
3024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2480	3024	chrome.exe	82
PID 3024 wrote to memory of 2480	3024	chrome.exe	82
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 4324	3024	chrome.exe	84
PID 3024 wrote to memory of 716	3024	chrome.exe	85
PID 3024 wrote to memory of 716	3024	chrome.exe	85
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86
PID 3024 wrote to memory of 876	3024	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.beekai.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf32eab58,0x7ffbf32eab68,0x7ffbf32eab78
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:8
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2816 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2824 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3840 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1932,i,14083916285598718568,12407566997416352209,131072 /prefetch:8
  2⤵
  PID:1264

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ddfdd5b4d4dddb677bbda2557630ac99

SHA1
c873d5ef519fbe4a2aa3237d2e751b5d10b6702c

SHA256
c279388c0cab9cc284486dd634ac6a9e2e6ec289174e0b93cdc648c6621e3c7e

SHA512
c8687dc77196c955df6a096e62e9da04ec5a2a3b3f6748cef0be743808c651f4a9a68958d2e0d2bd09d46019de7d12ce7f74d6d73839aa2e0e672677a83ada5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
753c211a616d29c2f244dfd264b223ad

SHA1
25e7363d06019f527584c1124128ccf96d9de783

SHA256
05cc5df6ba254b63437c69ccdcbe0c7ee287161e60f31ab78f66e7a36ea34e78

SHA512
7c76467611a0d587d09a72f140a69611ee5888c9141f77079536add29495977067d021fd95b2184b1fde1b72d65225490b53a7398bcd10ce4e753f63f5e575b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dc0184345bf6b865bc603d44b62033db

SHA1
1d7512f3ab964e482a6aafc7dfd7813cca92aa36

SHA256
27748d11a9d529fa8cff4ce26e55faabd0d2d6f306216f544e9cdf007b34eb41

SHA512
89ccf3c566150816b70ba9f12e47f5068ce5abf935fb5be2e19e2235108f992d0ef6a93181624f806b89f71712ade6e81f55f4b31c20e8866113380d7f42432f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
826430d3a77f98adef82cb316cb83bf3

SHA1
3c1c3d0f83aad10b6a50a7a6390c043cf6483b91

SHA256
9d0b0bad0690a1c51f7b9b4bc8e853cc2a0c41cb4972648e50661b1676bc152c

SHA512
19da0f5c15f28aeb8875a3e3f3991d89065f307f2d8654cec75dc558654366cd9c10b134e7899a62d269b90bf18f93b389a6a919e05d2e6b0da06da4b760f61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
182260fba8a6e28218f9396bc67f91b6

SHA1
261de195ef7e5b9de8fa1e8fdebeccf731b857d6

SHA256
ad955134e46c416dcb225fd911cab8912c9b69a88143bc47bda55ab38d6b9d5b

SHA512
ea28e573433d264f35da40c2b63207a5e27735acff05970c736402b6288c35395b9327ddfba63b87b6966a4e570a95d2fd277d27572619798d3b9a40c2df989f

Download Submit