407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fb

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
Size

232KB
MD5

e5e8582082d3937b273cabea84b47b20
SHA1

16a5a4625db5ddff1ce94d0d5f698be7044cd55c
SHA256

407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fb
SHA512

6301c8b2c2952869b115dcc64760c0dea325c673cc3bf084402ad06615cdbfaf259b88e91ebc8ad9c7085d7fccf88056fe74c3fe1bf6462b96527e4d611e8416
SSDEEP

6144:wW3PFKs78g2KyEOaWEqxF6snji81RUinKdNO2:ZPh+mF3

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beifaa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	beifaa.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /h"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /g"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /f"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /z"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /w"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /u"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /b"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /e"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /x"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /k"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /y"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /t"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /c"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /v"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /j"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /n"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /p"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /s"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /m"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /i"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /l"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /a"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /o"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /t"	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /q"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /d"	beifaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\beifaa = "C:\\Users\\Admin\\beifaa.exe /r"	beifaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beifaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe
2840	beifaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
2840	beifaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2840	2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe	31
PID 2764 wrote to memory of 2840	2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe	31
PID 2764 wrote to memory of 2840	2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe	31
PID 2764 wrote to memory of 2840	2764	407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe	31

C:\Users\Admin\AppData\Local\Temp\407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe
"C:\Users\Admin\AppData\Local\Temp\407640d8df3b475239ca21733cfe450ce50ca3be2f60b71201e4f1b03a3b47fbN.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\beifaa.exe
  "C:\Users\Admin\beifaa.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\beifaa.exe

Filesize
232KB

MD5
d6edc1a86b8f82a1e5bd342f680b480b

SHA1
89ba13ceee77c3ee1850e3a9b0135500ec45bb41

SHA256
348ed67d47b59143691606c3e024998b1afbb72a5bc1fcfce9b9a9f959fd0a68

SHA512
9ee04bf3003df15edbc8543a53fb2424047aa1251fa1b95e01db4af44da0a67f4694345acb057a00221d4e7b3ba82be042e73036c61ee97f1712fd6bf9138938

Download Submit