File name:

beacon.exe

Full analysis: https://app.any.run/tasks/9147aa87-3970-4d95-96cd-cf85c81a3928
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: January 07, 2025, 18:09:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
backdoor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

4EA831CC1EF7A3CAE1538DEDF5AB308E

SHA1:

CE96061D313835DF5BFB68467D63B6F52243A030

SHA256:

A3259895B2669995737C8B080E7F5A563EAE843705A07272C63D905294783EB9

SSDEEP:

6144:W/r9kmD2Lk/8rvKC05UpQWH8wzIHYByFHZ3xZBQHN+KX8EcA:mKrvKiQWFIPFHRxZBQHNKEcA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • beacon.exe (PID: 2232)

    • COBALTSTRIKE has been detected (SURICATA)

      • beacon.exe (PID: 2232)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • beacon.exe (PID: 2232)

  • INFO

    • Checks supported languages

      • beacon.exe (PID: 2232)

    • Reads the computer name

      • beacon.exe (PID: 2232)

    • Reads the machine GUID from the registry

      • beacon.exe (PID: 2232)

    • Checks proxy server information

      • beacon.exe (PID: 2232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(2232) beacon.exe
C2 (1)192.168.1.175/ga.js
BeaconTypeHTTP
Port80
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFLEfmO7OqfUUAgxt0dbsQM/Ty e2ayO3rOSRnxl1eNPcYz01DzVrIaLpnxv+loUdIfiSX5MODydXczVNqO6ILmYU/D qZyIFaRyv6vkPNTcSCeVSVGoN/eyc5QfcYqKMbMUqH2b3sXfr+uggt/wSrfhO5nu aQhGxXnjaRpKB7G2gQIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub00000000000000000000000000000000
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34
CodeSize: 8704
InitializedDataSize: 294912
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE beacon.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Users\admin\AppData\Local\Temp\beacon.exe" C:\Users\admin\AppData\Local\Temp\beacon.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\beacon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
CobalStrike
(PID) Process(2232) beacon.exe
C2 (1)192.168.1.175/ga.js
BeaconTypeHTTP
Port80
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFLEfmO7OqfUUAgxt0dbsQM/Ty e2ayO3rOSRnxl1eNPcYz01DzVrIaLpnxv+loUdIfiSX5MODydXczVNqO6ILmYU/D qZyIFaRyv6vkPNTcSCeVSVGoN/eyc5QfcYqKMbMUqH2b3sXfr+uggt/wSrfhO5nu aQhGxXnjaRpKB7G2gQIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub00000000000000000000000000000000
ProcInject_AllocationMethodVirtualAllocEx
Total events
370
Read events
367
Write events
3
Delete events
0

Modification events

(PID) Process:(2232) beacon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2232) beacon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2232) beacon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
47
DNS requests
15
Threats
4

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.214:49684
unknown
2164
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
1176
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.73
  • 40.126.31.67
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
  • 2a01:111:f100:9001::1761:914d
whitelisted
241.42.69.40.in-addr.arpa
unknown
d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
unknown
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

PID
Process
Class
Message
2232
beacon.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
2232
beacon.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
2232
beacon.exe
Targeted Malicious Activity was Detected
ET MALWARE Cobalt Strike Beacon Observed
2232
beacon.exe
A Network Trojan was detected
BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
beacon.exe