8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe
Size

311KB
MD5

a3962bf2a21f34818449e04019363650
SHA1

f39694542a2074d66b271fcc12fd6195aba513a7
SHA256

8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6
SHA512

53128eb391e59cadaa0105ec8cc665d5dea54874085a9f342803fd3927f7db1313b91b9c8013e8512d91e02d8db177d588f722c662edff5be69fc28f79701e95
SSDEEP

6144:e9YMRrQyO3CvUD0nV+10e+cDCRpuASljKWT8d8ctrIN3CW:OZa3w5eXORkjKWwamU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1220	peyr.exe

Deletes itself 1 IoCs

pid	Process
648	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe
864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	peyr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ibciew\\peyr.exe"	peyr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe
1220	peyr.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1220	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	27
PID 864 wrote to memory of 1220	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	27
PID 864 wrote to memory of 1220	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	27
PID 864 wrote to memory of 1220	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	27
PID 1220 wrote to memory of 1140	1220	peyr.exe	14
PID 1220 wrote to memory of 1140	1220	peyr.exe	14
PID 1220 wrote to memory of 1140	1220	peyr.exe	14
PID 1220 wrote to memory of 1140	1220	peyr.exe	14
PID 1220 wrote to memory of 1140	1220	peyr.exe	14
PID 1220 wrote to memory of 1240	1220	peyr.exe	13
PID 1220 wrote to memory of 1240	1220	peyr.exe	13
PID 1220 wrote to memory of 1240	1220	peyr.exe	13
PID 1220 wrote to memory of 1240	1220	peyr.exe	13
PID 1220 wrote to memory of 1240	1220	peyr.exe	13
PID 1220 wrote to memory of 1296	1220	peyr.exe	12
PID 1220 wrote to memory of 1296	1220	peyr.exe	12
PID 1220 wrote to memory of 1296	1220	peyr.exe	12
PID 1220 wrote to memory of 1296	1220	peyr.exe	12
PID 1220 wrote to memory of 1296	1220	peyr.exe	12
PID 1220 wrote to memory of 864	1220	peyr.exe	26
PID 1220 wrote to memory of 864	1220	peyr.exe	26
PID 1220 wrote to memory of 864	1220	peyr.exe	26
PID 1220 wrote to memory of 864	1220	peyr.exe	26
PID 1220 wrote to memory of 864	1220	peyr.exe	26
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28
PID 864 wrote to memory of 648	864	8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe
  "C:\Users\Admin\AppData\Local\Temp\8103e34bccf94c1171907b88cb5a257d015e6a6a15ffe6b341c4fe8301ee60f6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Roaming\Ibciew\peyr.exe
    "C:\Users\Admin\AppData\Roaming\Ibciew\peyr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc29eb04c.bat"
    3⤵
    - Deletes itself
    PID:648

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc29eb04c.bat

Filesize
307B

MD5
2e34601f7aa5218aa5414a78d1f5fdfd

SHA1
86da641b85a177998e57d30b4f6744dc8b1068dd

SHA256
0f819f2dea058f52db23f32afe73cb9eeae89b0ed4bf42b6a3b16eb147fb8804

SHA512
ccdf33576dfbfc4f6681cfa384243acd258d23de080b56dbcce286c2cd1881687e680919ef4ea1292fec7b3102ccbdbd1650687d5605779baf7b8b1181acb302

Download Submit
C:\Users\Admin\AppData\Roaming\Ibciew\peyr.exe

Filesize
311KB

MD5
a32d46a348b25aa6a2de7d6cf0ee1b23

SHA1
606eccb8fa4a1c9f4283510ef624cfb822699def

SHA256
f22971846a26652051408fea49af84f4e63d6758eb7efa57a8183df7c7f4ea75

SHA512
4246a5b4e2eb4027574a5bc2f40b32c47252ddd85b96f390d700e947fe93716813d4de2af2fa48dc3eff40d83e336a68ec70a63b13ea56c345eaf408ca0b6175

Download Submit
C:\Users\Admin\AppData\Roaming\Ibciew\peyr.exe

Filesize
311KB

MD5
a32d46a348b25aa6a2de7d6cf0ee1b23

SHA1
606eccb8fa4a1c9f4283510ef624cfb822699def

SHA256
f22971846a26652051408fea49af84f4e63d6758eb7efa57a8183df7c7f4ea75

SHA512
4246a5b4e2eb4027574a5bc2f40b32c47252ddd85b96f390d700e947fe93716813d4de2af2fa48dc3eff40d83e336a68ec70a63b13ea56c345eaf408ca0b6175

Download Submit
\Users\Admin\AppData\Roaming\Ibciew\peyr.exe

Filesize
311KB

MD5
a32d46a348b25aa6a2de7d6cf0ee1b23

SHA1
606eccb8fa4a1c9f4283510ef624cfb822699def

SHA256
f22971846a26652051408fea49af84f4e63d6758eb7efa57a8183df7c7f4ea75

SHA512
4246a5b4e2eb4027574a5bc2f40b32c47252ddd85b96f390d700e947fe93716813d4de2af2fa48dc3eff40d83e336a68ec70a63b13ea56c345eaf408ca0b6175

Download Submit
\Users\Admin\AppData\Roaming\Ibciew\peyr.exe

Filesize
311KB

MD5
a32d46a348b25aa6a2de7d6cf0ee1b23

SHA1
606eccb8fa4a1c9f4283510ef624cfb822699def

SHA256
f22971846a26652051408fea49af84f4e63d6758eb7efa57a8183df7c7f4ea75

SHA512
4246a5b4e2eb4027574a5bc2f40b32c47252ddd85b96f390d700e947fe93716813d4de2af2fa48dc3eff40d83e336a68ec70a63b13ea56c345eaf408ca0b6175

Download Submit
memory/648-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-113-0x00000000000D0000-0x0000000000118000-memory.dmp

Filesize
288KB

Download
memory/648-97-0x00000000000D0000-0x0000000000118000-memory.dmp

Filesize
288KB

Download
memory/648-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/648-101-0x00000000000D0000-0x0000000000118000-memory.dmp

Filesize
288KB

Download
memory/648-100-0x00000000000D0000-0x0000000000118000-memory.dmp

Filesize
288KB

Download
memory/648-99-0x00000000000D0000-0x0000000000118000-memory.dmp

Filesize
288KB

Download
memory/864-86-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/864-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/864-85-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/864-88-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/864-87-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/864-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-103-0x0000000001C20000-0x0000000001C68000-memory.dmp

Filesize
288KB

Download
memory/864-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/864-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-65-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/1140-67-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/1140-68-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/1140-70-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/1140-69-0x0000000000410000-0x0000000000458000-memory.dmp

Filesize
288KB

Download
memory/1240-73-0x0000000001CE0000-0x0000000001D28000-memory.dmp

Filesize
288KB

Download
memory/1240-74-0x0000000001CE0000-0x0000000001D28000-memory.dmp

Filesize
288KB

Download
memory/1240-75-0x0000000001CE0000-0x0000000001D28000-memory.dmp

Filesize
288KB

Download
memory/1240-76-0x0000000001CE0000-0x0000000001D28000-memory.dmp

Filesize
288KB

Download
memory/1296-81-0x00000000029D0000-0x0000000002A18000-memory.dmp

Filesize
288KB

Download
memory/1296-79-0x00000000029D0000-0x0000000002A18000-memory.dmp

Filesize
288KB

Download
memory/1296-80-0x00000000029D0000-0x0000000002A18000-memory.dmp

Filesize
288KB

Download
memory/1296-82-0x00000000029D0000-0x0000000002A18000-memory.dmp

Filesize
288KB

Download