56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5

General

Target

56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
Size

298KB
MD5

983d2362a85f7746fdb4288a48359b38
SHA1

fa0b17cadc99cd18566b406dc209c7c9df5108e3
SHA256

56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5
SHA512

116d863e1c82a6beefb05fc2ed9d613a2e3d18d96e8c62b51eda8408b04fee33b405425bcb8d29f8c818733c47145fa7075ba00b2a7acaae5cdc200ec938e946
SSDEEP

6144:TgDPnPsHhCU9lLtfXOiHYtr2R15iw8+UislkfcXrse60Sz:TCPnPI9vPOWYtr2RjidWwkf+6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

peype.exe

pid process

2040 peype.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe

pid	process
1652	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe

pid	process
908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

peype.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	peype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Peype = "C:\\Users\\Admin\\AppData\\Roaming\\Itsyav\\peype.exe"	peype.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe

description pid process target process

PID 908 set thread context of 1652 908 56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe cmd.exe

description	pid	process	target process
PID 908 set thread context of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

peype.exe

pid	process
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe
2040	peype.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exepeype.exe

description	pid	process	target process
PID 908 wrote to memory of 2040	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	peype.exe
PID 908 wrote to memory of 2040	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	peype.exe
PID 908 wrote to memory of 2040	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	peype.exe
PID 908 wrote to memory of 2040	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	peype.exe
PID 2040 wrote to memory of 1132	2040	peype.exe	taskhost.exe
PID 2040 wrote to memory of 1132	2040	peype.exe	taskhost.exe
PID 2040 wrote to memory of 1132	2040	peype.exe	taskhost.exe
PID 2040 wrote to memory of 1132	2040	peype.exe	taskhost.exe
PID 2040 wrote to memory of 1132	2040	peype.exe	taskhost.exe
PID 2040 wrote to memory of 1244	2040	peype.exe	Dwm.exe
PID 2040 wrote to memory of 1244	2040	peype.exe	Dwm.exe
PID 2040 wrote to memory of 1244	2040	peype.exe	Dwm.exe
PID 2040 wrote to memory of 1244	2040	peype.exe	Dwm.exe
PID 2040 wrote to memory of 1244	2040	peype.exe	Dwm.exe
PID 2040 wrote to memory of 1300	2040	peype.exe	Explorer.EXE
PID 2040 wrote to memory of 1300	2040	peype.exe	Explorer.EXE
PID 2040 wrote to memory of 1300	2040	peype.exe	Explorer.EXE
PID 2040 wrote to memory of 1300	2040	peype.exe	Explorer.EXE
PID 2040 wrote to memory of 1300	2040	peype.exe	Explorer.EXE
PID 2040 wrote to memory of 908	2040	peype.exe	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
PID 2040 wrote to memory of 908	2040	peype.exe	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
PID 2040 wrote to memory of 908	2040	peype.exe	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
PID 2040 wrote to memory of 908	2040	peype.exe	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
PID 2040 wrote to memory of 908	2040	peype.exe	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe
PID 908 wrote to memory of 1652	908	56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe
"C:\Users\Admin\AppData\Local\Temp\56cba8c193bc2b58f511d65901390a8fdd6ca36127afc138a8cc6140c2bd73e5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\Itsyav\peype.exe
"C:\Users\Admin\AppData\Roaming\Itsyav\peype.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DJD768F.bat"
3⤵
- Deletes itself
PID:1652

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DJD768F.bat
Filesize
303B

MD5
9abf212a256a802d4bccf9695f07ace2

SHA1
14ab2913b4e2a49ec9a13f7d373f127f19260dc9

SHA256
aed99822d7f1404b366c631dcc2d42ec664cc9a67890ddee9ca5343149ed2601

SHA512
038032547e7b1c6f6cbafe272e2bd4089f7ee243a9fcd0e80183e507d03967b5d1c805e8221d910c22b3e47b51fe73f24afc028bd46a74d4fe751e74c8de4734

Download Submit
C:\Users\Admin\AppData\Roaming\Itsyav\peype.exe
Filesize
298KB

MD5
5c5b30dfada550980788a14f30747d1e

SHA1
96224fd5745d29b06a5bc417652b0fd92acc765c

SHA256
03f8d17d4025349a20fa11ba265e8cb60f13c0e630936b5e7068131a736bc18e

SHA512
91739638c22965d06f8e3578707821228dcf1df897fdf26aaf312828b75cb4755c0d6f08048bb047761978a92e9ecb0d12f01817558887df92f8c69e469779e8

Download Submit
C:\Users\Admin\AppData\Roaming\Itsyav\peype.exe
Filesize
298KB

MD5
5c5b30dfada550980788a14f30747d1e

SHA1
96224fd5745d29b06a5bc417652b0fd92acc765c

SHA256
03f8d17d4025349a20fa11ba265e8cb60f13c0e630936b5e7068131a736bc18e

SHA512
91739638c22965d06f8e3578707821228dcf1df897fdf26aaf312828b75cb4755c0d6f08048bb047761978a92e9ecb0d12f01817558887df92f8c69e469779e8

Download Submit
\Users\Admin\AppData\Roaming\Itsyav\peype.exe
Filesize
298KB

MD5
5c5b30dfada550980788a14f30747d1e

SHA1
96224fd5745d29b06a5bc417652b0fd92acc765c

SHA256
03f8d17d4025349a20fa11ba265e8cb60f13c0e630936b5e7068131a736bc18e

SHA512
91739638c22965d06f8e3578707821228dcf1df897fdf26aaf312828b75cb4755c0d6f08048bb047761978a92e9ecb0d12f01817558887df92f8c69e469779e8

Download Submit
\Users\Admin\AppData\Roaming\Itsyav\peype.exe
Filesize
298KB

MD5
5c5b30dfada550980788a14f30747d1e

SHA1
96224fd5745d29b06a5bc417652b0fd92acc765c

SHA256
03f8d17d4025349a20fa11ba265e8cb60f13c0e630936b5e7068131a736bc18e

SHA512
91739638c22965d06f8e3578707821228dcf1df897fdf26aaf312828b75cb4755c0d6f08048bb047761978a92e9ecb0d12f01817558887df92f8c69e469779e8

Download Submit
memory/908-103-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/908-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/908-85-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/908-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/908-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/908-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/908-88-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/908-87-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/908-86-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1132-69-0x0000000001B70000-0x0000000001BB9000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001B70000-0x0000000001BB9000-memory.dmp

Filesize
292KB

Download
memory/1132-68-0x0000000001B70000-0x0000000001BB9000-memory.dmp

Filesize
292KB

Download
memory/1132-67-0x0000000001B70000-0x0000000001BB9000-memory.dmp

Filesize
292KB

Download
memory/1132-65-0x0000000001B70000-0x0000000001BB9000-memory.dmp

Filesize
292KB

Download
memory/1244-76-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/1244-75-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/1244-74-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/1244-73-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/1300-82-0x0000000002650000-0x0000000002699000-memory.dmp

Filesize
292KB

Download
memory/1300-81-0x0000000002650000-0x0000000002699000-memory.dmp

Filesize
292KB

Download
memory/1300-80-0x0000000002650000-0x0000000002699000-memory.dmp

Filesize
292KB

Download
memory/1300-79-0x0000000002650000-0x0000000002699000-memory.dmp

Filesize
292KB

Download
memory/1652-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1652-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1652-102-0x0000000000083B6A-mapping.dmp

Download
memory/1652-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1652-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1652-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1652-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads