e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd

General

Target

e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
Size

300KB
MD5

cd54cb1f4864bce38f8d0119c24b2222
SHA1

e67b482d112804fc244d2ec34b235c577d9d7d79
SHA256

e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd
SHA512

73409373004ed8b0c6db1e519b3e2b34883f80bc628121db56e96a4a504d5f4336406e7d3bee53c6a4c7380fe27f390c23884254448cb376479ae81c9ec2b0e9
SSDEEP

6144:D6XgdcbBWNIgx+l4Am5Q7kHdZisdYS8Byw9zqzeHruHXaRr7Z+uZA4MAyWX:+QdcbBRgIlM50kHdZiIzw9zoeHruHXaW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

epzyte.exe

pid process

820 epzyte.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

536 cmd.exe

pid	process
536	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe

pid	process
1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

epzyte.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	epzyte.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epzyte = "C:\\Users\\Admin\\AppData\\Roaming\\Petiyj\\epzyte.exe"	epzyte.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe

description pid process target process

PID 1724 set thread context of 536 1724 e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe cmd.exe

description	pid	process	target process
PID 1724 set thread context of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

epzyte.exe

pid	process
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe
820	epzyte.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exeepzyte.exe

description	pid	process	target process
PID 1724 wrote to memory of 820	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	epzyte.exe
PID 1724 wrote to memory of 820	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	epzyte.exe
PID 1724 wrote to memory of 820	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	epzyte.exe
PID 1724 wrote to memory of 820	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	epzyte.exe
PID 820 wrote to memory of 1200	820	epzyte.exe	taskhost.exe
PID 820 wrote to memory of 1200	820	epzyte.exe	taskhost.exe
PID 820 wrote to memory of 1200	820	epzyte.exe	taskhost.exe
PID 820 wrote to memory of 1200	820	epzyte.exe	taskhost.exe
PID 820 wrote to memory of 1200	820	epzyte.exe	taskhost.exe
PID 820 wrote to memory of 1308	820	epzyte.exe	Dwm.exe
PID 820 wrote to memory of 1308	820	epzyte.exe	Dwm.exe
PID 820 wrote to memory of 1308	820	epzyte.exe	Dwm.exe
PID 820 wrote to memory of 1308	820	epzyte.exe	Dwm.exe
PID 820 wrote to memory of 1308	820	epzyte.exe	Dwm.exe
PID 820 wrote to memory of 1348	820	epzyte.exe	Explorer.EXE
PID 820 wrote to memory of 1348	820	epzyte.exe	Explorer.EXE
PID 820 wrote to memory of 1348	820	epzyte.exe	Explorer.EXE
PID 820 wrote to memory of 1348	820	epzyte.exe	Explorer.EXE
PID 820 wrote to memory of 1348	820	epzyte.exe	Explorer.EXE
PID 820 wrote to memory of 1724	820	epzyte.exe	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
PID 820 wrote to memory of 1724	820	epzyte.exe	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
PID 820 wrote to memory of 1724	820	epzyte.exe	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
PID 820 wrote to memory of 1724	820	epzyte.exe	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
PID 820 wrote to memory of 1724	820	epzyte.exe	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe
PID 1724 wrote to memory of 536	1724	e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe
"C:\Users\Admin\AppData\Local\Temp\e3aef0f0fa53bcd17829119dd122372d50ffdd47a7982aadc6f0260418c767bd.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe
"C:\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PKN5909.bat"
3⤵
- Deletes itself
PID:536

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PKN5909.bat
Filesize
303B

MD5
94e17518d0a87dab03a221821e6214f9

SHA1
38a531ea9dcb4008baed7ed914f92d5705cbdca6

SHA256
62f03f237972cc3f7b05a7f158eb4a6b6e98a7c1224c177bff04d01cc7cbd26d

SHA512
f3b43e3c5fa543bf57c265c53bcad9c6ec82809876effd5b9a5bbf2e41d58fb235d805e548b4c97f6ade22c16ac78ed37f6e82644504f0ec47a8187385f8baab

Download Submit
C:\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe
Filesize
300KB

MD5
0a0cd1fd74ea907923cf0ab1db2d5a96

SHA1
c2eb1bf4b15537b0b8f01a13043cfee65938ee48

SHA256
98cd0ec447d12e5d4503bf64b7181b0cf7c08901a4af55d339a7a44253d68293

SHA512
92a12d38ea63f6f30f1c2898e89460edc9cf9d1208ef0622e36b089541a3ae22f8efb15c8f67e52a363cab6ef74110f712a546b5a8f626331c48ff31d2749e33

Download Submit
C:\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe
Filesize
300KB

MD5
0a0cd1fd74ea907923cf0ab1db2d5a96

SHA1
c2eb1bf4b15537b0b8f01a13043cfee65938ee48

SHA256
98cd0ec447d12e5d4503bf64b7181b0cf7c08901a4af55d339a7a44253d68293

SHA512
92a12d38ea63f6f30f1c2898e89460edc9cf9d1208ef0622e36b089541a3ae22f8efb15c8f67e52a363cab6ef74110f712a546b5a8f626331c48ff31d2749e33

Download Submit
\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe
Filesize
300KB

MD5
0a0cd1fd74ea907923cf0ab1db2d5a96

SHA1
c2eb1bf4b15537b0b8f01a13043cfee65938ee48

SHA256
98cd0ec447d12e5d4503bf64b7181b0cf7c08901a4af55d339a7a44253d68293

SHA512
92a12d38ea63f6f30f1c2898e89460edc9cf9d1208ef0622e36b089541a3ae22f8efb15c8f67e52a363cab6ef74110f712a546b5a8f626331c48ff31d2749e33

Download Submit
\Users\Admin\AppData\Roaming\Petiyj\epzyte.exe
Filesize
300KB

MD5
0a0cd1fd74ea907923cf0ab1db2d5a96

SHA1
c2eb1bf4b15537b0b8f01a13043cfee65938ee48

SHA256
98cd0ec447d12e5d4503bf64b7181b0cf7c08901a4af55d339a7a44253d68293

SHA512
92a12d38ea63f6f30f1c2898e89460edc9cf9d1208ef0622e36b089541a3ae22f8efb15c8f67e52a363cab6ef74110f712a546b5a8f626331c48ff31d2749e33

Download Submit
memory/536-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/536-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/536-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/536-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/536-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/536-103-0x0000000000074F98-mapping.dmp

Download
memory/536-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/820-59-0x0000000000000000-mapping.dmp

Download
memory/820-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1200-69-0x0000000001F50000-0x0000000001F99000-memory.dmp

Filesize
292KB

Download
memory/1200-65-0x0000000001F50000-0x0000000001F99000-memory.dmp

Filesize
292KB

Download
memory/1200-67-0x0000000001F50000-0x0000000001F99000-memory.dmp

Filesize
292KB

Download
memory/1200-68-0x0000000001F50000-0x0000000001F99000-memory.dmp

Filesize
292KB

Download
memory/1200-70-0x0000000001F50000-0x0000000001F99000-memory.dmp

Filesize
292KB

Download
memory/1308-76-0x00000000001A0000-0x00000000001E9000-memory.dmp

Filesize
292KB

Download
memory/1308-73-0x00000000001A0000-0x00000000001E9000-memory.dmp

Filesize
292KB

Download
memory/1308-74-0x00000000001A0000-0x00000000001E9000-memory.dmp

Filesize
292KB

Download
memory/1308-75-0x00000000001A0000-0x00000000001E9000-memory.dmp

Filesize
292KB

Download
memory/1348-81-0x0000000002630000-0x0000000002679000-memory.dmp

Filesize
292KB

Download
memory/1348-80-0x0000000002630000-0x0000000002679000-memory.dmp

Filesize
292KB

Download
memory/1348-82-0x0000000002630000-0x0000000002679000-memory.dmp

Filesize
292KB

Download
memory/1348-79-0x0000000002630000-0x0000000002679000-memory.dmp

Filesize
292KB

Download
memory/1724-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-88-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1724-98-0x0000000001DB0000-0x00000000029FA000-memory.dmp

Filesize
12.3MB

Download
memory/1724-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-86-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1724-87-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1724-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1724-85-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1724-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1724-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads