9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811

General

Target

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
Size

284KB
MD5

d4bada7dc36cecb9103aa0c4c3da86ec
SHA1

5b79c30842bdbddbea7c06b224c4f56cc49cd904
SHA256

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811
SHA512

927e0659d12df7cf28bf491649df69fae5245f4a642c44e932646e5a7f1d2d07eb398946c2b1ab964cf92de5418c8b9b7e4ec207414db6e50f819c042f8ec9bf
SSDEEP

6144:nrGy4dp5EUQmsBglXEOPdn/oocj+bjmmYVSx6Le46u+LqduD:nx4dp5Fyq39QryYMx6LyKw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

peso.exe

pid process

1484 peso.exe

pid	process
1484	peso.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe

description	pid	process	target process
PID 1028 set thread context of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

peso.exe

pid process

1484 peso.exe
1484 peso.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exepeso.exe

pid process

1028 9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
1484 peso.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe

description pid process

Token: SeSecurityPrivilege 1028 9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe

pid	process
1484	peso.exe
1484	peso.exe

pid	process
1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
1484	peso.exe

description	pid	process
Token: SeSecurityPrivilege	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exepeso.exe

description	pid	process	target process
PID 1028 wrote to memory of 1484	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	peso.exe
PID 1028 wrote to memory of 1484	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	peso.exe
PID 1028 wrote to memory of 1484	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	peso.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 5036	1484	peso.exe	explorer.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1484 wrote to memory of 1028	1484	peso.exe	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe
PID 1028 wrote to memory of 2236	1028	9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe
"C:\Users\Admin\AppData\Local\Temp\9680c5a21334779e858c88dd01d35fafedd2d359080f813771f8de8c55dca811.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Roaming\Yfzu\peso.exe
"C:\Users\Admin\AppData\Roaming\Yfzu\peso.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp021b7bff.bat"
2⤵
PID:2236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Yfzu\peso.exe

Filesize
284KB

MD5
dba4ba9b97095d5b9ef29ff2775afd9e

SHA1
1f6ef61f6015755ef03e83bd22b545dbbadecd74

SHA256
0687ac71fab8ea9a2d8b06acfbda3b13b183e289adaad1923f91947b05bacaff

SHA512
34348ce52701b2072e47bfccfb0403255af5822b581b625afd22e28dd35a7ba56c5216281cff1d7a7ce3bbdac47156524eaad7fccfefdc07e3e24af892eaae5b

Download Submit
C:\Users\Admin\AppData\Roaming\Yfzu\peso.exe

Filesize
284KB

MD5
dba4ba9b97095d5b9ef29ff2775afd9e

SHA1
1f6ef61f6015755ef03e83bd22b545dbbadecd74

SHA256
0687ac71fab8ea9a2d8b06acfbda3b13b183e289adaad1923f91947b05bacaff

SHA512
34348ce52701b2072e47bfccfb0403255af5822b581b625afd22e28dd35a7ba56c5216281cff1d7a7ce3bbdac47156524eaad7fccfefdc07e3e24af892eaae5b

Download Submit
memory/1028-143-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1028-133-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1028-132-0x0000000002B10000-0x0000000002BA5000-memory.dmp

Filesize
596KB

Download
memory/1028-146-0x0000000000520000-0x000000000054C000-memory.dmp

Filesize
176KB

Download
memory/1484-135-0x0000000000000000-mapping.dmp

Download
memory/1484-138-0x0000000002A70000-0x0000000002B05000-memory.dmp

Filesize
596KB

Download
memory/1484-139-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2236-144-0x0000000000000000-mapping.dmp

Download
memory/2236-145-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/2236-147-0x00000000001D0000-0x00000000001FC000-memory.dmp

Filesize
176KB

Download
memory/5036-141-0x0000000000000000-mapping.dmp

Download
memory/5036-142-0x00000000009C0000-0x00000000009EC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing