5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a

General

Target

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
Size

327KB
MD5

af5802e08b93be5ba00e7f52e7012807
SHA1

b493160c357482e4dbec84e750e1d21d9fdafc15
SHA256

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a
SHA512

ceb82c4cb2e24911ae0e5ee3696761b1b7f5e40291da1c33f6beb6e412bbf17ebd80cfff048867fe2a08e1debbb637c2a5501d53a6aef1cd8401801ee82d8b4e
SSDEEP

6144:FJCvfb//eyEFyOStCMWQUt67Q4yP0hTTyN/+CrU+O+LqO:FJKb//evFyOStoy7yP0VbCA+qO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

piez.exe

pid process

756 piez.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe

description pid process target process

PID 904 set thread context of 5028 904 5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

piez.exe

pid process

756 piez.exe
756 piez.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exepiez.exe

pid process

904 5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
756 piez.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe

description pid process

Token: SeSecurityPrivilege 904 5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe

pid	process
756	piez.exe

description	pid	process	target process
PID 904 set thread context of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe

pid	process
756	piez.exe
756	piez.exe

pid	process
904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
756	piez.exe

description	pid	process
Token: SeSecurityPrivilege	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exepiez.exe

description	pid	process	target process
PID 904 wrote to memory of 756	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	piez.exe
PID 904 wrote to memory of 756	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	piez.exe
PID 904 wrote to memory of 756	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	piez.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 1568	756	piez.exe	explorer.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 756 wrote to memory of 904	756	piez.exe	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe
PID 904 wrote to memory of 5028	904	5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe
"C:\Users\Admin\AppData\Local\Temp\5eeeff350333bae8cc0e8a0fb2117e366e65f513e2b21144a52f70e98474f04a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Roaming\Yvadt\piez.exe
  "C:\Users\Admin\AppData\Roaming\Yvadt\piez.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa12869f1.bat"
  2⤵
  PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Yvadt\piez.exe

Filesize
327KB

MD5
7dc1d7427f0e18db4ce9ad67690e5ae9

SHA1
537c6f3dfde0f5c5f1cad8b00f21890c9efc9ec2

SHA256
a55bc6df8c7bdae085ac19ba971114af831548216a3e7ef118c585176dc12f2c

SHA512
a9351b823f5e962b2dc881e6f14160ef0fdfa208c832a6b546f0e8bc5c188bbeb8f709032bcb5961a51a305417df1361d5e70292b23fd7183e2f78211b5fdc97

Download Submit
C:\Users\Admin\AppData\Roaming\Yvadt\piez.exe

Filesize
327KB

MD5
7dc1d7427f0e18db4ce9ad67690e5ae9

SHA1
537c6f3dfde0f5c5f1cad8b00f21890c9efc9ec2

SHA256
a55bc6df8c7bdae085ac19ba971114af831548216a3e7ef118c585176dc12f2c

SHA512
a9351b823f5e962b2dc881e6f14160ef0fdfa208c832a6b546f0e8bc5c188bbeb8f709032bcb5961a51a305417df1361d5e70292b23fd7183e2f78211b5fdc97

Download Submit
memory/756-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/756-141-0x0000000002230000-0x00000000022C5000-memory.dmp

Filesize
596KB

Download
memory/756-135-0x0000000000000000-mapping.dmp

Download
memory/904-143-0x0000000000530000-0x000000000055C000-memory.dmp

Filesize
176KB

Download
memory/904-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/904-132-0x00000000025A0000-0x0000000002635000-memory.dmp

Filesize
596KB

Download
memory/904-146-0x0000000000530000-0x000000000055C000-memory.dmp

Filesize
176KB

Download
memory/1568-140-0x0000000000000000-mapping.dmp

Download
memory/1568-142-0x0000000000810000-0x000000000083C000-memory.dmp

Filesize
176KB

Download
memory/5028-144-0x0000000000000000-mapping.dmp

Download
memory/5028-145-0x0000000000E10000-0x0000000000E3C000-memory.dmp

Filesize
176KB

Download
memory/5028-147-0x0000000000E10000-0x0000000000E3C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing