1e2c5efda2b56843cf1850540ea1512701a9e2f24b0c1db6071a525ad75fe225

Analysis

max time kernel
25s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PeaceSetup.exe
Size

28.0MB
MD5

f5989ab2c0915ba65bcdb434ba002f79
SHA1

d2995453cc3d72920b65c8c7b238ede93373f77f
SHA256

1e2c5efda2b56843cf1850540ea1512701a9e2f24b0c1db6071a525ad75fe225
SHA512

d115245d32d363a888dffe26b7294a223cd5661221979e4ec85683133f644372d892d4c9a31c1fca7f6a4077d33b91c4c338ce003575e0aa9f1a0aee91fb0ab4
SSDEEP

786432:hR5Q2OenGaHyaXwF98Dw2SO7C1rUDHf4Fr7Y:hs25SDv8E2SOe1rXFrc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4148	msedge.exe
4148	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3452	PeaceSetup.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2168	3452	PeaceSetup.exe	89
PID 3452 wrote to memory of 2168	3452	PeaceSetup.exe	89
PID 2168 wrote to memory of 2372	2168	msedge.exe	91
PID 2168 wrote to memory of 2372	2168	msedge.exe	91
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 3652	2168	msedge.exe	93
PID 2168 wrote to memory of 4148	2168	msedge.exe	92
PID 2168 wrote to memory of 4148	2168	msedge.exe	92
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94
PID 2168 wrote to memory of 2636	2168	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\PeaceSetup.exe
"C:\Users\Admin\AppData\Local\Temp\PeaceSetup.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://sourceforge.net/projects/equalizerapo
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffcb6f146f8,0x7ffcb6f14708,0x7ffcb6f14718
    3⤵
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:3652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
    3⤵
    PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18436569035407956788,4808754351346089666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    3⤵
    PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
3acec0a937390bb393bf20339297512f

SHA1
84c22a9d003a629531433e41eb85a25cdff16cbc

SHA256
d45eb868cc043bca234a061d5b9f0fc00c34c0126a64a805a0abdf212aa591d2

SHA512
602826a438b250289615f63e5bf164589acf8e5905f9eca797fa1b6ffd2d7adf6f496ee5f5c6fdf2d94b1ab11c0f9eb50f308d384b44eeb3fa63a3a5effe0c24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
4b18bddee15117e13026cdf535e1ebf0

SHA1
d5d1f53fd25868567ae5c1cc1619d2b8663238c6

SHA256
2193f054fc6a850583fae7b85991f64da98c06f9c1a976affdfb10f014252477

SHA512
e98137bf32198f8301aaad1fcd21f0992612f128d6965080ef9fe866e8af57760545abe772bfd0846e895a3dfe3b3ec980d5e72b3e6b0e87f621c29629b8890d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
97bd0fc6221562ef481ffec7a22612c6

SHA1
cbf422de8c74ab7b0d13fd85339d488ed5840d25

SHA256
3d1dc7273dc308da91e154b78e5c6a47ae8b03c27f2570649d43f6b3ba218dd5

SHA512
82d5f9d65c19e1068eaede742ea66ae9e36cefc80a9b956e5c667dd8901d8a05f750614fe5ebceea8993fed925957281727c9779b37b8eebb030f17cf11d9d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5f5369274e3bfbc449588bbb57bd383

SHA1
58bb46d57bd70c1c0bcbad619353cbe185f34c3b

SHA256
4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464

SHA512
04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d046b18a11e09d5ef412de6ce7add262

SHA1
32c06b884d9eb9ecf365810e2720f7f13081e8d4

SHA256
bea8c9fee7c649c4d44d73478c25d2c1226d120ffb5c0023026252839359bdfd

SHA512
f60352cfbeb8e4ce406d54947a8932c419592b9c51ebf74e1a222acdf734d57329c55097f7e035492b438abf65f70a025b88f5781d3a9cceea88a697c0658c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\YouTube.png

Filesize
1KB

MD5
e475abb25afd7b4b9fff2b0a40a7dab1

SHA1
70ecf5241076808be3241f24b58b927fdc8cb468

SHA256
a93a425b641c1dfbf83addfeaf1e7438d571cb49ce617ba863c1c9b1b8b36c27

SHA512
3b717580a89cba780c8172af28faece249500450680000159983f81a38cbc72e2d1b89663551c70d6adc2433b22fba33725aeeec5b27c8d54c43bfa0347bba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\arrow.png

Filesize
574B

MD5
735f5e92b74c67eda5184bbc44879cc3

SHA1
4a2ae1a7b39335c4bdcd133611e964b214ccbc18

SHA256
3e4a7dab25f24d23f3cbbfa55d2d033d4f92cfb8ff911fb9bb1aa6e12c16e69c

SHA512
5f2baceb0e3a02f22b08fd2bd7446f439672080ef85136e5ac23cd5718f683304b12a38320c196c0209faec4c0e4f6c8e427e775aabfa5fa7fb78b5506e9fe58

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB48C.tmp

Filesize
591KB

MD5
2771b8caf867bee720ca689464d15d5d

SHA1
bc3579825fd4468d6c20ea737f9b0917497b4c08

SHA256
ac437bf2e3d3a9567e00ad3804970a9b26adf91ed9a2353468481e1babcdb695

SHA512
efd84d1d78a32c908ea98d524fe5fa316e7b958e9b986e367a932e40cc6a9206576d6e654e0f1496e71ae157ae841b77e7e96896d0f16fe0a4b19cb6db169c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.png

Filesize
459B

MD5
f355635b69fd5227ff80925ac6c6bd60

SHA1
42f2757798093ae40ef4392798589c0eafe93e6d

SHA256
b1940b89f14666a26330f483b8af2a549b3d5d313c6edc2bd38e8f3f1bf47481

SHA512
187b701c112c69ec3ab1fc0bc330d3b6c71bdc34c829ed749d209b153935c15746b2aba7c6ebf900154b275d1c6441a33d6a00e53e597eca673a8aefde185964

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.png

Filesize
1KB

MD5
f25f6987af090a2ee15a588e5a038fec

SHA1
7f6db7d8b50ecf1629d5945b1032abbe5618c7a0

SHA256
13fe33490556ee3474755f66c56bac856a5713bc496f8dd21b42ea9c06655cdf

SHA512
eeb2113ad5957ffa2cc0cb23d06d23ad62851a8fceaf185f3875cebda009df10f57d68c86af373b41609f6d02445d643d020aee40d447cb219e5118e00f4deaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\icontiny.png

Filesize
833B

MD5
f1fd349b745a1c957430d12dacdac561

SHA1
a8e9cf6e7c5cb6c0e8f51f8ce8bb9e92c77d2732

SHA256
e68391f5fa3ca80194e4927c1e6cae96770b57483073298dc84dfe3078657773

SHA512
8e935cb92e2186231ecc312430e176bc76e72c37d080db10d51aa873afdc7780abbb5e96a047b088f0cb203ce3531d94a0d95cb9ccbcc207988be6ca3c4e4cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\questionmark.png

Filesize
522B

MD5
7be8946e99ece93018a7cfa891a77e1c

SHA1
a0b91fd784827a8288f20d5140daaaecb1552d81

SHA256
ecd3aaf4960e067f0cc07b4783eb9257218e5f780eea59fa08951f14dda00b34

SHA512
c953ae0cfe20ed82cb25047266dc355903b80622eef1e91d24ff0fd931f0e325131539d107c0896e6ff10963d9eb8251f99c4d4656d94a1c391df24a2571d10c

Download Submit