c9d5c2b9d43e4b202cbf66559e5e898381e116344e9fda381bcc320c292d7928

General

Target

be8b267b465f1a904e802653ee33dec2.exe
Size

214KB
MD5

be8b267b465f1a904e802653ee33dec2
SHA1

23dd62a541260a09cb60ad22a4581d5b6864ff91
SHA256

c9d5c2b9d43e4b202cbf66559e5e898381e116344e9fda381bcc320c292d7928
SHA512

1b0db5f39d9d0276f568490ed5e860c4c45278d5c425d94df66c25baf31cde7a23d0f51f454cab81d9bdd37ef647fef7f0905982c9a833d4264be870b54cb242
SSDEEP

6144:8PLpKtP/45Z9YwXcaieEMGp0rejOglSTMKqLVR3UZU:mAlcYwXDi3Tp0rnPWR3UZU

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2636 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

pera.exepera.exe

pid process

2652 pera.exe
2912 pera.exe
Loads dropped DLL 2 IoCs

Processes:

be8b267b465f1a904e802653ee33dec2.exe

pid process

1408 be8b267b465f1a904e802653ee33dec2.exe
1408 be8b267b465f1a904e802653ee33dec2.exe

pid	process
2636	cmd.exe

pid	process
2652	pera.exe
2912	pera.exe

pid	process
1408	be8b267b465f1a904e802653ee33dec2.exe
1408	be8b267b465f1a904e802653ee33dec2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1648-0-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/1648-5-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Ohad\pera.exe	upx
behavioral1/memory/1408-19-0x00000000022C0000-0x000000000236C000-memory.dmp	upx
behavioral1/memory/2652-21-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2652-28-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pera.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4B975191-FA3E-4258-B848-26A069146292} = "C:\\Users\\Admin\\AppData\\Roaming\\Ohad\\pera.exe"	pera.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

be8b267b465f1a904e802653ee33dec2.exepera.exe

description	pid	process	target process
PID 1648 set thread context of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 2652 set thread context of 2912	2652	pera.exe	pera.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

be8b267b465f1a904e802653ee33dec2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Privacy	be8b267b465f1a904e802653ee33dec2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	be8b267b465f1a904e802653ee33dec2.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

pera.exe

pid	process
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe
2912	pera.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

be8b267b465f1a904e802653ee33dec2.exe

description	pid	process
Token: SeSecurityPrivilege	1408	be8b267b465f1a904e802653ee33dec2.exe
Token: SeSecurityPrivilege	1408	be8b267b465f1a904e802653ee33dec2.exe
Token: SeSecurityPrivilege	1408	be8b267b465f1a904e802653ee33dec2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

be8b267b465f1a904e802653ee33dec2.exepera.exe

pid process

1648 be8b267b465f1a904e802653ee33dec2.exe
2652 pera.exe

pid	process
1648	be8b267b465f1a904e802653ee33dec2.exe
2652	pera.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be8b267b465f1a904e802653ee33dec2.exebe8b267b465f1a904e802653ee33dec2.exepera.exepera.exe

description	pid	process	target process
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1648 wrote to memory of 1408	1648	be8b267b465f1a904e802653ee33dec2.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1408 wrote to memory of 2652	1408	be8b267b465f1a904e802653ee33dec2.exe	pera.exe
PID 1408 wrote to memory of 2652	1408	be8b267b465f1a904e802653ee33dec2.exe	pera.exe
PID 1408 wrote to memory of 2652	1408	be8b267b465f1a904e802653ee33dec2.exe	pera.exe
PID 1408 wrote to memory of 2652	1408	be8b267b465f1a904e802653ee33dec2.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2652 wrote to memory of 2912	2652	pera.exe	pera.exe
PID 2912 wrote to memory of 1272	2912	pera.exe	taskhost.exe
PID 2912 wrote to memory of 1272	2912	pera.exe	taskhost.exe
PID 2912 wrote to memory of 1272	2912	pera.exe	taskhost.exe
PID 2912 wrote to memory of 1272	2912	pera.exe	taskhost.exe
PID 2912 wrote to memory of 1272	2912	pera.exe	taskhost.exe
PID 2912 wrote to memory of 1344	2912	pera.exe	Dwm.exe
PID 2912 wrote to memory of 1344	2912	pera.exe	Dwm.exe
PID 2912 wrote to memory of 1344	2912	pera.exe	Dwm.exe
PID 2912 wrote to memory of 1344	2912	pera.exe	Dwm.exe
PID 2912 wrote to memory of 1344	2912	pera.exe	Dwm.exe
PID 2912 wrote to memory of 1392	2912	pera.exe	Explorer.EXE
PID 2912 wrote to memory of 1392	2912	pera.exe	Explorer.EXE
PID 2912 wrote to memory of 1392	2912	pera.exe	Explorer.EXE
PID 2912 wrote to memory of 1392	2912	pera.exe	Explorer.EXE
PID 2912 wrote to memory of 1392	2912	pera.exe	Explorer.EXE
PID 2912 wrote to memory of 2192	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2192	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2192	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2192	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2192	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1408	2912	pera.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 2912 wrote to memory of 1408	2912	pera.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 2912 wrote to memory of 1408	2912	pera.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 2912 wrote to memory of 1408	2912	pera.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 2912 wrote to memory of 1408	2912	pera.exe	be8b267b465f1a904e802653ee33dec2.exe
PID 1408 wrote to memory of 2636	1408	be8b267b465f1a904e802653ee33dec2.exe	cmd.exe
PID 1408 wrote to memory of 2636	1408	be8b267b465f1a904e802653ee33dec2.exe	cmd.exe
PID 1408 wrote to memory of 2636	1408	be8b267b465f1a904e802653ee33dec2.exe	cmd.exe
PID 1408 wrote to memory of 2636	1408	be8b267b465f1a904e802653ee33dec2.exe	cmd.exe
PID 2912 wrote to memory of 2636	2912	pera.exe	cmd.exe
PID 2912 wrote to memory of 1660	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1660	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1660	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1660	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1660	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1736	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1736	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1736	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1736	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 1736	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2916	2912	pera.exe	DllHost.exe
PID 2912 wrote to memory of 2916	2912	pera.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1272

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\be8b267b465f1a904e802653ee33dec2.exe
"C:\Users\Admin\AppData\Local\Temp\be8b267b465f1a904e802653ee33dec2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\be8b267b465f1a904e802653ee33dec2.exe
C:\Users\Admin\AppData\Local\Temp\be8b267b465f1a904e802653ee33dec2.exe
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Roaming\Ohad\pera.exe
"C:\Users\Admin\AppData\Roaming\Ohad\pera.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Roaming\Ohad\pera.exe
C:\Users\Admin\AppData\Roaming\Ohad\pera.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp73145964.bat"
4⤵
- Deletes itself
PID:2636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp73145964.bat
Filesize
243B

MD5
0df16c683b139db3b689b029e718b19e

SHA1
231deca79a2a96aa9d10ca30e211bfe8961a0b62

SHA256
84b59cecf29029cee4678a535d43bffc97fee0ba5d514d39c3030dab53c06a7b

SHA512
c6b2c78e3b5e4f52cec8f1cd12dabb043f5706e170b0d990e4ffde18b675af980b41836da7c5128d80e0e313bae89f9c3231a4496021943f1a366e83426a0c75

Download Submit
C:\Users\Admin\AppData\Roaming\Omento\ryto.vee
Filesize
366B

MD5
4e54cec06c816c3fa2bc2ce1c8542143

SHA1
474e6e4b979f7db85029f3fb921762148c1aa25d

SHA256
9e7c7d7e13c42a5ce29eb1a805859b8936046e524c61b086a2520e793f014227

SHA512
1a7bf907fe7adb7ee5ac42d51a2ccc91f21c752201b9edb8db0f09cceef84ff3f2b907f3c8907d2fae9699a6cbd18e6271f9c914cb5d7e6c649c9a4b272c85ab

Download Submit
\Users\Admin\AppData\Roaming\Ohad\pera.exe
Filesize
214KB

MD5
e676a0eaab70f954eec7866ae28effdd

SHA1
c7285a60eb1b46a603a34b8ea97f1636d4593260

SHA256
44fcf3e2c11ccde04d1a42969036cbbec8f82dbdf873d991dcd8fb14983c34ea

SHA512
f9a9d07927c434abe29c8284e9f10264449691a3b0655f02f5703e89cd323032bd7f782742301abd86229e0f006734126d471986217f955261dce4641e63a210

Download Submit
memory/1272-35-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1272-37-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1272-33-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1272-36-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1272-38-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1344-40-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1344-41-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1344-42-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1344-43-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1392-45-0x0000000003950000-0x0000000003977000-memory.dmp

Filesize
156KB

Download
memory/1392-47-0x0000000003950000-0x0000000003977000-memory.dmp

Filesize
156KB

Download
memory/1392-48-0x0000000003950000-0x0000000003977000-memory.dmp

Filesize
156KB

Download
memory/1392-46-0x0000000003950000-0x0000000003977000-memory.dmp

Filesize
156KB

Download
memory/1408-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-83-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-23-0x00000000022C0000-0x000000000236C000-memory.dmp

Filesize
688KB

Download
memory/1408-159-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-158-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-59-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-58-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-60-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-57-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-56-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-153-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-152-0x0000000077E50000-0x0000000077E51000-memory.dmp

Filesize
4KB

Download
memory/1408-151-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1408-19-0x00000000022C0000-0x000000000236C000-memory.dmp

Filesize
688KB

Download
memory/1408-10-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1408-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-75-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-77-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-79-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-81-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1408-85-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1648-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1648-5-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2192-50-0x0000000001BB0000-0x0000000001BD7000-memory.dmp

Filesize
156KB

Download
memory/2192-52-0x0000000001BB0000-0x0000000001BD7000-memory.dmp

Filesize
156KB

Download
memory/2192-53-0x0000000001BB0000-0x0000000001BD7000-memory.dmp

Filesize
156KB

Download
memory/2192-51-0x0000000001BB0000-0x0000000001BD7000-memory.dmp

Filesize
156KB

Download
memory/2652-21-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2652-28-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2912-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2912-176-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads