9720d0d34f9fcfa8c9e545e3e0955b31bbd445aa090de66c5a7c311b1eb703ac

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PeaceSetup (1).exe
Size

27.8MB
MD5

fb112a6877b0fbc83cafd9aa8e4756dd
SHA1

13ef04db679020fb6cf88c24d75cd4196d80019d
SHA256

9720d0d34f9fcfa8c9e545e3e0955b31bbd445aa090de66c5a7c311b1eb703ac
SHA512

d89de938183d5ef2354fd5fd51916fdaf39e7d67c5dd8dc20d0fd9d98d4bf048321203b38aded3d3d464cc2058efc341dc022fe93960c0018e3a1ecb8409bc08
SSDEEP

786432:DXAjhH8t+KcYa1y6LNWmCgSYg1sSDOzr71ff4Fr7R:DXAjKSZ9WISH1muFrN

Score

5^/10

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0031000000014665-407.dat	autoit_exe

Loads dropped DLL 2 IoCs

pid	Process
2388	PeaceSetup (1).exe
2388	PeaceSetup (1).exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PeaceSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PeaceSetup (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	PeaceSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	PeaceSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	PeaceSetup (1).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	PeaceSetup (1).exe

C:\Users\Admin\AppData\Local\Temp\PeaceSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\PeaceSetup (1).exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peace.chm

Filesize
614KB

MD5
a9ce5d70d57c920eb0d78193e132615e

SHA1
4e994f7d8685aca494ef4756a4a863d101b4dff5

SHA256
c5e3be2e45d7a9ab6d6e34d82c823c16b326e0b2e04f335457670f24a7863b2f

SHA512
b54088d99f3e73c9ce80f330e7b29102048ec17ab46896ac509c3b668c5f486704b11862ed38783aa154b6ff28647b621f30b74e03a184d52e4ebe82605e3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2372.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YouTube.png

Filesize
1KB

MD5
e475abb25afd7b4b9fff2b0a40a7dab1

SHA1
70ecf5241076808be3241f24b58b927fdc8cb468

SHA256
a93a425b641c1dfbf83addfeaf1e7438d571cb49ce617ba863c1c9b1b8b36c27

SHA512
3b717580a89cba780c8172af28faece249500450680000159983f81a38cbc72e2d1b89663551c70d6adc2433b22fba33725aeeec5b27c8d54c43bfa0347bba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\arrow.png

Filesize
574B

MD5
735f5e92b74c67eda5184bbc44879cc3

SHA1
4a2ae1a7b39335c4bdcd133611e964b214ccbc18

SHA256
3e4a7dab25f24d23f3cbbfa55d2d033d4f92cfb8ff911fb9bb1aa6e12c16e69c

SHA512
5f2baceb0e3a02f22b08fd2bd7446f439672080ef85136e5ac23cd5718f683304b12a38320c196c0209faec4c0e4f6c8e427e775aabfa5fa7fb78b5506e9fe58

Download Submit
C:\Users\Admin\AppData\Local\Temp\download.png

Filesize
459B

MD5
f355635b69fd5227ff80925ac6c6bd60

SHA1
42f2757798093ae40ef4392798589c0eafe93e6d

SHA256
b1940b89f14666a26330f483b8af2a549b3d5d313c6edc2bd38e8f3f1bf47481

SHA512
187b701c112c69ec3ab1fc0bc330d3b6c71bdc34c829ed749d209b153935c15746b2aba7c6ebf900154b275d1c6441a33d6a00e53e597eca673a8aefde185964

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.png

Filesize
1KB

MD5
f25f6987af090a2ee15a588e5a038fec

SHA1
7f6db7d8b50ecf1629d5945b1032abbe5618c7a0

SHA256
13fe33490556ee3474755f66c56bac856a5713bc496f8dd21b42ea9c06655cdf

SHA512
eeb2113ad5957ffa2cc0cb23d06d23ad62851a8fceaf185f3875cebda009df10f57d68c86af373b41609f6d02445d643d020aee40d447cb219e5118e00f4deaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\icontiny.png

Filesize
833B

MD5
f1fd349b745a1c957430d12dacdac561

SHA1
a8e9cf6e7c5cb6c0e8f51f8ce8bb9e92c77d2732

SHA256
e68391f5fa3ca80194e4927c1e6cae96770b57483073298dc84dfe3078657773

SHA512
8e935cb92e2186231ecc312430e176bc76e72c37d080db10d51aa873afdc7780abbb5e96a047b088f0cb203ce3531d94a0d95cb9ccbcc207988be6ca3c4e4cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\questionmark.png

Filesize
522B

MD5
7be8946e99ece93018a7cfa891a77e1c

SHA1
a0b91fd784827a8288f20d5140daaaecb1552d81

SHA256
ecd3aaf4960e067f0cc07b4783eb9257218e5f780eea59fa08951f14dda00b34

SHA512
c953ae0cfe20ed82cb25047266dc355903b80622eef1e91d24ff0fd931f0e325131539d107c0896e6ff10963d9eb8251f99c4d4656d94a1c391df24a2571d10c

Download Submit
\Users\Admin\AppData\Local\Temp\CurrentPeace.exe

Filesize
12.0MB

MD5
177949d6efa759ec93680a369d3d21cd

SHA1
c37fb401cd8d737ff37a1116728628b2c3700444

SHA256
969d0bcb66e75e062af23425beffe3dcd106716157968bb38837182e3394a4a1

SHA512
63564d48c5ae4853f091335b3dd2448153016d73e2c4dfd50ab2e1d31e67379efe4057076fafb95081188ddb54bf5ea4159446052eef9280246a1e433caa4382

Download Submit