Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 04:21
Static task: static1
Behavioral task: behavioral1
- Sample: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
- Resource: win10v2004-20220414-en
General
- Target: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
- Size: 47KB
- MD5: 541dce93da456fd7830cda46a9d07941
- SHA1: b08b3bfd5556f18b8c696925146985a86ee72fdd
- SHA256: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8
- SHA512: 6d2164e340691b2ba8cba81979d7fe403739290a583fdeaee7ead5c9b94bc5e0d025d1943df559e1a01ea2e700aa2513c7ad8bd742524d2370c54d644769a3e2
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 1304, process fontdrvhost.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2a55ad550e466e179f88a710a29a16af.exe (process: fontdrvhost.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2a55ad550e466e179f88a710a29a16af.exe (process: fontdrvhost.exe)
- Loads dropped DLL (1 IoCs)
  Processes:
  - pid 1684, process 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af = "\"C:\\Users\\Admin\\AppData\\Roaming\\fontdrvhost.exe\" .." (process: fontdrvhost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2a55ad550e466e179f88a710a29a16af = "\"C:\\Users\\Admin\\AppData\\Roaming\\fontdrvhost.exe\" .." (process: fontdrvhost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 1304, process fontdrvhost.exe
  - Token: 33, pid 1304, process fontdrvhost.exe (9 times)
  - Token: SeIncBasePriorityPrivilege, pid 1304, process fontdrvhost.exe (9 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1684 wrote to memory of 1304: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe -> fontdrvhost.exe (4 times)
  - PID 1304 wrote to memory of 1452: fontdrvhost.exe -> netsh.exe (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe" "fontdrvhost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
  Filesize: 47KB
  MD5: 541dce93da456fd7830cda46a9d07941
  SHA1: b08b3bfd5556f18b8c696925146985a86ee72fdd
  SHA256: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8
  SHA512: 6d2164e340691b2ba8cba81979d7fe403739290a583fdeaee7ead5c9b94bc5e0d025d1943df559e1a01ea2e700aa2513c7ad8bd742524d2370c54d644769a3e2
- \Users\Admin\AppData\Roaming\fontdrvhost.exe
  Filesize: 47KB
  MD5: 541dce93da456fd7830cda46a9d07941
  SHA1: b08b3bfd5556f18b8c696925146985a86ee72fdd
  SHA256: 3b8c6f0033980eed8f86a029be14ff32c32f535c4bdaeb5c5f857236722ac9c8
  SHA512: 6d2164e340691b2ba8cba81979d7fe403739290a583fdeaee7ead5c9b94bc5e0d025d1943df559e1a01ea2e700aa2513c7ad8bd742524d2370c54d644769a3e2
- memory/1304-57-0x0000000000000000-mapping.dmp
- memory/1304-62-0x00000000744F0000-0x0000000074A9B000-memory.dmp (Filesize: 5.7MB)
- memory/1304-65-0x00000000744F0000-0x0000000074A9B000-memory.dmp (Filesize: 5.7MB)
- memory/1452-63-0x0000000000000000-mapping.dmp
- memory/1684-54-0x00000000752D1000-0x00000000752D3000-memory.dmp (Filesize: 8KB)
- memory/1684-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp (Filesize: 5.7MB)
- memory/1684-61-0x00000000744F0000-0x0000000074A9B000-memory.dmp (Filesize: 5.7MB)