855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
Size

14.9MB
MD5

eea0369bef25e7cd0d4b279120288304
SHA1

66bc8213d21468521e080e1cd6bb2a3d46305d81
SHA256

855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a
SHA512

e1ca7abc801ef4e001d48dca5f84cdc6124b28adc3aefd6500233b7283c5211c37f428939ffbf32abec37b4547731601bcc83fee1778c27ff57c7e05dd681dd9
SSDEEP

196608:DzwoVmUuCvh7pQoXhQET1AIx53YJbaogxWVmT7smxHymxg/H:nVmUuy7p7XhN5VIHgkVmDS/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
372	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
372	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4628	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
372	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
372	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 2704	4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe	86
PID 4428 wrote to memory of 2704	4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe	86
PID 4428 wrote to memory of 2704	4428	855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe	86
PID 2704 wrote to memory of 4628	2704	cmd.exe	89
PID 2704 wrote to memory of 4628	2704	cmd.exe	89
PID 2704 wrote to memory of 4628	2704	cmd.exe	89
PID 2704 wrote to memory of 372	2704	cmd.exe	92
PID 2704 wrote to memory of 372	2704	cmd.exe	92
PID 2704 wrote to memory of 372	2704	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
"C:\Users\Admin\AppData\Local\Temp\855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\855f5349944fe942a56cb7a360e7b948a6ee203334e2ff43a09eb2ed669a8f7a.exe
    "C:\Users\Admin\AppData\Local\Temp\855F53~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\MICROSOFT\WINDOWS\FONTS\FONT_TEMP.TTF

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230725.lib

Filesize
1.6MB

MD5
a081782e61d769dcd299bb7672aed743

SHA1
78d4795bb43ad2b949192b09987b17eba156dced

SHA256
34ece32d4bf3dab02772326afd2e5d8d1f28d7c5be6379c3d40875a03345bafa

SHA512
e7384eab27e866284071709f90097db8a6bc630d5dee8b102a0f4a6b9af9a70797209bd50d00ed28899ee4628b937f44cf2eb8d5518562b3c37925ad53704ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230725.lib

Filesize
1.6MB

MD5
a081782e61d769dcd299bb7672aed743

SHA1
78d4795bb43ad2b949192b09987b17eba156dced

SHA256
34ece32d4bf3dab02772326afd2e5d8d1f28d7c5be6379c3d40875a03345bafa

SHA512
e7384eab27e866284071709f90097db8a6bc630d5dee8b102a0f4a6b9af9a70797209bd50d00ed28899ee4628b937f44cf2eb8d5518562b3c37925ad53704ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230725.lib

Filesize
1.6MB

MD5
a081782e61d769dcd299bb7672aed743

SHA1
78d4795bb43ad2b949192b09987b17eba156dced

SHA256
34ece32d4bf3dab02772326afd2e5d8d1f28d7c5be6379c3d40875a03345bafa

SHA512
e7384eab27e866284071709f90097db8a6bc630d5dee8b102a0f4a6b9af9a70797209bd50d00ed28899ee4628b937f44cf2eb8d5518562b3c37925ad53704ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
9b263161e71f6ad5c31f3ad7345a1d96

SHA1
401449014740c93b8d7e5be89ee2ebee6394f2c7

SHA256
5a7b5a7fb74399e9464119a80a66a9811d345315b398bd802117ead7745b7fb2

SHA512
d3e9e22a7d39af4409b7cbe6baf91ca9b2d6e05038e18c7265aecc4f51a5e2ed99ebaa42ef040f86cb8b87abe1901f430977d714b3ab9733cbd42dd52e1162ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57802c.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\e580441.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\e580441.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\WINDOWS\FONTS\FONT_TEMP.TTF

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
memory/372-33-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download