e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Size

223KB
MD5

ec73dbb23e5a3111a11b32055688a749
SHA1

18c3e84e7060927d922ba66e81dee61b87f7ac76
SHA256

e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622
SHA512

91ea5d1fcf956b6f50d3ee4dfa2e7d8b7429018b2d0203f5b6330d347a8306002c861345d84fdc03db9df212c3f5cb88e682890fffa552b8d1bb1c724c9558a0
SSDEEP

6144:mwPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:mOuW5o/oVU1r5w

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3364 created 616	3364	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Xs3wnTgu.sys	fontview.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	fontview.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x00000000009C0000-0x0000000000A2E000-memory.dmp	upx
behavioral2/memory/4816-18-0x00000000009C0000-0x0000000000A2E000-memory.dmp	upx
behavioral2/memory/4816-32-0x00000000009C0000-0x0000000000A2E000-memory.dmp	upx
behavioral2/memory/4816-53-0x00000000009C0000-0x0000000000A2E000-memory.dmp	upx
behavioral2/files/0x0006000000022cfc-72.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	fontview.exe
File created	C:\Windows\system32\ \Windows\System32\xH8Ykh.sys	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	fontview.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	fontview.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\i2VpxX.sys	fontview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	fontview.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2876	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	fontview.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	fontview.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	fontview.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	fontview.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fontview.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	fontview.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	fontview.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fontview.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	fontview.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
3364	Explorer.EXE
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe
2752	fontview.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3364	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Token: SeTcbPrivilege	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Token: SeDebugPrivilege	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Token: SeDebugPrivilege	3364	Explorer.EXE
Token: SeDebugPrivilege	3364	Explorer.EXE
Token: SeDebugPrivilege	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Token: SeDebugPrivilege	2752	fontview.exe
Token: SeDebugPrivilege	2752	fontview.exe
Token: SeDebugPrivilege	2752	fontview.exe
Token: SeIncBasePriorityPrivilege	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
Token: SeShutdownPrivilege	3364	Explorer.EXE
Token: SeCreatePagefilePrivilege	3364	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3364	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3364	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	56
PID 4816 wrote to memory of 3364	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	56
PID 4816 wrote to memory of 3364	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	56
PID 4816 wrote to memory of 3364	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	56
PID 4816 wrote to memory of 3364	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	56
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 3364 wrote to memory of 2752	3364	Explorer.EXE	91
PID 4816 wrote to memory of 616	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	3
PID 4816 wrote to memory of 616	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	3
PID 4816 wrote to memory of 616	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	3
PID 4816 wrote to memory of 616	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	3
PID 4816 wrote to memory of 616	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	3
PID 4816 wrote to memory of 4124	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	96
PID 4816 wrote to memory of 4124	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	96
PID 4816 wrote to memory of 4124	4816	e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe	96
PID 4124 wrote to memory of 2876	4124	cmd.exe	98
PID 4124 wrote to memory of 2876	4124	cmd.exe	98
PID 4124 wrote to memory of 2876	4124	cmd.exe	98

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\ProgramData\Microsoft\fontview.exe
  "C:\ProgramData\Microsoft\fontview.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe
  "C:\Users\Admin\AppData\Local\Temp\e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\e0f6dd6b38bd10795ef8e02d68b60efff340f7f2e0db42d3a92418f698861622.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\fontview.exe

Filesize
120KB

MD5
c07c4f59ea1a3795cec526582a5dd7c2

SHA1
6d2ef5fed901af5761a92e1359461b975a1399dd

SHA256
551d7d1047ab302edf713deb2ac82afa9ca89aaa41a6557721d23721c873bc55

SHA512
0c6125204d9de0346307c80e11b9917d9a548a998cd0e426c0bc553e23542605acdba70951ecd4cd147a5d7972834fad545131de1dfd15c8005c0a00e609f95d

Download Submit
C:\ProgramData\Microsoft\fontview.exe

Filesize
120KB

MD5
c07c4f59ea1a3795cec526582a5dd7c2

SHA1
6d2ef5fed901af5761a92e1359461b975a1399dd

SHA256
551d7d1047ab302edf713deb2ac82afa9ca89aaa41a6557721d23721c873bc55

SHA512
0c6125204d9de0346307c80e11b9917d9a548a998cd0e426c0bc553e23542605acdba70951ecd4cd147a5d7972834fad545131de1dfd15c8005c0a00e609f95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\834c3392.tmp

Filesize
14.1MB

MD5
a7ef23896bd75e4cf69595d10cac31ac

SHA1
6882cc47f35317decd34213a550473c6aa83a908

SHA256
3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c

SHA512
1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c

Download Submit
memory/616-62-0x000002BC3B420000-0x000002BC3B448000-memory.dmp

Filesize
160KB

Download
memory/616-19-0x000002BC3B460000-0x000002BC3B461000-memory.dmp

Filesize
4KB

Download
memory/616-17-0x000002BC3B420000-0x000002BC3B448000-memory.dmp

Filesize
160KB

Download
memory/2752-63-0x000002C97E310000-0x000002C97E4D5000-memory.dmp

Filesize
1.8MB

Download
memory/2752-59-0x000002C97D980000-0x000002C97D981000-memory.dmp

Filesize
4KB

Download
memory/2752-13-0x000002C97D250000-0x000002C97D31B000-memory.dmp

Filesize
812KB

Download
memory/2752-12-0x00007FFBA6EC0000-0x00007FFBA6ED0000-memory.dmp

Filesize
64KB

Download
memory/2752-14-0x000002C97B830000-0x000002C97B831000-memory.dmp

Filesize
4KB

Download
memory/2752-82-0x000002C97D520000-0x000002C97D522000-memory.dmp

Filesize
8KB

Download
memory/2752-81-0x000002C97E310000-0x000002C97E4D5000-memory.dmp

Filesize
1.8MB

Download
memory/2752-80-0x000002C97D990000-0x000002C97D991000-memory.dmp

Filesize
4KB

Download
memory/2752-79-0x000002C97D980000-0x000002C97D981000-memory.dmp

Filesize
4KB

Download
memory/2752-48-0x00007FFBA6EC0000-0x00007FFBA6ED0000-memory.dmp

Filesize
64KB

Download
memory/2752-49-0x000002C97D510000-0x000002C97D511000-memory.dmp

Filesize
4KB

Download
memory/2752-78-0x000002C97D520000-0x000002C97D521000-memory.dmp

Filesize
4KB

Download
memory/2752-74-0x000002C97E310000-0x000002C97E4D5000-memory.dmp

Filesize
1.8MB

Download
memory/2752-67-0x000002C97D510000-0x000002C97D511000-memory.dmp

Filesize
4KB

Download
memory/2752-56-0x000002C97D520000-0x000002C97D521000-memory.dmp

Filesize
4KB

Download
memory/2752-57-0x000002C97D980000-0x000002C97D981000-memory.dmp

Filesize
4KB

Download
memory/2752-58-0x000002C97D520000-0x000002C97D521000-memory.dmp

Filesize
4KB

Download
memory/2752-10-0x000002C97D250000-0x000002C97D31B000-memory.dmp

Filesize
812KB

Download
memory/2752-61-0x000002C97B830000-0x000002C97B831000-memory.dmp

Filesize
4KB

Download
memory/2752-60-0x000002C97D250000-0x000002C97D31B000-memory.dmp

Filesize
812KB

Download
memory/2752-65-0x000002C97E260000-0x000002C97E261000-memory.dmp

Filesize
4KB

Download
memory/2752-64-0x000002C97D520000-0x000002C97D522000-memory.dmp

Filesize
8KB

Download
memory/3364-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3364-2-0x0000000002D30000-0x0000000002D33000-memory.dmp

Filesize
12KB

Download
memory/3364-55-0x00000000086A0000-0x0000000008799000-memory.dmp

Filesize
996KB

Download
memory/3364-1-0x0000000002D30000-0x0000000002D33000-memory.dmp

Filesize
12KB

Download
memory/3364-54-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/3364-3-0x0000000002D30000-0x0000000002D33000-memory.dmp

Filesize
12KB

Download
memory/3364-5-0x00000000086A0000-0x0000000008799000-memory.dmp

Filesize
996KB

Download
memory/4816-0-0x00000000009C0000-0x0000000000A2E000-memory.dmp

Filesize
440KB

Download
memory/4816-53-0x00000000009C0000-0x0000000000A2E000-memory.dmp

Filesize
440KB

Download
memory/4816-32-0x00000000009C0000-0x0000000000A2E000-memory.dmp

Filesize
440KB

Download
memory/4816-18-0x00000000009C0000-0x0000000000A2E000-memory.dmp

Filesize
440KB

Download