34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 04:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
Size

13.3MB
MD5

9b88693119d9dfd836c9ca831ef2f664
SHA1

7e28e9c38c67a712573b4c347378ae29f0d5cfb1
SHA256

34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d
SHA512

625f79f6b0ffb4d738a2b0dfedd68fd99245ac6849fb7d177ba9d93b1463917668d8ab34d78138a5a1bb0d803d34ecd99fe26d239df0fbff228215786fb6d8d9
SSDEEP

196608:k89duCvh7pQoXhQET1AIxGJYJbaogx2gIh0bz:Tuy7p7XhN5aaHgYgIuz

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
2668	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
2668	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2660	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
2668	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
2668	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2824	1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe	28
PID 1740 wrote to memory of 2824	1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe	28
PID 1740 wrote to memory of 2824	1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe	28
PID 1740 wrote to memory of 2824	1740	34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe	28
PID 2824 wrote to memory of 2660	2824	cmd.exe	30
PID 2824 wrote to memory of 2660	2824	cmd.exe	30
PID 2824 wrote to memory of 2660	2824	cmd.exe	30
PID 2824 wrote to memory of 2660	2824	cmd.exe	30
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31
PID 2824 wrote to memory of 2668	2824	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
"C:\Users\Admin\AppData\Local\Temp\34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\34fe63cccc54db3dece2671659f93e17bfebc628d48392e37b9d4b5aa1d4d65d.exe
    "C:\Users\Admin\AppData\Local\Temp\34FE63~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
73c9836e2ca765cb637b4219b2c9b8a0

SHA1
c93ee90ba8c122f327199ab512f0569bbfab7ff4

SHA256
556c23a4feea781d5d283c3c820bc54d07b9790b7159a2d7568876df089ee29a

SHA512
e70f253f502332dd575ae96d24fc08893cb7bc9d24fc15ded0d20d3f60c885794454dc1ca9705baae82a3993f3d90df3f96c5d627005b338b715f51e04146dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
73c9836e2ca765cb637b4219b2c9b8a0

SHA1
c93ee90ba8c122f327199ab512f0569bbfab7ff4

SHA256
556c23a4feea781d5d283c3c820bc54d07b9790b7159a2d7568876df089ee29a

SHA512
e70f253f502332dd575ae96d24fc08893cb7bc9d24fc15ded0d20d3f60c885794454dc1ca9705baae82a3993f3d90df3f96c5d627005b338b715f51e04146dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
C:\WINDOWS\FONTS\FONT_TEMP.TTF

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
\Users\Admin\AppData\Local\Temp\f766dc1.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
\Users\Admin\AppData\Local\Temp\f767658.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
memory/2668-35-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download