3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165

Analysis

max time kernel
138s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
Size

4.6MB
MD5

b8ac49667464ad404f0ae0fc225e7c2f
SHA1

0a899fb874cb4569187d860fe2cb12995e859f57
SHA256

3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165
SHA512

eb8478650891c54d498f39eecac5a9c65edb644e00d87961096d3fa1a581b5337e89debd761e9990a4d5ea10156d8487ab9b6f66eac82a67301f1ef1c258941c
SSDEEP

98304:JlU6DzSBVDfy19E78A8ULgsKPYHx6CHfya2KyyIiywFu0UfYFkxF/Xa05EVc:rHDza9/PwPk6CKa2Ky6Fi8kxhKoG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4780	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2880	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3232	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
3232	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
4780	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
4780	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3472	3232	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe	91
PID 3232 wrote to memory of 3472	3232	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe	91
PID 3232 wrote to memory of 3472	3232	3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe	91
PID 3472 wrote to memory of 2880	3472	cmd.exe	93
PID 3472 wrote to memory of 2880	3472	cmd.exe	93
PID 3472 wrote to memory of 2880	3472	cmd.exe	93
PID 3472 wrote to memory of 4780	3472	cmd.exe	94
PID 3472 wrote to memory of 4780	3472	cmd.exe	94
PID 3472 wrote to memory of 4780	3472	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
"C:\Users\Admin\AppData\Local\Temp\3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\3f441b28fba8843a8aa7f2e34b233fb15e8567935ae1de2e74291b71d67ad165.exe
    "C:\Users\Admin\AppData\Local\Temp\3F441B~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32.lib

Filesize
1.5MB

MD5
403a186621b089375b38612479d1a17b

SHA1
8406bf8f120315960501279c84157b5893d7048e

SHA256
2999476ed2a1567f4b21b1d84f0d2911d3c57c289e52eebfc8e9fcc6d81a6a6c

SHA512
b315caed536db7254042ca55e31290255d2c185c824ec0caf9d5b82367a0d69ac05a04f545a6c003eab476d589d2bbe715c864f4cbec3a296275031ee93f4710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
9c058b6a422f40b397e54221776d22c8

SHA1
478da247928431de4a9ce0af06f7b23c0ec0ee8c

SHA256
b7f500e1beca9810f0de92db6fc24dcece4c50a383f93771599303b08964c7c2

SHA512
ecdaa5a039474a62f04b2f1b35a1bb77d1d0a0a9bf2783605f30af9e43ae56c11cd530065286efa16626780e69073c478d80f0e0cad59070e15a34ee837e2eb2

Download Submit
memory/3232-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/4780-10-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download