720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a

General

Target

720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
Size

13.2MB
MD5

6de2b5d5555476a25053d065baf4658e
SHA1

5c5b4b013ee9ef3a4f24fdda583f10d5c4bd875a
SHA256

720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a
SHA512

366edbf27f300d3dfa74c9c155a0cd2d573e4efa0bf23a4b7af4d115db2db7d190f09b7efd16ddf82450322ff1005986ee8b60d87169ba1421a9788aa6617e6c
SSDEEP

196608:d89duCvh7pQoXhQET1AIxGJYJbaogx2gshbfoj9e:Quy7p7XhN5aaHgYgsk9e

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2592	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2592	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2620	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2592	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
2592	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2636	2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe	28
PID 2172 wrote to memory of 2636	2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe	28
PID 2172 wrote to memory of 2636	2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe	28
PID 2172 wrote to memory of 2636	2172	720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe	28
PID 2636 wrote to memory of 2620	2636	cmd.exe	30
PID 2636 wrote to memory of 2620	2636	cmd.exe	30
PID 2636 wrote to memory of 2620	2636	cmd.exe	30
PID 2636 wrote to memory of 2620	2636	cmd.exe	30
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31
PID 2636 wrote to memory of 2592	2636	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
"C:\Users\Admin\AppData\Local\Temp\720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\720254610a9d4be3b904b54691e4c2d97a4a2aa4638b8acc443417f444639c6a.exe
    "C:\Users\Admin\AppData\Local\Temp\720254~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
d2a87cea1c7800bb23fb84fb3ff24fad

SHA1
8f26cfd6b84de8952d55991f80ac29a3bb0de3f3

SHA256
9860da4f43dc0c71c7f4504c325cf5a954eb031340dbf30d895d587eacf68c85

SHA512
05138d41bb61a24b1c0c9f3d7d5123a50608398c2d843e36ddcf5a74b4551f85f21028b6ec0c50ebb445fb2a2fba117b4374576b81d2bec553708bfef82a8ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
\Users\Admin\AppData\Local\Temp\f76163f.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
memory/2592-35-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing