99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837

Analysis

max time kernel
143s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
Size

13.3MB
MD5

f94d7078d1ec1209770f75bb799e58f2
SHA1

85467027bf8225e4dca9cb005b8f83b0b4488a8a
SHA256

99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837
SHA512

d93d2f90a73d1860e2989117d8179f8bd684ff757e82eff51a5f2c1650ea0f46e8dac1e9ec41133a1454473575fe4e3c109cf5a792ab8a5f3dea4720da400078
SSDEEP

196608:989duCvh7pQoXhQET1AIxGJYJbaogx2gEgvOE:wuy7p7XhN5aaHgYgME

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
2140	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
2140	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4796	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
2140	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
2140	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3620	4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe	89
PID 4316 wrote to memory of 3620	4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe	89
PID 4316 wrote to memory of 3620	4316	99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe	89
PID 3620 wrote to memory of 4796	3620	cmd.exe	91
PID 3620 wrote to memory of 4796	3620	cmd.exe	91
PID 3620 wrote to memory of 4796	3620	cmd.exe	91
PID 3620 wrote to memory of 2140	3620	cmd.exe	92
PID 3620 wrote to memory of 2140	3620	cmd.exe	92
PID 3620 wrote to memory of 2140	3620	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
"C:\Users\Admin\AppData\Local\Temp\99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\99262cd7473b43a29f8f487cae4232ba864130c89ad4555a3a2d5609ee772837.exe
    "C:\Users\Admin\AppData\Local\Temp\99262C~1.EXE"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3924,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
60c661d9bd85c2bee61cb741674f1727

SHA1
93d6ce537704acdc84960e6f9e90b2cb71fb8de8

SHA256
c3bd534c4ec4521cb27172fed93151d11f124bff50d9918e57f542e20f51eff4

SHA512
505cbe0f2c51aa6f796bcfc861ad3499409f2a03ac02753a47425dbbc4fdd4b0e94fb488229539224996f7bbff1a37107b1e74321231640bce1cb6ce74367c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57ed2f.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
memory/2140-35-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download