Malware Analysis Report

2025-04-13 21:39

Sample ID 240825-lkdk8syglj
Target ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497
SHA256 ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497

Threat Level: Shows suspicious behavior

The file ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 09:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win7-20240704-en

Max time kernel

142s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\font_temp.ttf C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A
File created C:\Windows\Fonts\font_temp.ttf C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2292 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2292 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2292 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
PID 2292 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe

"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe

"C:\Users\Admin\AppData\Local\Temp\CCF774~1.EXE"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

MD5 a1df3b7884c175c967505a589ba51da2
SHA1 7aaf570e41a00149134973d00f4efc09c4b650c2
SHA256 c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525
SHA512 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

\Users\Admin\AppData\Local\Temp\f769e61.tmp

MD5 56a2bcecbd3cddd6f4a35361bf4920d6
SHA1 992e63be423f0e61093ba183f49fc0cbec790488
SHA256 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
SHA512 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

MD5 092a99ee52bbaef7481cc96c5b85b992
SHA1 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b
SHA256 b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d
SHA512 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

C:\Users\Admin\AppData\Local\Temp\Restart.bat

MD5 031de4a2bc4df456bb84ccc9dc56069e
SHA1 e76c465636c3222fb4b496262e1aaf7f07372852
SHA256 e2c526a38bcb3974eff6e1f8e662541895b4228561e0930bfae374f76846d290
SHA512 2bc90aabeeb172798ee7942a42b076e3645ae134b8030c7720c8c37ea6f1fdb03dafc57ab8cb56757fd88cb4106c3117bfc4a63f4169f7c30ec1921a26b704aa

memory/2768-35-0x0000000061080000-0x0000000061119000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:35

Reported

2024-08-25 09:37

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\font_temp.ttf C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A
File opened for modification C:\Windows\Fonts\font_temp.ttf C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe

"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe

"C:\Users\Admin\AppData\Local\Temp\CCF774~1.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

MD5 a1df3b7884c175c967505a589ba51da2
SHA1 7aaf570e41a00149134973d00f4efc09c4b650c2
SHA256 c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525
SHA512 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

C:\Users\Admin\AppData\Local\Temp\e57a22b.tmp

MD5 56a2bcecbd3cddd6f4a35361bf4920d6
SHA1 992e63be423f0e61093ba183f49fc0cbec790488
SHA256 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
SHA512 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

MD5 092a99ee52bbaef7481cc96c5b85b992
SHA1 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b
SHA256 b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d
SHA512 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

C:\Users\Admin\AppData\Local\Temp\Restart.bat

MD5 031de4a2bc4df456bb84ccc9dc56069e
SHA1 e76c465636c3222fb4b496262e1aaf7f07372852
SHA256 e2c526a38bcb3974eff6e1f8e662541895b4228561e0930bfae374f76846d290
SHA512 2bc90aabeeb172798ee7942a42b076e3645ae134b8030c7720c8c37ea6f1fdb03dafc57ab8cb56757fd88cb4106c3117bfc4a63f4169f7c30ec1921a26b704aa

memory/2960-35-0x0000000061080000-0x0000000061119000-memory.dmp