Analysis Overview
SHA256
ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497
Threat Level: Shows suspicious behavior
The file ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win7-20240704-en
Max time kernel
142s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\font_temp.ttf | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
| File created | C:\Windows\Fonts\font_temp.ttf | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
"C:\Users\Admin\AppData\Local\Temp\CCF774~1.EXE"
Network
Files
\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib
| MD5 | a1df3b7884c175c967505a589ba51da2 |
| SHA1 | 7aaf570e41a00149134973d00f4efc09c4b650c2 |
| SHA256 | c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525 |
| SHA512 | 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451 |
\Users\Admin\AppData\Local\Temp\f769e61.tmp
| MD5 | 56a2bcecbd3cddd6f4a35361bf4920d6 |
| SHA1 | 992e63be423f0e61093ba183f49fc0cbec790488 |
| SHA256 | 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab |
| SHA512 | 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551 |
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf
| MD5 | 092a99ee52bbaef7481cc96c5b85b992 |
| SHA1 | 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b |
| SHA256 | b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d |
| SHA512 | 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf |
C:\Users\Admin\AppData\Local\Temp\Restart.bat
| MD5 | 031de4a2bc4df456bb84ccc9dc56069e |
| SHA1 | e76c465636c3222fb4b496262e1aaf7f07372852 |
| SHA256 | e2c526a38bcb3974eff6e1f8e662541895b4228561e0930bfae374f76846d290 |
| SHA512 | 2bc90aabeeb172798ee7942a42b076e3645ae134b8030c7720c8c37ea6f1fdb03dafc57ab8cb56757fd88cb4106c3117bfc4a63f4169f7c30ec1921a26b704aa |
memory/2768-35-0x0000000061080000-0x0000000061119000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:35
Reported
2024-08-25 09:37
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\font_temp.ttf | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
| File opened for modification | C:\Windows\Fonts\font_temp.ttf | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
"C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
C:\Users\Admin\AppData\Local\Temp\ccf774e353d4b62a4c8b50b19317af27e6d29a4d3b4011f84f2878793165d497.exe
"C:\Users\Admin\AppData\Local\Temp\CCF774~1.EXE"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib
| MD5 | a1df3b7884c175c967505a589ba51da2 |
| SHA1 | 7aaf570e41a00149134973d00f4efc09c4b650c2 |
| SHA256 | c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525 |
| SHA512 | 12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451 |
C:\Users\Admin\AppData\Local\Temp\e57a22b.tmp
| MD5 | 56a2bcecbd3cddd6f4a35361bf4920d6 |
| SHA1 | 992e63be423f0e61093ba183f49fc0cbec790488 |
| SHA256 | 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab |
| SHA512 | 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551 |
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf
| MD5 | 092a99ee52bbaef7481cc96c5b85b992 |
| SHA1 | 06b8475f99605af9ff9ff3ed1d0eb907fd57c06b |
| SHA256 | b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d |
| SHA512 | 3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf |
C:\Users\Admin\AppData\Local\Temp\Restart.bat
| MD5 | 031de4a2bc4df456bb84ccc9dc56069e |
| SHA1 | e76c465636c3222fb4b496262e1aaf7f07372852 |
| SHA256 | e2c526a38bcb3974eff6e1f8e662541895b4228561e0930bfae374f76846d290 |
| SHA512 | 2bc90aabeeb172798ee7942a42b076e3645ae134b8030c7720c8c37ea6f1fdb03dafc57ab8cb56757fd88cb4106c3117bfc4a63f4169f7c30ec1921a26b704aa |
memory/2960-35-0x0000000061080000-0x0000000061119000-memory.dmp