d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06

General

Target

d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
Size

13.4MB
MD5

61e6d5765237248a8b49b35b28708dd3
SHA1

9f84e08123cee27d499cc96bbca0fdf4cf2a0d5b
SHA256

d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06
SHA512

1f1caeb402c0286eae219b34f8f1735a82b34c46ce5765145506e908ebd309a33549a3f8eae08b4afc0e7a8a02f905e1afc4c0d36e4efa019ad94e3bf632fdc2
SSDEEP

196608:P89duCvh7pQoXhQET1AIxGJYJbaogx2gHODB0:Cuy7p7XhN5aaHgYgHOO

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2652	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2652	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2624	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2652	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
2652	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2820	2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe	30
PID 2276 wrote to memory of 2820	2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe	30
PID 2276 wrote to memory of 2820	2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe	30
PID 2276 wrote to memory of 2820	2276	d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe	30
PID 2820 wrote to memory of 2624	2820	cmd.exe	32
PID 2820 wrote to memory of 2624	2820	cmd.exe	32
PID 2820 wrote to memory of 2624	2820	cmd.exe	32
PID 2820 wrote to memory of 2624	2820	cmd.exe	32
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33
PID 2820 wrote to memory of 2652	2820	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
"C:\Users\Admin\AppData\Local\Temp\d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\d3b9808583d07f78158735c7bb2f6ddef39f182fd7426ae1dcea3b55179ffb06.exe
    "C:\Users\Admin\AppData\Local\Temp\D3B980~1.EXE"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
a706d88629c48cdf0f15288ad2776dff

SHA1
65c8f0285f72f2cd8d3c573dc6d380dc87093047

SHA256
4322a8f70a2295c600c6972ea970345e4e021b5b20e4514ec8c8b2c13d043141

SHA512
71523447e54623dc264f9b8aecf9557f2f3bcf37117c84010982a20947021d5175ac77d88c6d400289efa57b67cd2077fe8b2a72a1a7d3b0e110beea8a3e388d

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
\Users\Admin\AppData\Local\Temp\f76840e.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
memory/2652-35-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads