e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825

General

Target

e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
Size

13.2MB
MD5

fe54ab914e5ae87082b517a27be6b431
SHA1

f5de0a7dc82b95f96595c0a1f91b39562ab35121
SHA256

e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825
SHA512

3b8d1a3d0b2b88e52460eeedfea988346d5a30dd9f99b56b5a133b1adb137cbd612ac5d4224fc5537492aa8f637aa29adcc2f00869c3733f70683b9c78948aca
SSDEEP

196608:m89duCvh7pQoXhQET1AIxGJYJbaogx2gfa92:Vuy7p7XhN5aaHgYgf

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
112	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
112	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\font_temp.ttf	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
File opened for modification	C:\Windows\Fonts\font_temp.ttf	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2268	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2268	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
112	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
112	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2176	2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe	86
PID 2372 wrote to memory of 2176	2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe	86
PID 2372 wrote to memory of 2176	2372	e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe	86
PID 2176 wrote to memory of 2268	2176	cmd.exe	88
PID 2176 wrote to memory of 2268	2176	cmd.exe	88
PID 2176 wrote to memory of 2268	2176	cmd.exe	88
PID 2176 wrote to memory of 112	2176	cmd.exe	89
PID 2176 wrote to memory of 112	2176	cmd.exe	89
PID 2176 wrote to memory of 112	2176	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
"C:\Users\Admin\AppData\Local\Temp\e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Restart.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\e5bcd7b5a1b2fa6caf71df71db93c5f8f6493039347ecc662c921b8882ca4825.exe
    "C:\Users\Admin\AppData\Local\Temp\E5BCD7~1.EXE"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230819.lib

Filesize
1.6MB

MD5
a1df3b7884c175c967505a589ba51da2

SHA1
7aaf570e41a00149134973d00f4efc09c4b650c2

SHA256
c16014329cf6f242a525f6782dd10f6a4d0ff6f97239710fdc45522f5c6da525

SHA512
12b8bd05fd9bec79d643edb503634b8b5238c67c77ddd8d2c3220406c08b1e6197e8aff02c709e353bc4ce9353a6709837b81ca443660250d94e73c00d66f451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restart.bat

Filesize
113B

MD5
12dab9192526fbd40ee4b189d7a62e79

SHA1
46e6436092b59df8a9f7952e9539cfd4d520521b

SHA256
5d9a4994974caadef164af5913f2c980c03f4e9748d1792b0caaa2f07d23ae2b

SHA512
42cfb1b5e79fc31cc3720625e6e260cb81c66574ef2821ab10fc15ce3a608976504239276c2315484b8493e308696fa8ff4c1c7e8c8769d2df6aafef20d8cc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5788c7.tmp

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\font_temp.ttf

Filesize
8.0MB

MD5
092a99ee52bbaef7481cc96c5b85b992

SHA1
06b8475f99605af9ff9ff3ed1d0eb907fd57c06b

SHA256
b3f675ccfc65edd6f27432dec6639b1414e9dc627831791263a99e2d711d215d

SHA512
3538cebe1c0e2439c7ba289c4420627d59b4922e26242408f114aa01d342734b057d92edac35bee7c47cb926091695efc6c560802db0cd342f75cee1f8b96baf

Download Submit
memory/112-35-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads