68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e

Analysis

max time kernel
156s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
Size

1.1MB
MD5

04406580f7a56a97734a4e98222e9361
SHA1

486c6f5cbc0e63ff623aae5508e047b2ed99b1ed
SHA256

68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e
SHA512

69248fb6ac33541cbf0b30bf3db7fc78a97bb6faf401620b40c99b3de0385f714c2a17b007b8d841baa0c7a984432b3c3dde0befcef6434a170a2a7084997d25
SSDEEP

12288:L3N4qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+g:L3N4najQEPnvg6PhWDC750g

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3432	Logo1_.exe
1840	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
File created	C:\Windows\Logo1_.exe	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4952	1840	WerFault.exe	92

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe
3432	Logo1_.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1840	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
1840	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
1840	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
1840	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4440	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	83
PID 4652 wrote to memory of 4440	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	83
PID 4652 wrote to memory of 4440	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	83
PID 4652 wrote to memory of 4032	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	85
PID 4652 wrote to memory of 4032	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	85
PID 4652 wrote to memory of 4032	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	85
PID 4652 wrote to memory of 3432	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	87
PID 4652 wrote to memory of 3432	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	87
PID 4652 wrote to memory of 3432	4652	68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe	87
PID 4440 wrote to memory of 204	4440	net.exe	88
PID 4440 wrote to memory of 204	4440	net.exe	88
PID 4440 wrote to memory of 204	4440	net.exe	88
PID 3432 wrote to memory of 4532	3432	Logo1_.exe	90
PID 3432 wrote to memory of 4532	3432	Logo1_.exe	90
PID 3432 wrote to memory of 4532	3432	Logo1_.exe	90
PID 4532 wrote to memory of 1940	4532	net.exe	91
PID 4532 wrote to memory of 1940	4532	net.exe	91
PID 4532 wrote to memory of 1940	4532	net.exe	91
PID 4032 wrote to memory of 1840	4032	cmd.exe	92
PID 4032 wrote to memory of 1840	4032	cmd.exe	92
PID 4032 wrote to memory of 1840	4032	cmd.exe	92
PID 3432 wrote to memory of 2404	3432	Logo1_.exe	93
PID 3432 wrote to memory of 2404	3432	Logo1_.exe	93
PID 3432 wrote to memory of 2404	3432	Logo1_.exe	93
PID 2404 wrote to memory of 3040	2404	net.exe	95
PID 2404 wrote to memory of 3040	2404	net.exe	95
PID 2404 wrote to memory of 3040	2404	net.exe	95
PID 3432 wrote to memory of 3024	3432	Logo1_.exe	36
PID 3432 wrote to memory of 3024	3432	Logo1_.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2105.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
      "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1404
        5⤵
        Program crash
        
        PID:4952
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops startup file
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1940
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1840 -ip 1840
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2105.bat

Filesize
722B

MD5
d446e4f926f251fff2fb7a64c70d6738

SHA1
2d1a671e2c0ba899813954cd1ce1e66d10f343b7

SHA256
eff6722a97904e80c52ea96be88f14a2ee1ea3bd4f4e11c35b1e64ac1cee13ba

SHA512
d1860070c5acba3ba7a9a3754b5805ad8c4fc66ebc9939b9ca54bc047d3ed70d4437b557f021e2f0e67027e03cf4d74110ebf26b3ca8758309a709a56d89332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe

Filesize
1.1MB

MD5
b0375fadbb808beaf33971aa2b1b56e2

SHA1
2b978167e0b264e7dd3484c61df8b31799f6867f

SHA256
92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

SHA512
8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe.exe

Filesize
1.1MB

MD5
b0375fadbb808beaf33971aa2b1b56e2

SHA1
2b978167e0b264e7dd3484c61df8b31799f6867f

SHA256
92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

SHA512
8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
fda93e69b1fe9e9ba2bf9faef22b6829

SHA1
f782afc8aae08a93a4e7d444efc680d17fce002b

SHA256
180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

SHA512
91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
fda93e69b1fe9e9ba2bf9faef22b6829

SHA1
f782afc8aae08a93a4e7d444efc680d17fce002b

SHA256
180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

SHA512
91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
fda93e69b1fe9e9ba2bf9faef22b6829

SHA1
f782afc8aae08a93a4e7d444efc680d17fce002b

SHA256
180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739

SHA512
91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6

Download Submit
memory/3432-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download