Analysis
-
max time kernel
157s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220901-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
03/10/2022, 16:37
-
Static task
static1
Behavioral task
behavioral1
Sample
40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
Resource
win7-20220812-en
General
-
Target
40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
-
Size
212KB
-
MD5
32b83267e5b024b20b1d006a72e1d6d0
-
SHA1
688bd87d2f2102f61193e50a151315db7721547d
-
SHA256
40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d
-
SHA512
54cd797c45bf57f6998925c69a89d3e6827078e942e08324fb9aff96305fc2c6113f8fe96706813e6f62daf8d262ec66357c652cec35e342acb309613799f69f
-
SSDEEP
3072:KQDe+aDtreDF6+FwYa2tf3d3CJPfmPDeKEc8GREDLYICEYFOUUzfPwVDpDO:dS+aY32YhtEx9c8ypICEYFOREVS
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid | Process
216 | Logo1_.exe
792 | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\F: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\fre\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4920 | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe (this row is listed repeatedly)
216 | Logo1_.exe (this row is listed repeatedly)
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 4920 wrote to memory of 2472 | 4920 | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe | 84 (listed 3 times)
PID 2472 wrote to memory of 32 | 2472 | net.exe | 86 (listed 3 times)
PID 4920 wrote to memory of 204 | 4920 | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe | 87 (listed 3 times)
PID 4920 wrote to memory of 216 | 4920 | 40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe | 88 (listed 3 times)
PID 216 wrote to memory of 1544 | 216 | Logo1_.exe | 90 (listed 3 times)
PID 1544 wrote to memory of 3488 | 1544 | net.exe | 92 (listed 3 times)
PID 204 wrote to memory of 792 | 204 | cmd.exe | 93 (listed 3 times)
PID 216 wrote to memory of 2844 | 216 | Logo1_.exe | 96 (listed 3 times)
PID 2844 wrote to memory of 3768 | 2844 | net.exe | 98 (listed 3 times)
PID 216 wrote to memory of 3040 | 216 | Logo1_.exe | 47 (listed 2 times)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3040
  [2] C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4920
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2472
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 32
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC614.bat
        - Suspicious use of WriteProcessMemory
        PID: 204
      [4] C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe"
          - Executes dropped EXE
          PID: 792
    [3] C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Drops startup file
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 216
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
          PID: 1544
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 3488
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
          PID: 2844
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 3768
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
722B
MD5
5dde657e0116ba7a68c6d5e93e9a2cf4
SHA1
629fa9d1f912bddbc5588401d098492f46d3ba84
SHA256
9bc02789b807a036751b4856379125e2028a98d605b83cfdb0decbc769654cf8
SHA512
5beabda16fb53043363a0d3a5b24f1982e1e6b215f8ac7498d487eb0079efe35e19d180073bf62df271b50398bad4d94cb614e6996f4d9385e37071d5cd6bab9
-
C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe
Filesize
179KB
MD5
7d393087ab7b496654fca80921e8d13a
SHA1
013f7901622ad7b0447b1183657ed8a129002c7e
SHA256
d3f257bca783e672de519ed4dda5774220e6a95e8248109aba9eada1f9cbd963
SHA512
1b2b9aa6cd9d601f754ecc8377343e05c201d0a8e1e4afe8c185187d4811c28ea030929956b6e69f45926e5a54cecd0f994ecc0f340b5f7a07330fa7df36f5dc
-
C:\Users\Admin\AppData\Local\Temp\40559c73c9ff1fe763f3746f0e4a63eacc42af0b43a147de91504f69b6bc1a3d.exe.exe
Filesize
179KB
MD5
7d393087ab7b496654fca80921e8d13a
SHA1
013f7901622ad7b0447b1183657ed8a129002c7e
SHA256
d3f257bca783e672de519ed4dda5774220e6a95e8248109aba9eada1f9cbd963
SHA512
1b2b9aa6cd9d601f754ecc8377343e05c201d0a8e1e4afe8c185187d4811c28ea030929956b6e69f45926e5a54cecd0f994ecc0f340b5f7a07330fa7df36f5dc
-
(the following entry appears three times in the report; no file path was captured for it)
Filesize
33KB
MD5
b6437610b9aea33e82e16ee685a65946
SHA1
389601f9fd8b3dabc381fd9ee4a15b5e3b3e06f2
SHA256
d44ada5a8f7b460afcc94c970ffad95dd1b074b73d7e4f6762cc5609717e2ec1
SHA512
0459e79884adaecce4ef54f9e9323681e21af27bd816387846c0764f4161859bbba408cdf215691f6e8649e754f86ece80793f4721a634cc7a3ae591631b607c