694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba

Analysis

max time kernel
172s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
Size

436KB
MD5

68903762db226e18344ac90a11fb8fb0
SHA1

4ad4e25df70ded17bc5f4f1bc9bda781d704d899
SHA256

694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba
SHA512

eae7273a9adca8f6dac4895eff0a6ac7fadb71ae8f43c031d6c0d741377ad4cf7c491e8c860aa9970367841fb9b1a8796c4dc3512a7ba8594ed338a2e6e63e83
SSDEEP

6144:vrQ7X8rQ7X8rQ7X8rQ7X8rQ7XqF/rxWoksa+IlzpN7kypXsGKLu8N:vrE8rE8rE8rE8rEoxWJsClzPIytmx

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2160	Logo1_.exe
4732	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
3700	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1980	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
3088	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
3940	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1336-134-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x0009000000022e0e-137.dat	upx
behavioral2/files/0x0009000000022e0e-139.dat	upx
behavioral2/memory/1336-138-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x0009000000022e0d-143.dat	upx
behavioral2/files/0x0009000000022e0d-145.dat	upx
behavioral2/memory/4732-147-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x000a000000022e10-149.dat	upx
behavioral2/files/0x000a000000022e10-151.dat	upx
behavioral2/memory/3700-153-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2160-154-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x000a000000022e0d-156.dat	upx
behavioral2/files/0x000a000000022e0d-158.dat	upx
behavioral2/memory/1980-160-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x000b000000022e10-162.dat	upx
behavioral2/files/0x000b000000022e10-164.dat	upx
behavioral2/memory/3088-166-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/files/0x0008000000022e0a-169.dat	upx
behavioral2/memory/2160-174-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\_desktop.ini	Logo1_.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File created	C:\Windows\Logo1_.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File created	C:\Windows\Logo1_.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File created	C:\Windows\Logo1_.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File created	C:\Windows\Logo1_.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File created	C:\Windows\Logo1_.exe	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 3136	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	82
PID 1336 wrote to memory of 3136	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	82
PID 1336 wrote to memory of 3136	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	82
PID 3136 wrote to memory of 1436	3136	net.exe	84
PID 3136 wrote to memory of 1436	3136	net.exe	84
PID 3136 wrote to memory of 1436	3136	net.exe	84
PID 1336 wrote to memory of 4632	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	85
PID 1336 wrote to memory of 4632	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	85
PID 1336 wrote to memory of 4632	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	85
PID 1336 wrote to memory of 2160	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	87
PID 1336 wrote to memory of 2160	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	87
PID 1336 wrote to memory of 2160	1336	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	87
PID 2160 wrote to memory of 4432	2160	Logo1_.exe	89
PID 2160 wrote to memory of 4432	2160	Logo1_.exe	89
PID 2160 wrote to memory of 4432	2160	Logo1_.exe	89
PID 4432 wrote to memory of 2508	4432	net.exe	90
PID 4432 wrote to memory of 2508	4432	net.exe	90
PID 4432 wrote to memory of 2508	4432	net.exe	90
PID 4632 wrote to memory of 4732	4632	cmd.exe	91
PID 4632 wrote to memory of 4732	4632	cmd.exe	91
PID 4632 wrote to memory of 4732	4632	cmd.exe	91
PID 4732 wrote to memory of 2224	4732	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	92
PID 4732 wrote to memory of 2224	4732	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	92
PID 4732 wrote to memory of 2224	4732	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	92
PID 2224 wrote to memory of 3700	2224	cmd.exe	94
PID 2224 wrote to memory of 3700	2224	cmd.exe	94
PID 2224 wrote to memory of 3700	2224	cmd.exe	94
PID 3700 wrote to memory of 3536	3700	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	96
PID 3700 wrote to memory of 3536	3700	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	96
PID 3700 wrote to memory of 3536	3700	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	96
PID 3536 wrote to memory of 1980	3536	cmd.exe	97
PID 3536 wrote to memory of 1980	3536	cmd.exe	97
PID 3536 wrote to memory of 1980	3536	cmd.exe	97
PID 1980 wrote to memory of 3612	1980	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	99
PID 1980 wrote to memory of 3612	1980	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	99
PID 1980 wrote to memory of 3612	1980	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	99
PID 3612 wrote to memory of 3088	3612	cmd.exe	100
PID 3612 wrote to memory of 3088	3612	cmd.exe	100
PID 3612 wrote to memory of 3088	3612	cmd.exe	100
PID 3088 wrote to memory of 3372	3088	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	101
PID 3088 wrote to memory of 3372	3088	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	101
PID 3088 wrote to memory of 3372	3088	694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe	101
PID 2160 wrote to memory of 1008	2160	Logo1_.exe	103
PID 2160 wrote to memory of 1008	2160	Logo1_.exe	103
PID 2160 wrote to memory of 1008	2160	Logo1_.exe	103
PID 1008 wrote to memory of 1836	1008	net.exe	105
PID 1008 wrote to memory of 1836	1008	net.exe	105
PID 1008 wrote to memory of 1836	1008	net.exe	105
PID 3372 wrote to memory of 3940	3372	cmd.exe	106
PID 3372 wrote to memory of 3940	3372	cmd.exe	106
PID 3372 wrote to memory of 3940	3372	cmd.exe	106
PID 2160 wrote to memory of 1124	2160	Logo1_.exe	32
PID 2160 wrote to memory of 1124	2160	Logo1_.exe	32

C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
"C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE803.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
    "C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aECC6.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED72.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEDFE.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEE9B.bat
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe"
        11⤵
        Executes dropped EXE
        
        PID:3940
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1836

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aE803.bat

Filesize
722B

MD5
b37a11482c8b763de89f04ea9b0d9b06

SHA1
1c9870e63e0cc5a7f2720220d6cc93419c7a3868

SHA256
6ba5764957917f6ecd6452411300bea7d7675c112c008a7e7d38459773c41489

SHA512
75e6e38aab3a4bb5511a2d0e89c4ce05d6d61e7a0e029cfbd2f801b61be5b0cd38e5bd7ccd7643b829065055fe75492ab23d9764f3bf0f2bfa6f14f774f93c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aECC6.bat

Filesize
722B

MD5
d144cf0436803afb90d650e6c82b6324

SHA1
a92d20b8d45cdd4da0b55f657de48ddcf48bdd9c

SHA256
2755b648b755543cd8d66b93331d3a84b05a5fb2d881849ffac807abf6ae6de0

SHA512
15d3b1e80fdc08f00aa89f4027de1a916b424f1c30bb8f7465d3155c9f155f85f52196daa872719f747959b03231722d3851f30c52879c9e4e28d4da603e7cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aED72.bat

Filesize
722B

MD5
a2368d694cff5bec6b6ad6c4a7b36195

SHA1
bac8ef4760f701724791bc43a7af8b6d79638432

SHA256
04fb70423f46c9b22bed6107ef662e701e8abe6bd9c82fb34102e5e0e8ae974a

SHA512
697d56e3cb1332136b024df873e4c002b65ccb904c2b86e8aa2c61c3deffbc2984f87893a957353aaf9d02d0bfc8d128ceed642c62eebdee4f3a7d6dad59215a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEDFE.bat

Filesize
722B

MD5
3706096e15ed21ed2da067d217abc067

SHA1
091105bb45cfa9930e1f119122fa6078dad5bd49

SHA256
1d7928cd36944111c9ea4b0621940a86cd7bbbe2958447eeae082868b2cc4e48

SHA512
4ea231f84796dc0c4d078fa7df5055495ae5231fa0759a44313829ae322a3d97626f13f1d5a1c39c8adcb23ef16ab3bcef28d5f96366589f5fb96e74d1e9f504

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEE9B.bat

Filesize
722B

MD5
c9ae94bff4dfff2fc55c4349b0152239

SHA1
229397d0f6215bb6276c840aab7e9fe55592ab61

SHA256
9bf3c54efe9341e9b26b422f888f355037139ddf54bbd7950a193828147a24ce

SHA512
c27a4cf0ef21d2b6dd988166420ad73631b1a0d7e8548133d662b8c66651c297dbcc597148e238a4527a8b1e1dd2b345c992ac755865e25de6312d7aabe7e38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

Filesize
388KB

MD5
42eb7386a235f374ced15ff014c74fbc

SHA1
21aace04b3f7fe500ff2e07a0c340f8bdfc07d8a

SHA256
10b5b2bd640e5d49deca3819abbb3c3fc2d0657237b13ae389e7939ceb35b766

SHA512
64c014a85fbd4133b5446fb180eca9250a0b2bef6893aca2548de59147b769706a438092e24b1c5b3d53c9416422167c8454c8adc56024f2cb5458a12d469004

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

Filesize
292KB

MD5
8262261e06fc26a33e6e6823f29aede2

SHA1
f56b7c3f8f3c36e54c9141afdc5b581f8c461dfa

SHA256
264069c891f0c19c66887a4fc02753076851cdf9a0621e876d94b812f396dd4b

SHA512
2b004a9147733cf05dd917645b6e4ddbd7773954ead59a89a527e09606d98f9d01a3c93f14f4fea4f086289916b4984f796028b1c9c5ebce7df34d2afe30c56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

Filesize
340KB

MD5
bc1ff70814310ca61ed48b4846bd93d6

SHA1
f83575492bf084eef69aa73a450187bbde02cc27

SHA256
ba48d7d47b07cb9ed0091614a9aae1a2f3fdb95186fcd0ce018834753022acce

SHA512
3b55e76788a69154dccb13c54687d8dd33a182a220f00cea25bed3fb6f3ac56601250dae9ba633db5008fc5804ee6f77a9e131c8966d505c6c65d313924391c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

Filesize
196KB

MD5
e277c899323a685b21ff31a4da07bb6d

SHA1
1fdf231e80a4f0b8331313b577814348cdf224e6

SHA256
d3af26599e093e4f8250662f5590e9c556dadb271a31231a7e35fcd4da5b1700

SHA512
17ef1af2962d6a15dcc57bb2a9b22196405d839659b0b1be6960dd4b5f0a02f1a9aa9641a79ccf26a2b9b0214e95f0230593c2d91aa2966d9deadf1a05da04f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe

Filesize
244KB

MD5
556bb40cb647ba8803469f3ff19249df

SHA1
f987beb346fec716a813bf8ec5715129eaead5e9

SHA256
d4e88b11d1d9142dd4942b928ec13fc13cbfffaeeb22832e1d292cd16a4d73fc

SHA512
d725843a3ffe38e3f8b41a577d00d2d972a02045a914cecffde66107e18b7e6890b44aec2743f5fe7bebc543db89e8a6507f2157ac23f4fc559f1c0393b33377

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe.exe

Filesize
388KB

MD5
42eb7386a235f374ced15ff014c74fbc

SHA1
21aace04b3f7fe500ff2e07a0c340f8bdfc07d8a

SHA256
10b5b2bd640e5d49deca3819abbb3c3fc2d0657237b13ae389e7939ceb35b766

SHA512
64c014a85fbd4133b5446fb180eca9250a0b2bef6893aca2548de59147b769706a438092e24b1c5b3d53c9416422167c8454c8adc56024f2cb5458a12d469004

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe.exe

Filesize
292KB

MD5
8262261e06fc26a33e6e6823f29aede2

SHA1
f56b7c3f8f3c36e54c9141afdc5b581f8c461dfa

SHA256
264069c891f0c19c66887a4fc02753076851cdf9a0621e876d94b812f396dd4b

SHA512
2b004a9147733cf05dd917645b6e4ddbd7773954ead59a89a527e09606d98f9d01a3c93f14f4fea4f086289916b4984f796028b1c9c5ebce7df34d2afe30c56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe.exe

Filesize
340KB

MD5
bc1ff70814310ca61ed48b4846bd93d6

SHA1
f83575492bf084eef69aa73a450187bbde02cc27

SHA256
ba48d7d47b07cb9ed0091614a9aae1a2f3fdb95186fcd0ce018834753022acce

SHA512
3b55e76788a69154dccb13c54687d8dd33a182a220f00cea25bed3fb6f3ac56601250dae9ba633db5008fc5804ee6f77a9e131c8966d505c6c65d313924391c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe.exe

Filesize
196KB

MD5
e277c899323a685b21ff31a4da07bb6d

SHA1
1fdf231e80a4f0b8331313b577814348cdf224e6

SHA256
d3af26599e093e4f8250662f5590e9c556dadb271a31231a7e35fcd4da5b1700

SHA512
17ef1af2962d6a15dcc57bb2a9b22196405d839659b0b1be6960dd4b5f0a02f1a9aa9641a79ccf26a2b9b0214e95f0230593c2d91aa2966d9deadf1a05da04f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\694a01dabfcae9081427aaa200f6c0d43d09539e9c300f5165a799362a7a9bba.exe.exe

Filesize
244KB

MD5
556bb40cb647ba8803469f3ff19249df

SHA1
f987beb346fec716a813bf8ec5715129eaead5e9

SHA256
d4e88b11d1d9142dd4942b928ec13fc13cbfffaeeb22832e1d292cd16a4d73fc

SHA512
d725843a3ffe38e3f8b41a577d00d2d972a02045a914cecffde66107e18b7e6890b44aec2743f5fe7bebc543db89e8a6507f2157ac23f4fc559f1c0393b33377

Download Submit
C:\Windows\Logo1_.exe

Filesize
48KB

MD5
3e2de32f3ea909656d52b570d8c7dd29

SHA1
0ae3fa4ffc39e4f5faf4d6fadca810a3414832f9

SHA256
546dcbd7105ff7e2f9d8231711d582d557ec1ab1ed08c15b95aa74ba1673ed99

SHA512
3b5055aeab86d4f6f5a24105a869024035e7090e5e56f5a1e656e0a9422fd928f111d6f2611e7c77cfcbaffafc9894e9c2b269a3673a0d54a5bc2cfe547d61eb

Download Submit
C:\Windows\Logo1_.exe

Filesize
48KB

MD5
3e2de32f3ea909656d52b570d8c7dd29

SHA1
0ae3fa4ffc39e4f5faf4d6fadca810a3414832f9

SHA256
546dcbd7105ff7e2f9d8231711d582d557ec1ab1ed08c15b95aa74ba1673ed99

SHA512
3b5055aeab86d4f6f5a24105a869024035e7090e5e56f5a1e656e0a9422fd928f111d6f2611e7c77cfcbaffafc9894e9c2b269a3673a0d54a5bc2cfe547d61eb

Download Submit
C:\Windows\rundl132.exe

Filesize
48KB

MD5
3e2de32f3ea909656d52b570d8c7dd29

SHA1
0ae3fa4ffc39e4f5faf4d6fadca810a3414832f9

SHA256
546dcbd7105ff7e2f9d8231711d582d557ec1ab1ed08c15b95aa74ba1673ed99

SHA512
3b5055aeab86d4f6f5a24105a869024035e7090e5e56f5a1e656e0a9422fd928f111d6f2611e7c77cfcbaffafc9894e9c2b269a3673a0d54a5bc2cfe547d61eb

Download Submit
memory/1336-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1336-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-154-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3700-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4732-147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download