Analysis
max time kernel: 156s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
  Resource: win10v2004-20220812-en
General
Target: 1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
Size: 351KB
MD5: 63e673ed120d52327d55a9eef69047e0
SHA1: 48bf4b7091086c3a10b89222d8980a2ce66556ad
SHA256: 1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2
SHA512: b255bc8b08d6e46c302c0a37b9233ff83e6e32b8360d58b77e8dd9e12b2e3aa6ad9a06f401e6cafe0a15114561193e484dc70304d878723692e353d544d204e7
SSDEEP: 6144:W46tGdyQsI4A25lvmI541elbcsk7ybN8ChTBq9Pjs5VMJ708:W3NQsI4AsJtG7yxThT89J708
Signatures
Drops file in Drivers directory (2 IoCs)
description / ioc / Process:
File opened for modification  C:\Windows\system32\drivers\etc\hosts  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
File opened for modification  C:\Windows\system32\drivers\etc\hosts  Logo1_.exe
Executes dropped EXE (2 IoCs)
pid / Process:
3192  Logo1_.exe
220   1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
File opened (read-only) by Logo1_.exe, one IoC per drive root: \??\R: \??\Q: \??\P: \??\O: \??\X: \??\W: \??\V: \??\U: \??\M: \??\I: \??\G: \??\H: \??\Z: \??\Y: \??\N: \??\L: \??\T: \??\K: \??\E: \??\S: \??\J: \??\F:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description / ioc / Process:
File created                  C:\Windows\rundl132.exe  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
File created                  C:\Windows\Logo1_.exe    1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\Dll.dll       Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (the report repeats each of these two entries many times; listed once here):
4980  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
3192  Logo1_.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description / pid / Process / procid_target (each entry appears three times in the report, the last one twice; listed once here):
PID 4980 wrote to memory of 4920  4980  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe  80
PID 4920 wrote to memory of 1084  4920  net.exe  82
PID 4980 wrote to memory of 4584  4980  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe  83
PID 4980 wrote to memory of 3192  4980  1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe  85
PID 3192 wrote to memory of 3136  3192  Logo1_.exe  86
PID 3136 wrote to memory of 3840  3136  net.exe  88
PID 4584 wrote to memory of 220   4584  cmd.exe  89
PID 3192 wrote to memory of 2968  3192  Logo1_.exe  91
PID 2968 wrote to memory of 4032  2968  net.exe  92
PID 3192 wrote to memory of 1996  3192  Logo1_.exe  37
Processes (parent/child tree; indentation shows the depth of each process, signatures triggered by that process are listed beneath it)
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth 1, PID:1996
  C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe"
    Depth 2, PID:4980
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Depth 3, PID:4920
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Depth 4, PID:1084
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a14EF.bat
      Depth 3, PID:4584
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe"
        Depth 4, PID:220
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Depth 3, PID:3192
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Depth 4, PID:3136
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Depth 5, PID:3840
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Depth 4, PID:2968
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Depth 5, PID:4032
Downloads
-
Filesize: 722B
MD5: 38b33915da9ab52bca4cb40393054403
SHA1: 34af1e389b553080413dcb7ebdace74c4534fa45
SHA256: 0e8ccdb8a133b1c9885d3d71d0f2be6990ce784dc1868377bb59dab8014432d7
SHA512: 074e7f89cdb1242d04b15dc6142a78456cbf87be13dbe4575510abd306fd9a27cc124bf07e410699a06b05c27f6d362e92124604f14ca9089b4fe96bbdf09ee2
-
C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe
Filesize: 317KB
MD5: 831236bfaa7161c9be2ac4694d8886b1
SHA1: f9bb95928340743b9f821f2c026cc5ce366e8b3a
SHA256: 8cd9798779ca219ee9e6a7fc3e1f40da7e3d83cb75f80fba0ed92215f9907228
SHA512: 2569a669fd6a105b80979daca0aedd53192799bec60a2fb158ba72e132bfaf23d383e99813148b8e4a6b35104a4e616e801907553edf7fa9ffb473f1f78df0fa
-
C:\Users\Admin\AppData\Local\Temp\1d54876c50c3ff84e542cba96807ddbc0a6c4a17533cdbc9d553e6ac59337dc2.exe.exe
Filesize: 317KB
MD5: 831236bfaa7161c9be2ac4694d8886b1
SHA1: f9bb95928340743b9f821f2c026cc5ce366e8b3a
SHA256: 8cd9798779ca219ee9e6a7fc3e1f40da7e3d83cb75f80fba0ed92215f9907228
SHA512: 2569a669fd6a105b80979daca0aedd53192799bec60a2fb158ba72e132bfaf23d383e99813148b8e4a6b35104a4e616e801907553edf7fa9ffb473f1f78df0fa
-
Filesize: 33KB
MD5: fbebab93a8151508086987e157a37a68
SHA1: 2afc3c6c9e4e9c647dba952b905dcea11108c68b
SHA256: 5b351fbedb1e36cf590aa08b40d068dcfcac249707e66e5c9053d23874b61db0
SHA512: a893dd631c70a6f36f483ada3129934ed2cf9a6d413d4d60a62c36a0d9702a484425da8a3d0108cb1079c7fd825a2130904ff867b634422a8903aaf934018343