Analysis

max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 16:28

Static task: static1
Behavioral task: behavioral1
Sample: be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
Resource: win7-20220901-en
General

Target: be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
Size: 48KB
MD5: 5cb7266542e52ee0cc91eeb006fa7a50
SHA1: 9af91c3336f3a8edecdfeff9055df8b232cd6fcd
SHA256: be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1
SHA512: e7caf5719c4edea2d54583f070f52bdde26ac2dfffb74ee61a4ec35411fc5bbcd25f37648354b4508b48d837dc5b2db933cf31f933cd3b982a4b83c5e9c75620
SSDEEP: 768:5KtElOIEvzMXqtwp/lDTJg/MFksCRsd2o1spc/jXhnzgohBDYMUrOOKvL3eIbq:5KtaYzMXqtGN/Csnj/jXhzgo3LTTHq

Malware Config

Signatures
Drops file in Drivers directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe

Executes dropped EXE (2 IoCs)

pid | Process
2356 | Logo1_.exe
4992 | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe

Drops startup file (2 IoCs)

description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 22 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\J:, \??\Y:, \??\N:, \??\K:, \??\L:, \??\G:, \??\W:, \??\R:, \??\P:, \??\S:, \??\O:, \??\H:, \??\F:, \??\E:, \??\Z:, \??\X:, \??\T:, \??\M:, \??\I:, \??\V:, \??\U:, \??\Q: (one IoC per drive letter, 22 in total) | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
File created | C:\Windows\Logo1_.exe | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
2276 | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe (recorded repeatedly)
2356 | Logo1_.exe (recorded repeatedly)
Suspicious use of WriteProcessMemory (29 IoCs)

description | pid | Process | procid_target
PID 2276 wrote to memory of 4144 | 2276 | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe | 77 (3 entries)
PID 4144 wrote to memory of 3536 | 4144 | net.exe | 80 (3 entries)
PID 2276 wrote to memory of 1804 | 2276 | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe | 81 (3 entries)
PID 2276 wrote to memory of 2356 | 2276 | be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe | 83 (3 entries)
PID 2356 wrote to memory of 5024 | 2356 | Logo1_.exe | 85 (3 entries)
PID 5024 wrote to memory of 4944 | 5024 | net.exe | 86 (3 entries)
PID 1804 wrote to memory of 4992 | 1804 | cmd.exe | 87 (3 entries)
PID 2356 wrote to memory of 2732 | 2356 | Logo1_.exe | 89 (3 entries)
PID 2732 wrote to memory of 2996 | 2732 | net.exe | 91 (3 entries)
PID 2356 wrote to memory of 3056 | 2356 | Logo1_.exe | 31 (2 entries)
Processes

Process tree (bracketed number = depth in the tree):

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3056

    [2] C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe"
        PID: 2276
        signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            cmdline: net stop "Kingsoft AntiVirus Service"
            PID: 4144
            signatures: Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID: 3536

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD0B.bat
            PID: 1804
            signatures: Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe"
                PID: 4992
                signatures: Executes dropped EXE

        [3] C:\Windows\Logo1_.exe
            cmdline: C:\Windows\Logo1_.exe
            PID: 2356
            signatures: Drops file in Drivers directory; Executes dropped EXE; Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net.exe
                cmdline: net stop "Kingsoft AntiVirus Service"
                PID: 5024
                signatures: Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe
                    cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 4944

            [4] C:\Windows\SysWOW64\net.exe
                cmdline: net stop "Kingsoft AntiVirus Service"
                PID: 2732
                signatures: Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe
                    cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 2996
Network

MITRE ATT&CK Enterprise v6

Downloads
Filesize: 722B
MD5: 37b61d1993841548f257ce894ac27e84
SHA1: dc096529e9e7380fe99e30bbd0d75d3156512c78
SHA256: 4ad7829a2c847ddf876a07615e56949ff2b1c40190095b494e31c59bb035ba64
SHA512: 6662ee13839ec602b555a794cca84ee03e113b16ae8fe2760d9b9990ec98a1343b02b9208667a1e73930fc4257b64f86314e557aa99dad2a1bf1fb0e192eff18

C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe
Filesize: 14KB
MD5: 7c828fc782737049513268cd2cbf925d
SHA1: 455789bf7474ee69bb8c94a8e7d50d67267a95f2
SHA256: 406a8fab18888378266b32bc0b1be0f4ce352e9d00334dfd7ee57c00cabfe464
SHA512: 62d7cae903905b6f8eec5a7a0977a079611940084edae019040de7c8ebe51f0be33a57f2f4543218595aacbb555a9e951f54b88cc6aa11eca3a0b66869af7f7f

C:\Users\Admin\AppData\Local\Temp\be14584dd7b2baad6c48d9d8a8dd7af1157d29fbb3ea10aaa307a9dfd50827f1.exe.exe
Filesize: 14KB
MD5: 7c828fc782737049513268cd2cbf925d
SHA1: 455789bf7474ee69bb8c94a8e7d50d67267a95f2
SHA256: 406a8fab18888378266b32bc0b1be0f4ce352e9d00334dfd7ee57c00cabfe464
SHA512: 62d7cae903905b6f8eec5a7a0977a079611940084edae019040de7c8ebe51f0be33a57f2f4543218595aacbb555a9e951f54b88cc6aa11eca3a0b66869af7f7f

Filesize: 33KB
MD5: 46d243671a27a3f62fff7ac56d55c480
SHA1: ab14b6b36427eb0de669061af6e9b079a66bdc25
SHA256: 555cd01ff3bdc08123cfe8cca66ba84dec2f998fe8b954e735223714e88f4663
SHA512: 43acbea5715baa7de155248b75b049202b3631f3ccff4b89261e3de561c19c7c85dcff2dd134f085ce3dbfdae130f752a021769442385d48a9564935fb4456d8