63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
Size

116KB
MD5

0b885ed723a267e39d90dacd99d29e71
SHA1

0eea34d096dfd5b70cb8fea2bdd2fe411dfa39ab
SHA256

63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43
SHA512

e4d120648b71010d7eb51c858e1c1e9b985a352bf4f16daa4ec59831e6131f9b5bcddfd318615e60fb25485dacd71514b03663503ed0cb7c2d9b02ae561179aa
SSDEEP

1536:6bqBQiRBxl5EzcBK/evhxx7C/iijdP5qHw76xDjqTQEnYa7bRgfoSXkgvV84vadC:zbRBxl5NBHt8RP4q6x0Zn3Cbkgy4C

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4712	Logo1_.exe
3408	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\MicrosoftEdgeUpdateSetup_X86_1.3.167.21.exe	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
File created	C:\Windows\Logo1_.exe	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe
4712	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3412	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	84
PID 5048 wrote to memory of 3412	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	84
PID 5048 wrote to memory of 3412	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	84
PID 5048 wrote to memory of 3816	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	86
PID 5048 wrote to memory of 3816	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	86
PID 5048 wrote to memory of 3816	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	86
PID 5048 wrote to memory of 4712	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	87
PID 5048 wrote to memory of 4712	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	87
PID 5048 wrote to memory of 4712	5048	63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe	87
PID 3412 wrote to memory of 512	3412	net.exe	89
PID 3412 wrote to memory of 512	3412	net.exe	89
PID 3412 wrote to memory of 512	3412	net.exe	89
PID 4712 wrote to memory of 2980	4712	Logo1_.exe	90
PID 4712 wrote to memory of 2980	4712	Logo1_.exe	90
PID 4712 wrote to memory of 2980	4712	Logo1_.exe	90
PID 2980 wrote to memory of 4072	2980	net.exe	92
PID 2980 wrote to memory of 4072	2980	net.exe	92
PID 2980 wrote to memory of 4072	2980	net.exe	92
PID 3816 wrote to memory of 3408	3816	cmd.exe	93
PID 3816 wrote to memory of 3408	3816	cmd.exe	93
PID 3816 wrote to memory of 3408	3816	cmd.exe	93
PID 4712 wrote to memory of 1944	4712	Logo1_.exe	94
PID 4712 wrote to memory of 1944	4712	Logo1_.exe	94
PID 4712 wrote to memory of 1944	4712	Logo1_.exe	94
PID 1944 wrote to memory of 100	1944	net.exe	96
PID 1944 wrote to memory of 100	1944	net.exe	96
PID 1944 wrote to memory of 100	1944	net.exe	96
PID 4712 wrote to memory of 2756	4712	Logo1_.exe	51
PID 4712 wrote to memory of 2756	4712	Logo1_.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
  "C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEFD3.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe
      "C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe"
      4⤵
      Executes dropped EXE
      PID:3408
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops startup file
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4072
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aEFD3.bat

Filesize
722B

MD5
0b31f34f5c490f1888c8eee8ba184537

SHA1
12c273284c5d01b9e6f78653bdb0c73c9433ff78

SHA256
9f652dec0d2e5b8532dc07819c7a35193685717712e3b357e89b37adf4aca737

SHA512
52f7dee51ea5d8577d802addc6d1312a730c01cafe3d885835a9ddc06924d81e7bede489556ad522dbcf382305d624244af2890c3af1a6df3cc2a688955bdb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe

Filesize
14KB

MD5
f0dfb2a69d35078d5df8739cb62fadf1

SHA1
2928b68d948940525c9a171a08c83f569d3ac744

SHA256
947df2894a77d3c4ea639222e2dfcc910430b6dc9618a48035c6e7cce62f4f85

SHA512
220ed6bcbb19897277f8b26a3ff541296d200932af102a0012dff973ca99cf52a1a2110b79d8a3597b740de42de4826cbdd4d03393a4aa2750db455ee0af73e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\63ac684ec0f4661ca18b2f5b07aeea5b1db40ced75b97d70b01357c378239b43.exe.exe

Filesize
14KB

MD5
f0dfb2a69d35078d5df8739cb62fadf1

SHA1
2928b68d948940525c9a171a08c83f569d3ac744

SHA256
947df2894a77d3c4ea639222e2dfcc910430b6dc9618a48035c6e7cce62f4f85

SHA512
220ed6bcbb19897277f8b26a3ff541296d200932af102a0012dff973ca99cf52a1a2110b79d8a3597b740de42de4826cbdd4d03393a4aa2750db455ee0af73e8

Download Submit
C:\Windows\Logo1_.exe

Filesize
102KB

MD5
d877bc30563b5b563dc157612abd7604

SHA1
529b855df49a169099c93401dd282fb2b5242a29

SHA256
99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

SHA512
9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

Download Submit
C:\Windows\Logo1_.exe

Filesize
102KB

MD5
d877bc30563b5b563dc157612abd7604

SHA1
529b855df49a169099c93401dd282fb2b5242a29

SHA256
99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

SHA512
9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

Download Submit
C:\Windows\rundl132.exe

Filesize
102KB

MD5
d877bc30563b5b563dc157612abd7604

SHA1
529b855df49a169099c93401dd282fb2b5242a29

SHA256
99b6fec9b18091bb3dc617be2df3d75c5f5b51945503f23486f3f49579632cb6

SHA512
9398fd0078dce71cedaf067fcd59afcc8599d52cd6fddb66496d26025ab60d59b82aeeb471fe21a97b71c25a587fe4f202ff26fe46da347fea60d3d0105281a3

Download Submit