ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65

General

Target

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Size

224KB
MD5

3d4f22097fcad60cfb4fd20e7b59eca0
SHA1

30d49c4d4f016ad0b107cc03a10347d44b5e72fa
SHA256

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65
SHA512

36016b33dde97401d2ef4239907942802ccc6c86e268d77f0005a64dc6e22996061c8db4ba9c92ec9df407dd6f1f9d2cfba4ca268b2df6da5229f27239fd8688
SSDEEP

3072:6CSjGoLpWM65lmjx73xOU4aukLQup8LXGCTobItEP4ghZglTsyL7RD:cXymtoPg5cjuP4ghZS7hD

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exeea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe

pid process

2240 Logo1_.exe
1788 ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe

pid	process
2240	Logo1_.exe
1788	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exeLogo1_.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Logo1_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCX80D4.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.Exe	Logo1_.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\RCX7FE3.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RCX7F53.tmp	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\uninstall\rundl132.exe	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
File created	C:\Windows\Logo1_.exe	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exeLogo1_.exe

pid	process
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe
2240	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exeLogo1_.exenet.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4352 wrote to memory of 1476	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	net.exe
PID 4352 wrote to memory of 1476	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	net.exe
PID 4352 wrote to memory of 1476	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	net.exe
PID 4352 wrote to memory of 4028	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	cmd.exe
PID 4352 wrote to memory of 4028	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	cmd.exe
PID 4352 wrote to memory of 4028	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	cmd.exe
PID 4352 wrote to memory of 2240	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	Logo1_.exe
PID 4352 wrote to memory of 2240	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	Logo1_.exe
PID 4352 wrote to memory of 2240	4352	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe	Logo1_.exe
PID 2240 wrote to memory of 4648	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 4648	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 4648	2240	Logo1_.exe	net.exe
PID 1476 wrote to memory of 4820	1476	net.exe	net1.exe
PID 1476 wrote to memory of 4820	1476	net.exe	net1.exe
PID 1476 wrote to memory of 4820	1476	net.exe	net1.exe
PID 4028 wrote to memory of 1788	4028	cmd.exe	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
PID 4028 wrote to memory of 1788	4028	cmd.exe	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
PID 4028 wrote to memory of 1788	4028	cmd.exe	ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
PID 2240 wrote to memory of 536	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 536	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 536	2240	Logo1_.exe	net.exe
PID 2240 wrote to memory of 676	2240	Logo1_.exe	Explorer.EXE
PID 2240 wrote to memory of 676	2240	Logo1_.exe	Explorer.EXE
PID 4648 wrote to memory of 368	4648	net.exe	net1.exe
PID 4648 wrote to memory of 368	4648	net.exe	net1.exe
PID 4648 wrote to memory of 368	4648	net.exe	net1.exe
PID 536 wrote to memory of 4636	536	net.exe	net1.exe
PID 536 wrote to memory of 4636	536	net.exe	net1.exe
PID 536 wrote to memory of 4636	536	net.exe	net1.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
"C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7188.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
"C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1788

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:368

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7188.bat
Filesize
722B

MD5
c84b4b2e74cf8a594a925907133ab3e7

SHA1
fe14e6bb37233a80c7671b438fa44b815ad101de

SHA256
316a2538677b7b8d80e64682f110384c9338d3328c1404209b77fe987293108b

SHA512
c6daa695a65b588f2cf5f7f5c8d395af495df2cf544470cdab70df1f64255ec94ec37102cb8ea270a262007eef873b86f6fe12c4f3660234b04d2de957b3931e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe
Filesize
134KB

MD5
913c3c7a71d2a1b6f570c8ac837c7e85

SHA1
69190d09c6006c217fc074f65394089d4e999c09

SHA256
3c0a527220f3168ef6f8951234789dc0a3fadfd8217aa80c73af5b03fdf1cb84

SHA512
0db3b5156cbcb5d7cef11f39287487b6de3233fcac99f3c353b93d7be619e7cdb85b444cb97e7b1d052d371bd3c9ae942ee84934f41a78bc831b8f689ff6e5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea653aa36cbcd0f1df0330d8b68c43af56fa92f730d4b17a6da9d5366255bc65.exe.exe
Filesize
134KB

MD5
913c3c7a71d2a1b6f570c8ac837c7e85

SHA1
69190d09c6006c217fc074f65394089d4e999c09

SHA256
3c0a527220f3168ef6f8951234789dc0a3fadfd8217aa80c73af5b03fdf1cb84

SHA512
0db3b5156cbcb5d7cef11f39287487b6de3233fcac99f3c353b93d7be619e7cdb85b444cb97e7b1d052d371bd3c9ae942ee84934f41a78bc831b8f689ff6e5da

Download Submit
C:\Windows\Logo1_.exe
Filesize
89KB

MD5
c49ae0fabe17bf0dde64923fc52c7577

SHA1
8460831d96811db3c31170c4015eb6302a2d8e9d

SHA256
f35ff873ab6e316d48c1cfc962c9676a09beaa673ded506f3022431559ec792c

SHA512
25dbe16deec17f821923056c8625344e445f356d20716fc176856b247d55e41d558b1f97245d07786125cbc3b3fb0d27c587139413b111a51e5ff6189c884cd0

Download Submit
C:\Windows\Logo1_.exe
Filesize
89KB

MD5
c49ae0fabe17bf0dde64923fc52c7577

SHA1
8460831d96811db3c31170c4015eb6302a2d8e9d

SHA256
f35ff873ab6e316d48c1cfc962c9676a09beaa673ded506f3022431559ec792c

SHA512
25dbe16deec17f821923056c8625344e445f356d20716fc176856b247d55e41d558b1f97245d07786125cbc3b3fb0d27c587139413b111a51e5ff6189c884cd0

Download Submit
C:\Windows\uninstall\rundl132.exe
Filesize
89KB

MD5
c49ae0fabe17bf0dde64923fc52c7577

SHA1
8460831d96811db3c31170c4015eb6302a2d8e9d

SHA256
f35ff873ab6e316d48c1cfc962c9676a09beaa673ded506f3022431559ec792c

SHA512
25dbe16deec17f821923056c8625344e445f356d20716fc176856b247d55e41d558b1f97245d07786125cbc3b3fb0d27c587139413b111a51e5ff6189c884cd0

Download Submit
memory/368-145-0x0000000000000000-mapping.dmp

Download
memory/536-144-0x0000000000000000-mapping.dmp

Download
memory/1476-132-0x0000000000000000-mapping.dmp

Download
memory/1788-141-0x0000000000000000-mapping.dmp

Download
memory/2240-134-0x0000000000000000-mapping.dmp

Download
memory/4028-133-0x0000000000000000-mapping.dmp

Download
memory/4636-146-0x0000000000000000-mapping.dmp

Download
memory/4648-138-0x0000000000000000-mapping.dmp

Download
memory/4820-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads