22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f

General

Target

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
Size

33KB
MD5

029f490254f0ac73b183d6af58652d40
SHA1

a2c582b1682ac07cd237a3fb76c203630be5d52e
SHA256

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f
SHA512

f44cb113b3ec623103bd879ad62b5afa22fe06e60549192b572feb38eef459c21d826716809da3bf3f03bc4b5cbb1535e006f453fc8c9c244d2751ae7ba2c30c
SSDEEP

768:GeCUvblvmO5RroZJ76739sBWsYducUCgFGPb:G8Zvme+Zk78SubCgFGP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

description	ioc	process
File opened (read-only)	\??\W:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\S:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\E:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\Z:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\U:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\T:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\H:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\G:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\F:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\X:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\V:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\R:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\O:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\N:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\L:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\I:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\Y:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\Q:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\P:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\M:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\K:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened (read-only)	\??\J:	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

Drops file in Program Files directory 64 IoCs

Processes:

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Internet Explorer\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

Drops file in Windows directory 2 IoCs

Processes:

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
File created	C:\Windows\Dll.dll	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

pid	process
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exenet.exenet.exe

description	pid	process	target process
PID 4952 wrote to memory of 2172	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 4952 wrote to memory of 2172	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 4952 wrote to memory of 2172	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 2172 wrote to memory of 828	2172	net.exe	net1.exe
PID 2172 wrote to memory of 828	2172	net.exe	net1.exe
PID 2172 wrote to memory of 828	2172	net.exe	net1.exe
PID 4952 wrote to memory of 3500	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 4952 wrote to memory of 3500	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 4952 wrote to memory of 3500	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	net.exe
PID 3500 wrote to memory of 4644	3500	net.exe	net1.exe
PID 3500 wrote to memory of 4644	3500	net.exe	net1.exe
PID 3500 wrote to memory of 4644	3500	net.exe	net1.exe
PID 4952 wrote to memory of 2584	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	Explorer.EXE
PID 4952 wrote to memory of 2584	4952	22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe
"C:\Users\Admin\AppData\Local\Temp\22ab478c04b3a6ed95fb6efd6e997ffaf6d05332a6d0d1f5c722b05324b8a13f.exe"
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:828

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-134-0x0000000000000000-mapping.dmp

Download
memory/2172-133-0x0000000000000000-mapping.dmp

Download
memory/3500-135-0x0000000000000000-mapping.dmp

Download
memory/4644-136-0x0000000000000000-mapping.dmp

Download
memory/4952-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads