3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0

General

Target

3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
Size

47KB
MD5

065de212eea42e33e13a3c10d5fb71f6
SHA1

44ac1bfc199b03750a50f399c70dffda301c7f66
SHA256

3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0
SHA512

85ebd7fbab94e28506074c6aa01eabafe41dcec4ec02e621b0b66614255653a74c21709c95e7e3da2a08441b39b4435db5c8927c748aa485e7cd6d0510b5b1c6
SSDEEP

768:PxElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/aMDYMUrOOKvL3eIbqm:PxaYzMXqtGNttyUn01Q78a4R6LTTHqm

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

Logo1_.exe3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

pid process

4168 Logo1_.exe
3232 3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

pid	process
4168	Logo1_.exe
3232	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Office16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
File created	C:\Windows\Logo1_.exe	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exeLogo1_.exe

pid	process
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe
4168	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1164 wrote to memory of 3764	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	net.exe
PID 1164 wrote to memory of 3764	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	net.exe
PID 1164 wrote to memory of 3764	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	net.exe
PID 3764 wrote to memory of 4944	3764	net.exe	net1.exe
PID 3764 wrote to memory of 4944	3764	net.exe	net1.exe
PID 3764 wrote to memory of 4944	3764	net.exe	net1.exe
PID 1164 wrote to memory of 5016	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	cmd.exe
PID 1164 wrote to memory of 5016	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	cmd.exe
PID 1164 wrote to memory of 5016	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	cmd.exe
PID 1164 wrote to memory of 4168	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	Logo1_.exe
PID 1164 wrote to memory of 4168	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	Logo1_.exe
PID 1164 wrote to memory of 4168	1164	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe	Logo1_.exe
PID 4168 wrote to memory of 4708	4168	Logo1_.exe	net.exe
PID 4168 wrote to memory of 4708	4168	Logo1_.exe	net.exe
PID 4168 wrote to memory of 4708	4168	Logo1_.exe	net.exe
PID 4708 wrote to memory of 3132	4708	net.exe	net1.exe
PID 4708 wrote to memory of 3132	4708	net.exe	net1.exe
PID 4708 wrote to memory of 3132	4708	net.exe	net1.exe
PID 5016 wrote to memory of 3232	5016	cmd.exe	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
PID 5016 wrote to memory of 3232	5016	cmd.exe	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
PID 5016 wrote to memory of 3232	5016	cmd.exe	3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
PID 4168 wrote to memory of 2212	4168	Logo1_.exe	net.exe
PID 4168 wrote to memory of 2212	4168	Logo1_.exe	net.exe
PID 4168 wrote to memory of 2212	4168	Logo1_.exe	net.exe
PID 2212 wrote to memory of 896	2212	net.exe	net1.exe
PID 2212 wrote to memory of 896	2212	net.exe	net1.exe
PID 2212 wrote to memory of 896	2212	net.exe	net1.exe
PID 4168 wrote to memory of 2640	4168	Logo1_.exe	Explorer.EXE
PID 4168 wrote to memory of 2640	4168	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
"C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a32B8.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe
"C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe"
4⤵
- Executes dropped EXE
PID:3232

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3132

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a32B8.bat

Filesize
722B

MD5
1ec3f7d081ab57a079994ae329a1efb8

SHA1
795bda904c88475107c3b72ad974ec9b021ce807

SHA256
731790f1b94026798ca9fc0616d4cb628e37c89c8c7c736c79799248db8f8f5e

SHA512
28ee819fdb13e33df595a364414969e3b084f7253163b8de6b2c813f9a2dbf63cfa28245601d7ef118b2db6adba2eba96c60edd9e368233e4d947dce6c61913e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
C:\Users\Admin\AppData\Local\Temp\3458283903b5cb83c884766faf2cfa2243f0ebe4cf482aa82ed60c4bea733ee0.exe.exe

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4af5ed4fa49ba9de6e65b33ed1b98b23

SHA1
78f747ec6e817ecb94e0cd8be4489eeaaa0b318f

SHA256
6bcea3e0ee25792f63ab8d37693db7c828413dedd7feeaf1268beb95439969b6

SHA512
8efc0dccf0c8b74158dd5511a81159c199634ffa77621dbcba02ffd6428cab6b31b3d21bc39cb37dadb0c4ffaad6d8c411df35a9b92bfab9b9056f97efd04bbf

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4af5ed4fa49ba9de6e65b33ed1b98b23

SHA1
78f747ec6e817ecb94e0cd8be4489eeaaa0b318f

SHA256
6bcea3e0ee25792f63ab8d37693db7c828413dedd7feeaf1268beb95439969b6

SHA512
8efc0dccf0c8b74158dd5511a81159c199634ffa77621dbcba02ffd6428cab6b31b3d21bc39cb37dadb0c4ffaad6d8c411df35a9b92bfab9b9056f97efd04bbf

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
4af5ed4fa49ba9de6e65b33ed1b98b23

SHA1
78f747ec6e817ecb94e0cd8be4489eeaaa0b318f

SHA256
6bcea3e0ee25792f63ab8d37693db7c828413dedd7feeaf1268beb95439969b6

SHA512
8efc0dccf0c8b74158dd5511a81159c199634ffa77621dbcba02ffd6428cab6b31b3d21bc39cb37dadb0c4ffaad6d8c411df35a9b92bfab9b9056f97efd04bbf

Download Submit
memory/896-149-0x0000000000000000-mapping.dmp

Download
memory/1164-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-148-0x0000000000000000-mapping.dmp

Download
memory/3132-141-0x0000000000000000-mapping.dmp

Download
memory/3232-145-0x0000000000000000-mapping.dmp

Download
memory/3764-133-0x0000000000000000-mapping.dmp

Download
memory/4168-136-0x0000000000000000-mapping.dmp

Download
memory/4168-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-140-0x0000000000000000-mapping.dmp

Download
memory/4944-134-0x0000000000000000-mapping.dmp

Download
memory/5016-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads