38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661

Analysis

max time kernel
178s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
Size

992KB
MD5

05508a5aaaf8579863953f8308792540
SHA1

7c903b8f69f83515fc3d6fff086186892f853711
SHA256

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661
SHA512

191eb14fef7c63e25ffeff3d48e8b91f8a17c16c28bba549dd0c709f24f27b7be7d0dc61d39a9eeb2b262c8968c7d1562856a807bd2e794800a7728b66a6ed9a
SSDEEP

24576:jSK2Ph8dr3+aP6b3Jv2BChi3pA/VwgbIxCZbqfyCRsO:jSKYSdKjcBSApANohyCRB

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeupdate.exe

pid process

936 Logo1_.exe
1156 38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
692 update.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

588 cmd.exe

pid	process
936	Logo1_.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
692	update.exe

Loads dropped DLL 10 IoCs

Processes:

cmd.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeupdate.exe

pid	process
588	cmd.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
692	update.exe
692	update.exe
692	update.exe
692	update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Logo1_.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Logo1_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX6213.tmp	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX5119.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX5139.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX6212.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX72ED.tmp	Logo1_.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX6BF5.tmp	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX514B.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCX6C15.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCX5F7E.tmp	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Logo1_.exe

Drops file in Windows directory 6 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exeupdate.exe

description	ioc	process
File created	C:\Windows\uninstall\rundl132.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File created	C:\Windows\Logo1_.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\setupapi.log	update.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe
File opened for modification	\??\c:\windows\KB2698365.log	update.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exe

pid	process
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe
936	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

update.exe

description	pid	process
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeBackupPrivilege	692	update.exe
Token: SeRestorePrivilege	692	update.exe
Token: SeShutdownPrivilege	692	update.exe
Token: SeSecurityPrivilege	692	update.exe
Token: SeTakeOwnershipPrivilege	692	update.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exenet.exeLogo1_.exenet.execmd.exenet.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

description	pid	process	target process
PID 1420 wrote to memory of 1996	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 1420 wrote to memory of 1996	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 1420 wrote to memory of 1996	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 1420 wrote to memory of 1996	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 1996 wrote to memory of 796	1996	net.exe	net1.exe
PID 1996 wrote to memory of 796	1996	net.exe	net1.exe
PID 1996 wrote to memory of 796	1996	net.exe	net1.exe
PID 1996 wrote to memory of 796	1996	net.exe	net1.exe
PID 1420 wrote to memory of 588	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 1420 wrote to memory of 588	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 1420 wrote to memory of 588	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 1420 wrote to memory of 588	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 1420 wrote to memory of 936	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 1420 wrote to memory of 936	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 1420 wrote to memory of 936	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 1420 wrote to memory of 936	1420	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 936 wrote to memory of 528	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 528	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 528	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 528	936	Logo1_.exe	net.exe
PID 528 wrote to memory of 992	528	net.exe	net1.exe
PID 528 wrote to memory of 992	528	net.exe	net1.exe
PID 528 wrote to memory of 992	528	net.exe	net1.exe
PID 528 wrote to memory of 992	528	net.exe	net1.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 588 wrote to memory of 1156	588	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 936 wrote to memory of 956	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 956	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 956	936	Logo1_.exe	net.exe
PID 936 wrote to memory of 956	936	Logo1_.exe	net.exe
PID 956 wrote to memory of 1540	956	net.exe	net1.exe
PID 956 wrote to memory of 1540	956	net.exe	net1.exe
PID 956 wrote to memory of 1540	956	net.exe	net1.exe
PID 956 wrote to memory of 1540	956	net.exe	net1.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1156 wrote to memory of 692	1156	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 936 wrote to memory of 1276	936	Logo1_.exe	Explorer.EXE
PID 936 wrote to memory of 1276	936	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
"C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8E2D.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
"C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

\??\c:\bf021d29c41502d47b8132aadcad14c8\update\update.exe
c:\bf021d29c41502d47b8132aadcad14c8\update\update.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:992

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a8E2D.bat

Filesize
722B

MD5
b895df6401ff4ee78fd4feff6c659add

SHA1
19f9ce9d26d28440b657ba8688718805533c6457

SHA256
12bd40470949ee6d7970f9abbf0bab39d050207cbf044ddd8765c1ba783dcf7e

SHA512
67177386afc7a0db88b912735074096b8824737449e0fc5530021072a48faa023ff02e70b507b166a60cd0b2ad7c898cd2e7c4a0e8036bfa415552193498b70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
C:\bf021d29c41502d47b8132aadcad14c8\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
\bf021d29c41502d47b8132aadcad14c8\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
\bf021d29c41502d47b8132aadcad14c8\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
\bf021d29c41502d47b8132aadcad14c8\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
\bf021d29c41502d47b8132aadcad14c8\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
\bf021d29c41502d47b8132aadcad14c8\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
\bf021d29c41502d47b8132aadcad14c8\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
memory/528-60-0x0000000000000000-mapping.dmp

Download
memory/588-56-0x0000000000000000-mapping.dmp

Download
memory/692-80-0x0000000000170000-0x00000000001C4000-memory.dmp

Filesize
336KB

Download
memory/692-76-0x0000000000000000-mapping.dmp

Download
memory/796-55-0x0000000000000000-mapping.dmp

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/956-73-0x0000000000000000-mapping.dmp

Download
memory/992-62-0x0000000000000000-mapping.dmp

Download
memory/1156-67-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1156-65-0x0000000000000000-mapping.dmp

Download
memory/1540-74-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000000000000-mapping.dmp

Download