38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661

Analysis

max time kernel
162s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
Size

992KB
MD5

05508a5aaaf8579863953f8308792540
SHA1

7c903b8f69f83515fc3d6fff086186892f853711
SHA256

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661
SHA512

191eb14fef7c63e25ffeff3d48e8b91f8a17c16c28bba549dd0c709f24f27b7be7d0dc61d39a9eeb2b262c8968c7d1562856a807bd2e794800a7728b66a6ed9a
SSDEEP

24576:jSK2Ph8dr3+aP6b3Jv2BChi3pA/VwgbIxCZbqfyCRsO:jSKYSdKjcBSApANohyCRB

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeupdate.exe

pid process

5088 Logo1_.exe
1876 38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1192 update.exe
Loads dropped DLL 3 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeupdate.exe

pid process

1876 38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1192 update.exe
1192 update.exe

pid	process
5088	Logo1_.exe
1876	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1192	update.exe

pid	process
1876	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
1192	update.exe
1192	update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Logo1_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\RCXA23E.tmp	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\RCX9E55.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe.Exe	Logo1_.exe
File created	C:\Program Files\7-Zip\7z.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCXF6A0.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\RCX9AB6.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe.Exe	Logo1_.exe
File created	C:\Program Files\7-Zip\7zG.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.Exe	Logo1_.exe

Drops file in Windows directory 5 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exeupdate.exe

description	ioc	process
File created	C:\Windows\uninstall\rundl132.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File created	C:\Windows\Logo1_.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe
File opened for modification	C:\Windows\setupapi.log	update.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exeLogo1_.exe

pid	process
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe
5088	Logo1_.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exenet.exeLogo1_.exenet.execmd.exenet.exe38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

description	pid	process	target process
PID 4072 wrote to memory of 3140	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 4072 wrote to memory of 3140	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 4072 wrote to memory of 3140	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	net.exe
PID 3140 wrote to memory of 3888	3140	net.exe	net1.exe
PID 3140 wrote to memory of 3888	3140	net.exe	net1.exe
PID 3140 wrote to memory of 3888	3140	net.exe	net1.exe
PID 4072 wrote to memory of 3816	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 4072 wrote to memory of 3816	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 4072 wrote to memory of 3816	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	cmd.exe
PID 4072 wrote to memory of 5088	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 4072 wrote to memory of 5088	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 4072 wrote to memory of 5088	4072	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	Logo1_.exe
PID 5088 wrote to memory of 4248	5088	Logo1_.exe	net.exe
PID 5088 wrote to memory of 4248	5088	Logo1_.exe	net.exe
PID 5088 wrote to memory of 4248	5088	Logo1_.exe	net.exe
PID 4248 wrote to memory of 4200	4248	net.exe	net1.exe
PID 4248 wrote to memory of 4200	4248	net.exe	net1.exe
PID 4248 wrote to memory of 4200	4248	net.exe	net1.exe
PID 3816 wrote to memory of 1876	3816	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 3816 wrote to memory of 1876	3816	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 3816 wrote to memory of 1876	3816	cmd.exe	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
PID 5088 wrote to memory of 5108	5088	Logo1_.exe	net.exe
PID 5088 wrote to memory of 5108	5088	Logo1_.exe	net.exe
PID 5088 wrote to memory of 5108	5088	Logo1_.exe	net.exe
PID 5108 wrote to memory of 3052	5108	net.exe	net1.exe
PID 5108 wrote to memory of 3052	5108	net.exe	net1.exe
PID 5108 wrote to memory of 3052	5108	net.exe	net1.exe
PID 5088 wrote to memory of 2680	5088	Logo1_.exe	Explorer.EXE
PID 5088 wrote to memory of 2680	5088	Logo1_.exe	Explorer.EXE
PID 1876 wrote to memory of 1192	1876	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1876 wrote to memory of 1192	1876	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe
PID 1876 wrote to memory of 1192	1876	38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe	update.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
"C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEBE6.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe
"C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

\??\c:\2d092f54959384007e595404c6cc\update\update.exe
c:\2d092f54959384007e595404c6cc\update\update.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1192

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4200

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2d092f54959384007e595404c6cc\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
C:\2d092f54959384007e595404c6cc\update\update.exe

Filesize
712KB

MD5
9570121468658dcc6972f1dfa624a223

SHA1
61716952df7a03fc01ac919f44f07e9588840b8c

SHA256
bc2cde5db3027a726c81df78bdef10b5ec9a7b4a5ba297911c7b999638f76b33

SHA512
7c2168a6db5bf7dd7c09682983e9059524621834d0d9ae250382c74d714b0e99b625f5ee9a648e18de9fa25b580bac5ab770ad63c406a9f88c87ade1a372429c

Download Submit
C:\2d092f54959384007e595404c6cc\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\2d092f54959384007e595404c6cc\update\updspapi.dll

Filesize
331KB

MD5
eb5c64286d987337f702813e73fcf615

SHA1
77c393b4cf5b61c29afa408ec1ebd93b22271e3f

SHA256
44062d8525a1de307491a46376d1831e23c27c18edb3de8f142d83eb7a21fc52

SHA512
0c71779a7b5a3507b5d0ccc0f9ff785032e1d8c32e76a0c0acadfd531d9ca87b61fd9742d69c610823a4315e181ad41f561811badbc262052d0f3ba86b9237a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEBE6.bat

Filesize
722B

MD5
eccd88a8274e3eb274dbcbac839ed7c7

SHA1
83ca56e2e181768e263656e38fe2c3a29c832b97

SHA256
e03f16f517a37c9f320ca4b84105f475e2b6000ade024849417d11108a2bfb53

SHA512
ef2fd17b25c8c921ff0495ab5d4a75d29e7578cb027d0e3d6338b2a9aba285a06a1be4d2966f7d101f31e03ca0adbc01c0218da1106d0cd0f4fd1f1f44287e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
C:\Users\Admin\AppData\Local\Temp\38245d744a9fb4e9267a940567395c474fc857d6fa21fe76fcdd4e71d962b661.exe.exe

Filesize
899KB

MD5
56be0c2c91a9c20c9d29aef01db6d321

SHA1
dd174373177f5f7ec98dbafbabce9dc35109a65e

SHA256
4e36cdb6405ed2260397bc0ed99cf8ebe787696005a26ecc00ab98ebf4f16546

SHA512
4259db53d5f1ab6263e7da6ca40323375a8b0dd5da37b442662fbd70e045c2680c4a118a24e78617f1661b9f1bccdb0e4c9c55ed02c3092f566b3fb4be780305

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
93KB

MD5
7d7e69ff06b1aa26788f1edd07ffa513

SHA1
fab87c1ea72e4262fcf209adff5b4c4b4682cd83

SHA256
1a5aefc5f7b35a1bf6d7dea1898f2888cc790f317f44a1507e56139c065aa4bc

SHA512
ebf9973e5f475d73f86a14b7186d2ce9de3b204eabeab940e2884b947731184e001448e5cd5fbf5f42b34310620ed0fa9eb086435ecb0b5caf7d4ad14289f835

Download Submit
memory/1192-148-0x0000000000000000-mapping.dmp

Download
memory/1192-153-0x0000000000441000-0x0000000000463000-memory.dmp

Filesize
136KB

Download
memory/1192-152-0x0000000000440000-0x0000000000494000-memory.dmp

Filesize
336KB

Download
memory/1876-142-0x0000000000000000-mapping.dmp

Download
memory/3052-146-0x0000000000000000-mapping.dmp

Download
memory/3140-132-0x0000000000000000-mapping.dmp

Download
memory/3816-134-0x0000000000000000-mapping.dmp

Download
memory/3888-133-0x0000000000000000-mapping.dmp

Download
memory/4200-140-0x0000000000000000-mapping.dmp

Download
memory/4248-138-0x0000000000000000-mapping.dmp

Download
memory/5088-135-0x0000000000000000-mapping.dmp

Download
memory/5108-145-0x0000000000000000-mapping.dmp

Download