8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d

General

Target

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
Size

45KB
MD5

35ef17feb8dac8aa742f38d7f7b37336
SHA1

943594766c46f183c27093d0d403b7ec8b7db4ea
SHA256

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d
SHA512

6332651bae978d3a9db34f8913849808edbfdef8842fc7a81d461c4d0095aee13b24cd8b0a523aa3f5d4ba04a04c07078e735ce98a098405a83f26a06bd147e2
SSDEEP

768:gDONULnKSiDPxJDYZlrPW9ZSg4S0fKtcx8Jrg0vTLH4RcPOAKIsLSLCT/s2:gJKS8xdq0PqKtcSM4TLQcPOAKdoCTk2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened (read-only)	\??\Y:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\X:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\R:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\P:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\O:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\J:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\Z:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\U:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\S:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\M:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\F:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\E:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\W:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\K:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\H:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\G:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\L:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\T:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\Q:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\N:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\I:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\V:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Drops file in Program Files directory 64 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Drops file in Windows directory 2 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File created	C:\Windows\command\rundl132.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Windows\RichDll.dll	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

pid	process
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exenet.exenet.exe

description	pid	process	target process
PID 1616 wrote to memory of 1620	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 1620	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 1620	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 1620	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1620 wrote to memory of 2040	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2040	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2040	1620	net.exe	net1.exe
PID 1620 wrote to memory of 2040	1620	net.exe	net1.exe
PID 1616 wrote to memory of 648	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 648	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 648	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1616 wrote to memory of 648	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 648 wrote to memory of 1484	648	net.exe	net1.exe
PID 648 wrote to memory of 1484	648	net.exe	net1.exe
PID 648 wrote to memory of 1484	648	net.exe	net1.exe
PID 648 wrote to memory of 1484	648	net.exe	net1.exe
PID 1616 wrote to memory of 1212	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	Explorer.EXE
PID 1616 wrote to memory of 1212	1616	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
"C:\Users\Admin\AppData\Local\Temp\8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe"
2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2040

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-57-0x0000000000000000-mapping.dmp

Download
memory/1484-58-0x0000000000000000-mapping.dmp

Download
memory/1616-54-0x0000000000400000-0x0000000000430036-memory.dmp

Filesize
192KB

Download
memory/1616-59-0x0000000000400000-0x0000000000430036-memory.dmp

Filesize
192KB

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads