8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d

General

Target

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
Size

45KB
MD5

35ef17feb8dac8aa742f38d7f7b37336
SHA1

943594766c46f183c27093d0d403b7ec8b7db4ea
SHA256

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d
SHA512

6332651bae978d3a9db34f8913849808edbfdef8842fc7a81d461c4d0095aee13b24cd8b0a523aa3f5d4ba04a04c07078e735ce98a098405a83f26a06bd147e2
SSDEEP

768:gDONULnKSiDPxJDYZlrPW9ZSg4S0fKtcx8Jrg0vTLH4RcPOAKIsLSLCT/s2:gJKS8xdq0PqKtcSM4TLQcPOAKdoCTk2

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Drops startup file 2 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened (read-only)	\??\Y:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\W:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\S:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\J:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\G:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\Z:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\X:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\O:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\I:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\H:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\U:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\T:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\R:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\Q:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\P:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\N:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\M:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\F:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\V:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\L:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\K:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened (read-only)	\??\E:	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Drops file in Program Files directory 64 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Drops file in Windows directory 2 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

description	ioc	process
File created	C:\Windows\command\rundl132.exe	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
File created	C:\Windows\RichDll.dll	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

pid	process
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exenet.exenet.exe

description	pid	process	target process
PID 1376 wrote to memory of 2216	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1376 wrote to memory of 2216	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1376 wrote to memory of 2216	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 2216 wrote to memory of 2644	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2644	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2644	2216	net.exe	net1.exe
PID 1376 wrote to memory of 3420	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1376 wrote to memory of 3420	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 1376 wrote to memory of 3420	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	net.exe
PID 3420 wrote to memory of 1444	3420	net.exe	net1.exe
PID 3420 wrote to memory of 1444	3420	net.exe	net1.exe
PID 3420 wrote to memory of 1444	3420	net.exe	net1.exe
PID 1376 wrote to memory of 2248	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	Explorer.EXE
PID 1376 wrote to memory of 2248	1376	8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe
"C:\Users\Admin\AppData\Local\Temp\8b7f30b19c662016a1d57fc7a87686c34ba5bf3be4cde7963d288312d6a7835d.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
3⤵
PID:1444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-132-0x0000000000400000-0x0000000000430036-memory.dmp

Filesize
192KB

Download
memory/1376-137-0x0000000000400000-0x0000000000430036-memory.dmp

Filesize
192KB

Download
memory/1444-136-0x0000000000000000-mapping.dmp

Download
memory/2216-133-0x0000000000000000-mapping.dmp

Download
memory/2644-134-0x0000000000000000-mapping.dmp

Download
memory/3420-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads