e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c

General

Target

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
Size

269KB
MD5

006a802df60dc9b22b77c4c798f9a703
SHA1

6d410bf03883f133d1d094285c4615ca999e658b
SHA256

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c
SHA512

1e35e4425f60c27d8aea2e8c34fc3333437a65f17f6663ceb6ee0d17643f1ddefc8961e72d69cdda9667ff327fc843d55d4facbcf66f43af67a67f7ac8f5b663
SSDEEP

6144:cc46tGdyN83nLbxKVJ3nCMkQe5HZAsHFZlxo:cc3NNgsHyMqLHFZlxo

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exee9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe

pid process

1220 Logo1_.exe
2232 e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe

pid	process
1220	Logo1_.exe
2232	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
File created	C:\Windows\Logo1_.exe	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exeLogo1_.exe

pid	process
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe
1220	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3912 wrote to memory of 2576	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	net.exe
PID 3912 wrote to memory of 2576	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	net.exe
PID 3912 wrote to memory of 2576	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	net.exe
PID 2576 wrote to memory of 1424	2576	net.exe	net1.exe
PID 2576 wrote to memory of 1424	2576	net.exe	net1.exe
PID 2576 wrote to memory of 1424	2576	net.exe	net1.exe
PID 3912 wrote to memory of 2556	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	cmd.exe
PID 3912 wrote to memory of 2556	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	cmd.exe
PID 3912 wrote to memory of 2556	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	cmd.exe
PID 3912 wrote to memory of 1220	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	Logo1_.exe
PID 3912 wrote to memory of 1220	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	Logo1_.exe
PID 3912 wrote to memory of 1220	3912	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe	Logo1_.exe
PID 1220 wrote to memory of 3196	1220	Logo1_.exe	net.exe
PID 1220 wrote to memory of 3196	1220	Logo1_.exe	net.exe
PID 1220 wrote to memory of 3196	1220	Logo1_.exe	net.exe
PID 3196 wrote to memory of 4360	3196	net.exe	net1.exe
PID 3196 wrote to memory of 4360	3196	net.exe	net1.exe
PID 3196 wrote to memory of 4360	3196	net.exe	net1.exe
PID 2556 wrote to memory of 2232	2556	cmd.exe	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
PID 2556 wrote to memory of 2232	2556	cmd.exe	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
PID 2556 wrote to memory of 2232	2556	cmd.exe	e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
PID 1220 wrote to memory of 4240	1220	Logo1_.exe	net.exe
PID 1220 wrote to memory of 4240	1220	Logo1_.exe	net.exe
PID 1220 wrote to memory of 4240	1220	Logo1_.exe	net.exe
PID 4240 wrote to memory of 3564	4240	net.exe	net1.exe
PID 4240 wrote to memory of 3564	4240	net.exe	net1.exe
PID 4240 wrote to memory of 3564	4240	net.exe	net1.exe
PID 1220 wrote to memory of 744	1220	Logo1_.exe	Explorer.EXE
PID 1220 wrote to memory of 744	1220	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
"C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9A2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe
"C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe"
4⤵
- Executes dropped EXE
PID:2232

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4360

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA9A2.bat

Filesize
722B

MD5
6f1428fa17399446300e76863394d9bf

SHA1
0a5395bbf863c07858ce4a435fd8e253b89ef69a

SHA256
d56d7363fd698d664c0c9453d1cc7cdcdab534402bf05345d01cb07e92dd252d

SHA512
1f7edacc2a3ed3bed33a1dcd0eff5ae2b17f70681bdf5b25ffce353f8746bc62ae68b8ff37bfacf6156b22688a9cf9af834d9b1983369269fd9a9843d818154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe

Filesize
236KB

MD5
d095376682210d6ddcaeb636500eb0cb

SHA1
f3ba099deee863c83f78e1814eb345b56560b11a

SHA256
06b96b0d863b16f1ee7e705a6e463e74dc0bad110a2ecd69dc44349bf4aeaf71

SHA512
546874c3a4af3666c78c3d4085498c4524b19b226472f9da38cf96559993def11eeaa7dcd6af72a236cd73bffa01182ac42499696a0b60d09d23b22b9adb5c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9739036b9a7077547cab1fc7272d72a3e6c4c49f24b40fda2272715f3fd999c.exe.exe

Filesize
236KB

MD5
d095376682210d6ddcaeb636500eb0cb

SHA1
f3ba099deee863c83f78e1814eb345b56560b11a

SHA256
06b96b0d863b16f1ee7e705a6e463e74dc0bad110a2ecd69dc44349bf4aeaf71

SHA512
546874c3a4af3666c78c3d4085498c4524b19b226472f9da38cf96559993def11eeaa7dcd6af72a236cd73bffa01182ac42499696a0b60d09d23b22b9adb5c7a

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
b8738498596b67cee4b863b2926ff65a

SHA1
34b936a96fc79e56a988247770d03324b10ce3cb

SHA256
d69bf681ee6babb017e664e9b8ba5a03b7d2ff60abe2259174667019d00e8ff0

SHA512
ce88ba3d2bdaebc4e9f2468213b69d497f33b4c85a4bf68af5bce8a282d3905f22aa8a89341d093bfaa4f01fbbec7462138d2ca725b4c0cf31d69b87889871a3

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
b8738498596b67cee4b863b2926ff65a

SHA1
34b936a96fc79e56a988247770d03324b10ce3cb

SHA256
d69bf681ee6babb017e664e9b8ba5a03b7d2ff60abe2259174667019d00e8ff0

SHA512
ce88ba3d2bdaebc4e9f2468213b69d497f33b4c85a4bf68af5bce8a282d3905f22aa8a89341d093bfaa4f01fbbec7462138d2ca725b4c0cf31d69b87889871a3

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
b8738498596b67cee4b863b2926ff65a

SHA1
34b936a96fc79e56a988247770d03324b10ce3cb

SHA256
d69bf681ee6babb017e664e9b8ba5a03b7d2ff60abe2259174667019d00e8ff0

SHA512
ce88ba3d2bdaebc4e9f2468213b69d497f33b4c85a4bf68af5bce8a282d3905f22aa8a89341d093bfaa4f01fbbec7462138d2ca725b4c0cf31d69b87889871a3

Download Submit
memory/1220-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-136-0x0000000000000000-mapping.dmp

Download
memory/1220-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-133-0x0000000000000000-mapping.dmp

Download
memory/2232-144-0x0000000000000000-mapping.dmp

Download
memory/2556-135-0x0000000000000000-mapping.dmp

Download
memory/2576-132-0x0000000000000000-mapping.dmp

Download
memory/3196-140-0x0000000000000000-mapping.dmp

Download
memory/3564-149-0x0000000000000000-mapping.dmp

Download
memory/3912-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-148-0x0000000000000000-mapping.dmp

Download
memory/4360-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads