dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323

General

Target

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
Size

33KB
MD5

3499b6e1dfa63a3e59e8d21cd7871bde
SHA1

8d180febba9d1bcea2ea9db93d3d4c812156be47
SHA256

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323
SHA512

61097e32a70537953b2d0d82b471f47adde7ecc671718649c614b0ef2e18a0e70ffaaebb9239741f8581bc172b29e5c38da2f48b535f72070370ca91101d3ba9
SSDEEP

768:P4X/IElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PKIaYzMXqtGNttyUn01Q78a4R

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

description	ioc	process
File opened (read-only)	\??\W:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\K:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\E:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\Y:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\V:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\U:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\Q:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\N:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\F:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\R:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\P:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\J:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\I:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\H:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\L:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\G:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\Z:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\X:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\T:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\S:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\O:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened (read-only)	\??\M:	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

Drops file in Program Files directory 64 IoCs

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

Drops file in Windows directory 2 IoCs

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
File created	C:\Windows\Dll.dll	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

pid	process
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exenet.exenet.exe

description	pid	process	target process
PID 1620 wrote to memory of 1744	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1744	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1744	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1744	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1744 wrote to memory of 1608	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1608	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1608	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1608	1744	net.exe	net1.exe
PID 1620 wrote to memory of 1112	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1112	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1112	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1620 wrote to memory of 1112	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	net.exe
PID 1112 wrote to memory of 652	1112	net.exe	net1.exe
PID 1112 wrote to memory of 652	1112	net.exe	net1.exe
PID 1112 wrote to memory of 652	1112	net.exe	net1.exe
PID 1112 wrote to memory of 652	1112	net.exe	net1.exe
PID 1620 wrote to memory of 1272	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	Explorer.EXE
PID 1620 wrote to memory of 1272	1620	dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe
"C:\Users\Admin\AppData\Local\Temp\dab65ff785fab0525e1d04cda78d76001c3fce7be9b47b6d04260fe7bf0a7323.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
3⤵
PID:1608

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
3⤵
PID:652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-58-0x0000000000000000-mapping.dmp

Download
memory/1112-57-0x0000000000000000-mapping.dmp

Download
memory/1608-55-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads