Analysis
- max time kernel: 152s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 00:26

Static task: static1

Behavioral task: behavioral1
- Sample: d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
- Resource: win10v2004-20221111-en
General
- Target: d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
- Size: 323KB
- MD5: 434f99e3c2b4a7541237716c5b4cb740
- SHA1: 90cb1d2ac35323855940bb73b0bd0f9b96b9f32e
- SHA256: d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156
- SHA512: c210e736e2e76cdb027230c5cb0f42af5a4123637ca13aaf0c19c3e80edd34ab3bebf91969331f93fb79bbfde23d197896dc5b027b1cfbaaad92cb84388b4acd
- SSDEEP: 6144:P+aE/Be34RTMlHyCn4ik6yiUfFY2SzpYn2/gnqqjG:P+aExTaFkJy2Sz6n2/
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes (pid process):
  556 Logo1_.exe
  680 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
  628 Au_.exe
Deletes itself 1 IoC
Processes (pid process):
  480 cmd.exe
Loads dropped DLL 4 IoCs
Processes (pid process):
  480 cmd.exe
  680 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
  628 Au_.exe
  628 Au_.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) \??\O: Logo1_.exe
  File opened (read-only) \??\M: Logo1_.exe
  File opened (read-only) \??\X: Logo1_.exe
  File opened (read-only) \??\V: Logo1_.exe
  File opened (read-only) \??\U: Logo1_.exe
  File opened (read-only) \??\T: Logo1_.exe
  File opened (read-only) \??\R: Logo1_.exe
  File opened (read-only) \??\Q: Logo1_.exe
  File opened (read-only) \??\I: Logo1_.exe
  File opened (read-only) \??\H: Logo1_.exe
  File opened (read-only) \??\E: Logo1_.exe
  File opened (read-only) \??\Z: Logo1_.exe
  File opened (read-only) \??\K: Logo1_.exe
  File opened (read-only) \??\W: Logo1_.exe
  File opened (read-only) \??\S: Logo1_.exe
  File opened (read-only) \??\P: Logo1_.exe
  File opened (read-only) \??\J: Logo1_.exe
  File opened (read-only) \??\Y: Logo1_.exe
  File opened (read-only) \??\N: Logo1_.exe
  File opened (read-only) \??\L: Logo1_.exe
  File opened (read-only) \??\G: Logo1_.exe
  File opened (read-only) \??\F: Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
Processes (description, ioc, process):
  File created C:\Windows\Logo1_.exe d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
  File opened for modification C:\Windows\rundl132.exe Logo1_.exe
  File created C:\Windows\Dll.dll Logo1_.exe
  File created C:\Windows\rundl132.exe d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer 12 IoCs
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe.exe nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe.exe nsis_installer_2
  \Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe nsis_installer_1
  \Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe nsis_installer_2
  \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_1
  \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe nsis_installer_2

Runs net.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes (pid process; repeated rows collapsed):
  1808 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
  556 Logo1_.exe
  628 Au_.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoC
Processes (pid process):
  628 Au_.exe
Suspicious use of WriteProcessMemory 48 IoCs
Processes (source pid and process -> target pid and process; repeated rows collapsed):
  1808 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe -> 2028 net.exe
  2028 net.exe -> 1360 net1.exe
  1808 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe -> 480 cmd.exe
  1808 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe -> 556 Logo1_.exe
  556 Logo1_.exe -> 576 net.exe
  480 cmd.exe -> 680 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
  576 net.exe -> 1700 net1.exe
  680 d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe -> 628 Au_.exe
  556 Logo1_.exe -> 1748 net.exe
  1748 net.exe -> 1764 net1.exe
  556 Logo1_.exe -> 1304 Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1304
  - C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 1808
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2028
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 1360
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC514.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 480
      - C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d1c68a180a091558c7a31862eb3f4aa4996e35eccd6fa24f1080f52abd174156.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID: 680
        - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam
          PID: 628
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 556
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 576
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1700
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1748
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1764
Network
MITRE ATT&CK Enterprise v6
Downloads