65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6

General

Target

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
Size

33KB
MD5

43f779e48427c9f8745885d86a8f30a6
SHA1

64b1b1fbd5dc5ad70dccb3557ae8290e3b3c1156
SHA256

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6
SHA512

eb84904a53cb54052d486b6d5cb19dd8b84b1f618f8c8e1d8e2ebb99ff13ea12c5a1e3eb644d644648b8aba7801b458ea1f894bbb91c2f76772233cbbbf13ea4
SSDEEP

768:PaFWoZx8SElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:P+/Zx8SaYzMXqtGNttyUn01Q78a4R

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

description	ioc	process
File opened (read-only)	\??\U:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\S:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\R:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\H:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\W:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\T:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\P:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\N:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\K:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\M:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\L:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\I:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\Z:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\Y:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\V:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\Q:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\O:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\G:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\X:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\J:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\F:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened (read-only)	\??\E:	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

Drops file in Program Files directory 64 IoCs

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Defender\es-ES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Google\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Microsoft Games\More Games\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

Drops file in Windows directory 2 IoCs

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

description	ioc	process
File created	C:\Windows\Dll.dll	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
File created	C:\Windows\rundl132.exe	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

pid	process
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exenet.exenet.exe

description	pid	process	target process
PID 1728 wrote to memory of 1748	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1748	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1748	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1748	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1748 wrote to memory of 1436	1748	net.exe	net1.exe
PID 1748 wrote to memory of 1436	1748	net.exe	net1.exe
PID 1748 wrote to memory of 1436	1748	net.exe	net1.exe
PID 1748 wrote to memory of 1436	1748	net.exe	net1.exe
PID 1728 wrote to memory of 1328	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1328	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1328	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1728 wrote to memory of 1328	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	net.exe
PID 1328 wrote to memory of 1324	1328	net.exe	net1.exe
PID 1328 wrote to memory of 1324	1328	net.exe	net1.exe
PID 1328 wrote to memory of 1324	1328	net.exe	net1.exe
PID 1328 wrote to memory of 1324	1328	net.exe	net1.exe
PID 1728 wrote to memory of 1216	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	Explorer.EXE
PID 1728 wrote to memory of 1216	1728	65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe
"C:\Users\Admin\AppData\Local\Temp\65bdafa6c86b9ed70e044620ed0c09f84fc0d514f6b3cf769480a13f442fe6f6.exe"
2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1436

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1324-58-0x0000000000000000-mapping.dmp

Download
memory/1328-57-0x0000000000000000-mapping.dmp

Download
memory/1436-56-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads