222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
Size

1.3MB
MD5

2b586e4ba54ab2f732874e69f1f730c0
SHA1

8bcc29f33ac664d489666fd71e0288abe4204193
SHA256

222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909
SHA512

ec645247e4cc86db32f15412934df6d083c7dca898acfac79a41da194fa5b2a10b8e11e053a86134d56c4dc6eee241084fe9296127e1d2f7b5cf9e108e7add11
SSDEEP

24576:6j7+XfFR8CZ/CvI3HmFZVbk+Zu4DO/cBx/fTwFk4w8Tmp54eGq6sncx/u+4c2ltC:6jSXf0aUsaXwk4HTmpNAsnM/u+UltHfa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exeB5_Uninst.exe

pid process

1712 Logo1_.exe
796 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
564 B5_Uninst.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1416 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe

pid process

1416 cmd.exe
796 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe

pid	process
1712	Logo1_.exe
796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
564	B5_Uninst.exe

pid	process
1416	cmd.exe

pid	process
1416	cmd.exe
796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
File created	C:\Windows\Logo1_.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exeLogo1_.exe

pid	process
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe
1712	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

B5_Uninst.exe

description pid process

Token: SeDebugPrivilege 564 B5_Uninst.exe

description	pid	process
Token: SeDebugPrivilege	564	B5_Uninst.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exenet.exeLogo1_.exenet.execmd.exe222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exenet.exe

description	pid	process	target process
PID 1692 wrote to memory of 1644	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	net.exe
PID 1692 wrote to memory of 1644	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	net.exe
PID 1692 wrote to memory of 1644	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	net.exe
PID 1692 wrote to memory of 1644	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	net.exe
PID 1644 wrote to memory of 2004	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2004	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2004	1644	net.exe	net1.exe
PID 1644 wrote to memory of 2004	1644	net.exe	net1.exe
PID 1692 wrote to memory of 1416	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	cmd.exe
PID 1692 wrote to memory of 1416	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	cmd.exe
PID 1692 wrote to memory of 1416	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	cmd.exe
PID 1692 wrote to memory of 1416	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	cmd.exe
PID 1692 wrote to memory of 1712	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	Logo1_.exe
PID 1692 wrote to memory of 1712	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	Logo1_.exe
PID 1692 wrote to memory of 1712	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	Logo1_.exe
PID 1692 wrote to memory of 1712	1692	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	Logo1_.exe
PID 1712 wrote to memory of 1996	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 1996	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 1996	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 1996	1712	Logo1_.exe	net.exe
PID 1996 wrote to memory of 1172	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1172	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1172	1996	net.exe	net1.exe
PID 1996 wrote to memory of 1172	1996	net.exe	net1.exe
PID 1416 wrote to memory of 796	1416	cmd.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
PID 1416 wrote to memory of 796	1416	cmd.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
PID 1416 wrote to memory of 796	1416	cmd.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
PID 1416 wrote to memory of 796	1416	cmd.exe	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
PID 1712 wrote to memory of 556	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 556	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 556	1712	Logo1_.exe	net.exe
PID 1712 wrote to memory of 556	1712	Logo1_.exe	net.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 796 wrote to memory of 564	796	222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe	B5_Uninst.exe
PID 556 wrote to memory of 1812	556	net.exe	net1.exe
PID 556 wrote to memory of 1812	556	net.exe	net1.exe
PID 556 wrote to memory of 1812	556	net.exe	net1.exe
PID 556 wrote to memory of 1812	556	net.exe	net1.exe
PID 1712 wrote to memory of 1384	1712	Logo1_.exe	Explorer.EXE
PID 1712 wrote to memory of 1384	1712	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
"C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a57E1.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
"C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\B5_Uninst.exe
C:\Users\Admin\AppData\Local\Temp\B5_Uninst.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1172

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a57E1.bat

Filesize
722B

MD5
35cf91d87c6180a368129f1be70e6e02

SHA1
cc4855552262340ccf9f28ba4487a7f16bb02d81

SHA256
a77cf716d2199c329900f15c013d870307d1f4329db940aacdce53c133dd8814

SHA512
98bd7ed174ec69d992c5607af5407c3f1b3480bfe2657c35e0de6cbe8403619bcf2b8d6e5766a3afc31fb3f54319d5fa44a9776d6a625e9164e55c94b08ff18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe

Filesize
1.3MB

MD5
9e4c8baf81435998229bcd0b8207ea6f

SHA1
201b8c988434fd2170e62eab4b061287de7a93f1

SHA256
43e4b4095b82ab5aba8975986221ab35f27b42926f0fb3763f6c122e32263bec

SHA512
22c5d6eda55479797ea71ac0d4e86ebf9d64e1551f82abbda19cfc9b5cf77d43b24985f580f233eb575b154a6f26c6049e3b8c0027cc4548319223f4ef87f99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe.exe

Filesize
1.3MB

MD5
9e4c8baf81435998229bcd0b8207ea6f

SHA1
201b8c988434fd2170e62eab4b061287de7a93f1

SHA256
43e4b4095b82ab5aba8975986221ab35f27b42926f0fb3763f6c122e32263bec

SHA512
22c5d6eda55479797ea71ac0d4e86ebf9d64e1551f82abbda19cfc9b5cf77d43b24985f580f233eb575b154a6f26c6049e3b8c0027cc4548319223f4ef87f99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5_Uninst.exe

Filesize
1.1MB

MD5
3216880b01ede7be8ebc89e379223212

SHA1
d59d1f0b3994897354c054960a15d3c4d1e1d472

SHA256
7d106d9ac7288d186fd1960ebd1add3eb973c0f7bf8dd393e5fe38af4216c2d1

SHA512
aa135f889cce0ec6ad2da402adf21f058428566b075e8e486b18306327676d5f01cb5629c83c59f2cc124df4e10932d6c2be05584d29d22e37fb3cb668e0ee22

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
5e98b79c3f45bf7e27810994a0c732a6

SHA1
8df5bd2705f9b25767380029ccc2c5ba1dce947a

SHA256
d20db8d04a27b89cf54309a4eecb307cd5ff7534830237708969376758a3443c

SHA512
c7554479c1d0787889d63632db9f633990a4316db5ad3ce059e42f2a9f345dac5eaf4e4f8f9fb48baeda903052cf242e14027456b431e5237b41ac78da1e3810

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
5e98b79c3f45bf7e27810994a0c732a6

SHA1
8df5bd2705f9b25767380029ccc2c5ba1dce947a

SHA256
d20db8d04a27b89cf54309a4eecb307cd5ff7534830237708969376758a3443c

SHA512
c7554479c1d0787889d63632db9f633990a4316db5ad3ce059e42f2a9f345dac5eaf4e4f8f9fb48baeda903052cf242e14027456b431e5237b41ac78da1e3810

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
5e98b79c3f45bf7e27810994a0c732a6

SHA1
8df5bd2705f9b25767380029ccc2c5ba1dce947a

SHA256
d20db8d04a27b89cf54309a4eecb307cd5ff7534830237708969376758a3443c

SHA512
c7554479c1d0787889d63632db9f633990a4316db5ad3ce059e42f2a9f345dac5eaf4e4f8f9fb48baeda903052cf242e14027456b431e5237b41ac78da1e3810

Download Submit
\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe

Filesize
1.3MB

MD5
9e4c8baf81435998229bcd0b8207ea6f

SHA1
201b8c988434fd2170e62eab4b061287de7a93f1

SHA256
43e4b4095b82ab5aba8975986221ab35f27b42926f0fb3763f6c122e32263bec

SHA512
22c5d6eda55479797ea71ac0d4e86ebf9d64e1551f82abbda19cfc9b5cf77d43b24985f580f233eb575b154a6f26c6049e3b8c0027cc4548319223f4ef87f99b

Download Submit
\Users\Admin\AppData\Local\Temp\B5_Uninst.exe

Filesize
1.1MB

MD5
3216880b01ede7be8ebc89e379223212

SHA1
d59d1f0b3994897354c054960a15d3c4d1e1d472

SHA256
7d106d9ac7288d186fd1960ebd1add3eb973c0f7bf8dd393e5fe38af4216c2d1

SHA512
aa135f889cce0ec6ad2da402adf21f058428566b075e8e486b18306327676d5f01cb5629c83c59f2cc124df4e10932d6c2be05584d29d22e37fb3cb668e0ee22

Download Submit
memory/556-71-0x0000000000000000-mapping.dmp

Download
memory/564-74-0x0000000000000000-mapping.dmp

Download
memory/564-77-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/796-68-0x0000000000000000-mapping.dmp

Download
memory/1172-65-0x0000000000000000-mapping.dmp

Download
memory/1416-57-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x0000000000000000-mapping.dmp

Download
memory/1692-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1812-76-0x0000000000000000-mapping.dmp

Download
memory/1996-62-0x0000000000000000-mapping.dmp

Download
memory/2004-55-0x0000000000000000-mapping.dmp

Download