Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:28

Static task: static1
Behavioral task: behavioral1
- Sample: 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
- Resource: win7-20220812-en
General
- Target: 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
- Size: 1.3MB
- MD5: 2b586e4ba54ab2f732874e69f1f730c0
- SHA1: 8bcc29f33ac664d489666fd71e0288abe4204193
- SHA256: 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909
- SHA512: ec645247e4cc86db32f15412934df6d083c7dca898acfac79a41da194fa5b2a10b8e11e053a86134d56c4dc6eee241084fe9296127e1d2f7b5cf9e108e7add11
- SSDEEP: 24576:6j7+XfFR8CZ/CvI3HmFZVbk+Zu4DO/cBx/fTwFk4w8Tmp54eGq6sncx/u+4c2ltC:6jSXf0aUsaXwk4HTmpNAsnM/u+UltHfa
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  4752  Logo1_.exe
  1308  222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
  2408  B5_Uninst.exe
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                  process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description               ioc      process
  File opened (read-only)   \??\X:   Logo1_.exe
  File opened (read-only)   \??\T:   Logo1_.exe
  File opened (read-only)   \??\S:   Logo1_.exe
  File opened (read-only)   \??\R:   Logo1_.exe
  File opened (read-only)   \??\N:   Logo1_.exe
  File opened (read-only)   \??\L:   Logo1_.exe
  File opened (read-only)   \??\Z:   Logo1_.exe
  File opened (read-only)   \??\H:   Logo1_.exe
  File opened (read-only)   \??\G:   Logo1_.exe
  File opened (read-only)   \??\J:   Logo1_.exe
  File opened (read-only)   \??\Q:   Logo1_.exe
  File opened (read-only)   \??\P:   Logo1_.exe
  File opened (read-only)   \??\K:   Logo1_.exe
  File opened (read-only)   \??\I:   Logo1_.exe
  File opened (read-only)   \??\F:   Logo1_.exe
  File opened (read-only)   \??\E:   Logo1_.exe
  File opened (read-only)   \??\W:   Logo1_.exe
  File opened (read-only)   \??\V:   Logo1_.exe
  File opened (read-only)   \??\U:   Logo1_.exe
  File opened (read-only)   \??\O:   Logo1_.exe
  File opened (read-only)   \??\M:   Logo1_.exe
  File opened (read-only)   \??\Y:   Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  Processes:
  description                   ioc                       process
  File created                  C:\Windows\rundl132.exe   222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
  File created                  C:\Windows\Logo1_.exe     222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\Dll.dll        Logo1_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe, Logo1_.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid    process
  Token: SeDebugPrivilege   2408   B5_Uninst.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe, net.exe, Logo1_.exe, cmd.exe
Processes (indented by parent/child depth; signatures triggered by each process listed beneath it)

C:\Windows\Explorer.EXE  PID:3036
  command: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe  PID:4256
    command: "C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe  PID:4900
      command: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe  PID:4424
        command: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe  PID:1724
      command: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA8B.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe  PID:1308
        command: "C:\Users\Admin\AppData\Local\Temp\222ef1dc2bc2df6066b103fcc6cad965ddb021f8a373024189524b0d169ce909.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\B5_Uninst.exe  PID:2408
          command: C:\Users\Admin\AppData\Local\Temp\B5_Uninst.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Logo1_.exe  PID:4752
      command: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Drops startup file
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  PID:5056
        command: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID:3168
          command: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe  PID:4552
        command: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID:384
          command: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v6
Downloads