440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba

General

Target

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
Size

169KB
MD5

027df46b9411263717ef91b5e8608820
SHA1

bdafedaed9c6ab83ec739f98bf638e80b555294a
SHA256

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba
SHA512

82f2d347b0b1129f15749e05abd83604a231f35aef288c42b8fd15a12b28c9c36c024346b4bcc0b6fc0a63e59dbca56644e722b1910616ab920fe27142d8ef73
SSDEEP

3072:IVe+aX3zveyNIxq/iVo/MfafRUwFYC5TBf/2Fa9Y3zQOwNnYcVBPPy6t:5+aX3LVOx7Vo/Ms5TB6MCzQOwNnYcHKc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

pid process

2884 Logo1_.exe
4280 440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

pid	process
2884	Logo1_.exe
4280	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
File created	C:\Windows\Logo1_.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exeLogo1_.exe

pid	process
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4288 wrote to memory of 5012	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 4288 wrote to memory of 5012	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 4288 wrote to memory of 5012	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	net.exe
PID 5012 wrote to memory of 4696	5012	net.exe	net1.exe
PID 5012 wrote to memory of 4696	5012	net.exe	net1.exe
PID 5012 wrote to memory of 4696	5012	net.exe	net1.exe
PID 4288 wrote to memory of 3264	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 4288 wrote to memory of 3264	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 4288 wrote to memory of 3264	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	cmd.exe
PID 4288 wrote to memory of 2884	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 4288 wrote to memory of 2884	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 4288 wrote to memory of 2884	4288	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe	Logo1_.exe
PID 2884 wrote to memory of 4932	2884	Logo1_.exe	net.exe
PID 2884 wrote to memory of 4932	2884	Logo1_.exe	net.exe
PID 2884 wrote to memory of 4932	2884	Logo1_.exe	net.exe
PID 4932 wrote to memory of 4824	4932	net.exe	net1.exe
PID 4932 wrote to memory of 4824	4932	net.exe	net1.exe
PID 4932 wrote to memory of 4824	4932	net.exe	net1.exe
PID 3264 wrote to memory of 4280	3264	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 3264 wrote to memory of 4280	3264	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 3264 wrote to memory of 4280	3264	cmd.exe	440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
PID 2884 wrote to memory of 5060	2884	Logo1_.exe	net.exe
PID 2884 wrote to memory of 5060	2884	Logo1_.exe	net.exe
PID 2884 wrote to memory of 5060	2884	Logo1_.exe	net.exe
PID 5060 wrote to memory of 1288	5060	net.exe	net1.exe
PID 5060 wrote to memory of 1288	5060	net.exe	net1.exe
PID 5060 wrote to memory of 1288	5060	net.exe	net1.exe
PID 2884 wrote to memory of 684	2884	Logo1_.exe	Explorer.EXE
PID 2884 wrote to memory of 684	2884	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
"C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA84B.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe
"C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe"
4⤵
- Executes dropped EXE
PID:4280

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4824

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA84B.bat

Filesize
722B

MD5
b15922540d505bcba09fb07ac0fe9de8

SHA1
02b5b09575f8090ca879b956b9975144e1356735

SHA256
6a78123d695cfd630cb56d691888ca01a3a9fd453ebbe9825b103beef28854a0

SHA512
b33be6be42b1b58a51348d4d8ef27f5175cbe37929a021a56050faaadd301076f6eefac9bdc6dd2a719dcb51065dfcef858e1a6153689510b0e17cfbd271c61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe

Filesize
135KB

MD5
41b81620620326b1839a9da43f343cdf

SHA1
6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

SHA256
1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

SHA512
6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\440855f9a7951a49d1434beee6183034d2ee15d569bd016591a4bd0f2a2f7bba.exe.exe

Filesize
135KB

MD5
41b81620620326b1839a9da43f343cdf

SHA1
6bd246cbe4bd1d68e03174ce30ff8fd9a79f8d3f

SHA256
1f92d1b7e3de8ddbd6611b3abba3af464d9aad06f5326b288b2d27ffcd6412a7

SHA512
6f3270b4d895dbd62608d9c381d3c327c01a99f17b0b4f3a4e50af1f9b233790e1a148ed34b2ce6842d16083cba25f5b535e65a12849eb47565b52b8b188cbe3

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
1f5204f508b53f2c6c29023102ece203

SHA1
02bce63bdf6c0c9e7730327bade2ba4800dd8598

SHA256
29761e6db585a7a66b8d1842492baa7e006d35d17107853c3ca7501d1dd55d90

SHA512
b6b2b8939b46635340129e0de698b7f578a70b8666e862cce638ec7acb9b920cac7c9f845a1b2789a0a1c939f231a942067b72cc7c12bfd1a6d619879ecaf78d

Download Submit
memory/1288-149-0x0000000000000000-mapping.dmp

Download
memory/2884-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2884-136-0x0000000000000000-mapping.dmp

Download
memory/2884-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3264-135-0x0000000000000000-mapping.dmp

Download
memory/4280-145-0x0000000000000000-mapping.dmp

Download
memory/4288-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4288-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4696-133-0x0000000000000000-mapping.dmp

Download
memory/4824-141-0x0000000000000000-mapping.dmp

Download
memory/4932-140-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download
memory/5060-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads