dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2023 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
Size

27KB
MD5

561f430a0fbc2005d448f4ff02ec9d10
SHA1

a84c3b09f9ee68ec521d29e86fabe62b906eae40
SHA256

dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099
SHA512

f7e93dbedad789ee10bb6526f3c13f44761bc0287274dbe375ccb04bea687ecf4f928e6990f2c380cfa30cbd27aab71737e4acdcae57d14de3cd5019659fea33
SSDEEP

384:MdRY1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:x16GVRu1yK9fMFLKaTxsujCT7pZpY

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\J:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\H:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\U:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\P:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\G:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\I:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\X:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\W:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\V:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\S:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\M:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\L:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\K:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\E:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\Z:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\Y:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\T:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\Q:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\O:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened (read-only)	\??\N:	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C4EC6216-F77D-417A-8A7C-43784F17E7FC}.catalogItem	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\applet\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nl-NL\View3d\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\View3d\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\IDPValueAssets\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 4480	4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe	84
PID 4992 wrote to memory of 4480	4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe	84
PID 4992 wrote to memory of 4480	4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe	84
PID 4480 wrote to memory of 3824	4480	net.exe	86
PID 4480 wrote to memory of 3824	4480	net.exe	86
PID 4480 wrote to memory of 3824	4480	net.exe	86
PID 4992 wrote to memory of 760	4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe	50
PID 4992 wrote to memory of 760	4992	dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:760
- C:\Users\Admin\AppData\Local\Temp\dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe
  "C:\Users\Admin\AppData\Local\Temp\dd2e2d4269e7b153bb50dcea996fe5962f0acf8c0bbdab1e58614307789cb099.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
5d86662509c82a2ed910908133d198b1

SHA1
81416173502df444627f29dda1033ee976dd54bd

SHA256
0bb3ea7ae3d34fb791f483c3a660f831610ffb83fe5b59ac3e73c2d6c3016782

SHA512
5bbc0c6893b6706f530ea0b1264f4964ecf87f0a761a635fe11cd279aee667aa8b3a042607339b4208458731dd6ea6c158dd48b3ed3e06cee58a31ee9913ab57

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
595KB

MD5
f32080be182bf031eb14da4ce2c4953d

SHA1
64b307a847862c8f541826ccfc9f9caf4a0f5415

SHA256
cfb4e0e338bc6ae13da1c175bdcac6afe31f54b7aa4a90c1df617c86351a0e8b

SHA512
d4a0259058d4e87ba91b22eeda3808dcff840e88fe4c1509efc5e33933f649725fca41dbc780d9afdb6b3bd89f41468c0592dbe07e484252a02bd61efecb8179

Download Submit
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini

Filesize
9B

MD5
8b4f0f3794942a0b3324694b5aaf44a6

SHA1
fa029f48b39b48494bf104d59cb517c977e7600d

SHA256
95c3656ec724bcf3b2d760138a1704c4ef9db0552c9a0895dc32e77ffd430a9d

SHA512
9716014d0639ef302640a773dbfbe69bd3592f3d8dedee83268352013a67cd72fc60a28a02d22f35406a3fb1b9e6461102a1d66b756855d8e68728d6ab8913ee

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-642304425-1816607141-2958861556-1000\_desktop.ini

Filesize
9B

MD5
c0232c2f01c543d260713210da47a57b

SHA1
63f2c13c2c5c83091133c2802e69993d52e3ec65

SHA256
278e1b8fd3f40d95faaecf548098b8d9ee4b32e98a8878559c8c8dfcd5cd1197

SHA512
2ccfd67393a63f03f588296bb798d7a7d4ec2ea5d6ac486cb7bdf8a5a66b1df944d8b548f317e58bfe17dea2ae54e536ffe77bc11a43c931f3d10e299ab3fca0

Download Submit
memory/4992-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-1272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-1363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-2400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4992-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download