4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
Size

26KB
MD5

fdd504678a404fbffc560cd95a4363ff
SHA1

0e8a87142acaeadfe96f00ea117c05758b0514cc
SHA256

4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da
SHA512

c6e5b506c5988072cbee535f18c89fec46fad599adff83a13ecb819bc157391a527eb5336c9c03392174a6ab345b699602fe9ecb0139a2a10a053f557ccc769f
SSDEEP

768:1Hcp1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:YfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\W:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\S:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\Q:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\I:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\H:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\T:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\P:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\J:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\E:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\L:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\X:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\V:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\R:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\O:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\N:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\M:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\Z:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\U:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\K:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened (read-only)	\??\G:	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{91131962-5926-4D99-A405-E4363FE75614}\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Windows Media Player\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-si\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\_desktop.ini	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4192	2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe	83
PID 2196 wrote to memory of 4192	2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe	83
PID 2196 wrote to memory of 4192	2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe	83
PID 4192 wrote to memory of 2288	4192	net.exe	84
PID 4192 wrote to memory of 2288	4192	net.exe	84
PID 4192 wrote to memory of 2288	4192	net.exe	84
PID 2196 wrote to memory of 3156	2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe	30
PID 2196 wrote to memory of 3156	2196	4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe	30

C:\Users\Admin\AppData\Local\Temp\4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe
"C:\Users\Admin\AppData\Local\Temp\4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:2288

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
b343af0eeb9afdb9455510c0f05e9372

SHA1
ef8cfb66c0aef6fda0451379f1cb64b3d694b28a

SHA256
93b73324dbcba7eac8188bb80575b1314a07bea677595e32d51fb524a025c40d

SHA512
db4c12269e011a44f6b95e5bc4a90bf863519712ea61de3c8f5f3e617305e1491817e2a8f9b35beb05548956086fa960d32afa583763bf8194bc213730641da5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
8c5ee5609a2369add68abcab1ef7a4fa

SHA1
a038a38927411574bbdde5a64188ffa9d702ac1c

SHA256
d336f4588ad33a82f388eb747d1bf8dea45912ddf4a45214ad78d234198c8bb9

SHA512
4cb6041918d31cdcfb098207660b63108b97184b37e1ba05bd03e687a86527fd895245a903289a5cb20b49e89210292eb19ce580e67d8a6c4dc8a8b6c94b61fa

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\_desktop.ini

Filesize
8B

MD5
621383aab05ec88688f5cce893e26550

SHA1
03967cdd69bd47cd2ccede557778546ef7c015eb

SHA256
0992c9b2d0872dece2ee570393745ccb6fbeadc2ded371a1f5406447aa872360

SHA512
085e0e3da3ad9ebb7b05ad58803f979ad4873337f91e4e0f209756ecf02b5050e33c3ad4a38212308e8beaf1f81625003f28bdc52d41cb2853e8f5a7eeb7a18b

Download Submit
memory/2196-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-1264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-3479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-4806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download