a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 21:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
Size

39KB
MD5

ad35c2712c973978d430623144ffa937
SHA1

607a5ae2f329180420d5559193d68d670ec17adf
SHA256

a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d
SHA512

38e06a2bd595da3d18fcc7a7b0ddb2368971fea812ad13226a6bcec3d0e1e289a004aa4e41cfda44af8b37f00fea34e5466a2c059752522e0e3eb74bcc9be3f7
SSDEEP

768:8mtJ3O5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:80e+Zk7VJbwlYXjPrsqrZMYR5p8w

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\Q:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\M:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\L:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\K:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\H:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\G:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\Z:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\P:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\O:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\R:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\U:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\T:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\I:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\X:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\V:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\S:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\N:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\J:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\E:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened (read-only)	\??\Y:	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
File created	C:\Windows\rundl132.exe	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1940	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	28
PID 2068 wrote to memory of 1940	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	28
PID 2068 wrote to memory of 1940	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	28
PID 2068 wrote to memory of 1940	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	28
PID 1940 wrote to memory of 1636	1940	net.exe	30
PID 1940 wrote to memory of 1636	1940	net.exe	30
PID 1940 wrote to memory of 1636	1940	net.exe	30
PID 1940 wrote to memory of 1636	1940	net.exe	30
PID 2068 wrote to memory of 2024	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	31
PID 2068 wrote to memory of 2024	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	31
PID 2068 wrote to memory of 2024	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	31
PID 2068 wrote to memory of 2024	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	31
PID 2024 wrote to memory of 2384	2024	net.exe	33
PID 2024 wrote to memory of 2384	2024	net.exe	33
PID 2024 wrote to memory of 2384	2024	net.exe	33
PID 2024 wrote to memory of 2384	2024	net.exe	33
PID 2068 wrote to memory of 1232	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	18
PID 2068 wrote to memory of 1232	2068	a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe
  "C:\Users\Admin\AppData\Local\Temp\a017cf526df93460bd60441b158a8c055b0c61184fa3f18ddcb6911150130e9d.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
57bcf5661d4873aba79b7f6842bd9583

SHA1
7e5c04b58d342fe37a6351699533955ac2f62435

SHA256
6c536fd79748fe0b1c586a5872ca444e9efc9737c5a72119c42d83b007aac731

SHA512
b57f5bf5c476ffd65c613398027e6d77cca1368c262031c4caea601a7b267c63abbaaae36a648179bd8fb00d633f2295fd8cdaf33cf71c63a781c2aaae5539d7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
607KB

MD5
1bb0e8c7f7aa4605f2de07512754910a

SHA1
e0fa6d3376934879bc3a1ac68c87ad6d521d03ea

SHA256
f1126aadccca76628f3e9214c226a4f253fd32126570cfcaa07f6afdf77fa806

SHA512
9723b30fb7c02e7d0b71da82c605eff3e291cdc92cb59884c8ae0769ef5d29c6dffa5c44322d42fc9542e987d301a742acda227622e547dab4dde2d2dd59ae68

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
484KB

MD5
564d667bd07becc1760124e3d4385031

SHA1
69c12d6e192d59013eefe74d4bf013ddad273a62

SHA256
cc893a7227fe6b20fb918127523b3b179bf0a55fbf6929e3491ab2161b582f10

SHA512
c18700057927d403ed9b82553cced341bcafe9bf9126a28f614f3feb69131c9f0791983d6f5fa46987f86f75eb4b628a27634e45ec3478b35853f3546057c3b5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-686452656-3203474025-4140627569-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/1232-3-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2068-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-2158-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-2954-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-2993-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-4065-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download