b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
Size

33KB
MD5

2dbe6bbefc65c1ca0ee7171a08383336
SHA1

68fb3d025158255f8be919c3587fcec8786879a7
SHA256

b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee
SHA512

4d642abe74c7acb964dbd99c57f8b598a9311cec2cb0bfbd8b4532c0a584e3d7eec82177783b7c1936224fb554527f604b1eba991fb046ae8393e450c44a800a
SSDEEP

768:PwjhElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a:PoaYzMXqtGNttyUn01Q78a4R

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\K:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\H:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\Y:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\V:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\R:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\Q:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\P:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\L:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\E:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\Z:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\X:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\W:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\T:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\S:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\J:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\G:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\U:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\O:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\M:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened (read-only)	\??\I:	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D81E4632-E37A-4E03-BFEB-99AEB37FF3F3\root\vfs\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
File created	C:\Windows\Dll.dll	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 968	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	84
PID 4772 wrote to memory of 968	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	84
PID 4772 wrote to memory of 968	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	84
PID 968 wrote to memory of 884	968	net.exe	86
PID 968 wrote to memory of 884	968	net.exe	86
PID 968 wrote to memory of 884	968	net.exe	86
PID 4772 wrote to memory of 4296	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	87
PID 4772 wrote to memory of 4296	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	87
PID 4772 wrote to memory of 4296	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	87
PID 4296 wrote to memory of 1716	4296	net.exe	89
PID 4296 wrote to memory of 1716	4296	net.exe	89
PID 4296 wrote to memory of 1716	4296	net.exe	89
PID 4772 wrote to memory of 3248	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	57
PID 4772 wrote to memory of 3248	4772	b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe
  "C:\Users\Admin\AppData\Local\Temp\b2148e329ae3005f4465b006b51b21a60c06c32d6aaf01c27bd85685bb1663ee.exe"
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:884
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
9d5fbaad712c01c8f14741b98284aba9

SHA1
b2e87bb774b27278569035129b76f3fe976cf532

SHA256
67dd78b29ab5d04140846a07704446b8136a999e9db731f44dd8d9117a2f5011

SHA512
5b547acad6e9caf1bf05fe0c609c8f6dbd25812110e0f4cf8e2f5c4d20aed4944db656399034a3a7908bdfbe877c02b024ea6a606204960f7716e48e53ca497b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\_desktop.ini

Filesize
10B

MD5
81570c50286369016cef7a9f904c4b04

SHA1
b5758b23667cb35cad0adb23371b830fcee4f4e5

SHA256
b882f41a5c84d248a75714eaf215a9e363a49361b6a14beedb921ee3dfdb46a1

SHA512
0e6c479b0252e24635810b7d030cc9b5b17603ee20ccf62812446b8d15884521c6c7be65dfc0090bb1502e859fae27c2a63b3e58be714021f473a88407982162

Download Submit
memory/4772-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1658-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1661-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1664-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1666-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-1671-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-2645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download