be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982

Analysis

max time kernel
166s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
Size

33KB
MD5

afb1df335886aaf70e400464366304b8
SHA1

e2f387cc4c49e1d8d8fc827e9fde2fc0c7bd93f6
SHA256

be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982
SHA512

26a0e3445020313a2e2ac66cdadc826d995ba74227e34714ec04d638db8f6b54afe980b77bc6bf678f63ff3ba22af19686756b9071aeea0cc60ba56d7276afbc
SSDEEP

768:0siVj4jElOIEvzMXqtwp/lttaL7HP4ATCf0vn4DAwdHtLuQN:0/VjKaYzMXqtGNttyOf0v4DAyNjN

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\I:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\X:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\W:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\T:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\S:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\N:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\G:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\Y:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\U:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\P:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\O:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\K:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\J:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\H:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\E:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\Z:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\V:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\Q:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\M:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened (read-only)	\??\L:	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\Templates\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
File created	C:\Windows\Dll.dll	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4480	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	88
PID 2992 wrote to memory of 4480	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	88
PID 2992 wrote to memory of 4480	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	88
PID 4480 wrote to memory of 1328	4480	net.exe	92
PID 4480 wrote to memory of 1328	4480	net.exe	92
PID 4480 wrote to memory of 1328	4480	net.exe	92
PID 2992 wrote to memory of 1844	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	93
PID 2992 wrote to memory of 1844	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	93
PID 2992 wrote to memory of 1844	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	93
PID 1844 wrote to memory of 1792	1844	net.exe	95
PID 1844 wrote to memory of 1792	1844	net.exe	95
PID 1844 wrote to memory of 1792	1844	net.exe	95
PID 2992 wrote to memory of 3184	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	58
PID 2992 wrote to memory of 3184	2992	be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe	58

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe
  "C:\Users\Admin\AppData\Local\Temp\be74ad2bd361dcea36f92e40749f49c1489455934879faf465e790713b025982.exe"
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1328
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
601KB

MD5
15e558ac554200520144c6b9bbf98c3b

SHA1
76da159cef0d45bb2744de85aa7fe44c549f1757

SHA256
7e56b43c651924f337c79ab528fa78bd923bbfa24511bf1290c59f7009486820

SHA512
cf30f26884c947682b8f1728fe90515c5f6446eccb57688e78aac13f587d22dcccbc3af44fb2759f292ad5f3304d59e80453665cc9e4a14cd8fa1c8462c419d3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/2992-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-602-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-920-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-1733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download