d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad

Analysis

max time kernel
152s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 05:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
Size

26KB
MD5

e62dc8ac2d75729eb5ffb64020c84132
SHA1

c26d48f4c442065333bfed6ac2fb12213aba54a6
SHA256

d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad
SHA512

c18760847c365ab1c59b4378924123eba45e97e677a9ecb7bc086238487af6c84b7100edc05dcd4c7e298e69aed1b1db9b8fa3715f034647c9674f6ff90642fb
SSDEEP

768:W1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:QfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\T:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\S:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\R:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\O:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\L:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\X:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\N:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\M:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\K:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\G:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\Z:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\Q:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\J:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\I:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\Y:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\V:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\U:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\P:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\H:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened (read-only)	\??\E:	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\Java\jdk-1.8\include\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\_desktop.ini	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3300	3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe	89
PID 3836 wrote to memory of 3300	3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe	89
PID 3836 wrote to memory of 3300	3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe	89
PID 3300 wrote to memory of 4224	3300	net.exe	92
PID 3300 wrote to memory of 4224	3300	net.exe	92
PID 3300 wrote to memory of 4224	3300	net.exe	92
PID 3836 wrote to memory of 3312	3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe	56
PID 3836 wrote to memory of 3312	3836	d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe
  "C:\Users\Admin\AppData\Local\Temp\d261aaf0cdaead257ca8d4073d91e963cadd22c224196a82f7c40a6ca2e274ad.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
33951e39802ca98b5a00926ae8598f60

SHA1
d6ac94ae76af9a721b39df56e2948cf7d56050ec

SHA256
2a248552204958ec1d6555e575871e625092080807d7185ecc1b46246f1da7d9

SHA512
b99476cd816bea733b03c814aadefd8ba2da95f1d183be44a870fbbb21366a528423fae5627be01b868740b7c3f71d6d584e1cd55cb64a78c67c6aea684c89ea

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
a9e55b8175abb1bee5f4787cc1e587cb

SHA1
259077ea927d9dab6ff07696e4bd68805f6be5c5

SHA256
b68bf64f34c2ea1aa0c4617b12cce0cf7dc9af097546fd2c22f4d7491e434eb0

SHA512
93973aa9d65c44704e7e226aae4208c24278880cb7c5114698690b7aab6767666bd34c53e8aa94ef62047b682ce2d85440bf7e378717cd177689aa52451cb81a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3125601242-331447593-1512828465-1000\_desktop.ini

Filesize
9B

MD5
35dff1b2d2822022424940d4487e8d0d

SHA1
cf3c5e0326ffacd39689a35b566c8d3c626cc96b

SHA256
0432a628b4273444218f05d7d906b391ab84e1d51bc1b084c37456324e0f84ae

SHA512
91c1e3f5497c8c249e695b9e6f844f141b8747d5d1c5d23d09a2e39aae974cfcfe26b6a4580904b87aa495d452df942937fd721ff8189016a59f61c0835e1665

Download Submit
memory/3836-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-909-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-1072-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-4073-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download