02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62

Analysis

max time kernel
170s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
Size

111KB
MD5

27cb5fe796f170c9d3fed93882592703
SHA1

29b4e6bf13275bc577c8d5e92cc5e5922aa2ec8d
SHA256

02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62
SHA512

2c236266a549049d82af754a0706be8676b6525631a7844587473e2bc2907f7288181c2eaaa0c35a2f911027ff85d5e051f60a0f9c40b3e7d1e006731ca0f5e7
SSDEEP

3072:ETTj95SXqLhByvfc2KTTj95SXqLhByvfc2FXUh:ITj9N/Gfc2GTj9N/Gfc2FE

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
4784	Logo1_.exe
4084	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4424	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini	Logo1_.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
File created	C:\Windows\Logo1_.exe	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe
4784	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4424	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
4424	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3332	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	89
PID 4780 wrote to memory of 3332	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	89
PID 4780 wrote to memory of 3332	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	89
PID 4780 wrote to memory of 4784	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	90
PID 4780 wrote to memory of 4784	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	90
PID 4780 wrote to memory of 4784	4780	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	90
PID 4784 wrote to memory of 1640	4784	Logo1_.exe	92
PID 4784 wrote to memory of 1640	4784	Logo1_.exe	92
PID 4784 wrote to memory of 1640	4784	Logo1_.exe	92
PID 3332 wrote to memory of 4084	3332	cmd.exe	94
PID 3332 wrote to memory of 4084	3332	cmd.exe	94
PID 3332 wrote to memory of 4084	3332	cmd.exe	94
PID 1640 wrote to memory of 3656	1640	net.exe	95
PID 1640 wrote to memory of 3656	1640	net.exe	95
PID 1640 wrote to memory of 3656	1640	net.exe	95
PID 4084 wrote to memory of 3904	4084	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	96
PID 4084 wrote to memory of 3904	4084	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	96
PID 4084 wrote to memory of 3904	4084	02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe	96
PID 3904 wrote to memory of 4424	3904	cmd.exe	98
PID 3904 wrote to memory of 4424	3904	cmd.exe	98
PID 3904 wrote to memory of 4424	3904	cmd.exe	98
PID 4784 wrote to memory of 3136	4784	Logo1_.exe	62
PID 4784 wrote to memory of 3136	4784	Logo1_.exe	62

C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
"C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDD7F.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
    "C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDFF0.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4424
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3656

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aDD7F.bat

Filesize
722B

MD5
f4becbb5a17ad73bdbf47a7d66301901

SHA1
a03d2ffe46709c750e59809fb9be84bddbb13532

SHA256
66e48fc6b37053a3696c63551a59e428fe8cca237770297697c283112809a8ca

SHA512
592ce92201578b22fde1d0333691af69f332e36504b9e5754098c1e17a468f6b940f7f2101e29a79845e92366938f4ae925a66028fc7843bd0a309c447b3c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDFF0.bat

Filesize
722B

MD5
7a6bb076bb0e634a5f2d4495ebf9339c

SHA1
efc842e0ab968ed836cc3974dfeab838983bf16b

SHA256
626c118a3856f324c45206c21d520be35bf8396e08304fbb52c156152c3e05c5

SHA512
9733c62ba9412a6a8ed5b2f394f4d464007e38fd55d91025b096b08ba7c97c97d969713a4abaaad2d9d89a13477d7a697452bf5b65578cbec27f8d46d50b9356

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe

Filesize
67KB

MD5
9bd1a5820e3e1b44681df57ddfa86a68

SHA1
f2e8773f4626a168f8fa409818431b8dffa129bb

SHA256
8e8b645e97de6652e1f82eff95bc08f2015964889047d7348f01fef6a02fa39d

SHA512
ef43070fccc4af766a9bb574ce35a9592090a21bf7c2910fb58bfb2dfe3f02d71d86d5c7ab877f65679cd86af2857f9726b10fd3c9be312a5c9c4add4bf12e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe

Filesize
24KB

MD5
debd6485333cd5250861983cd26e137f

SHA1
221f02c85f03747c7ac07a3f50b67a09dbcf1475

SHA256
486b815e15c96b878052513fa3d6d20a3566208fc283e5542e53b24efc595f38

SHA512
7a52d4b2e25823be86e68e1aa44cc9eae08f0b0ea6060ae0a00e4262937ac7f38227427ce7431548f44269d9cb2c113f34b83020cd714bea3b3f990705d730d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe.exe

Filesize
67KB

MD5
9bd1a5820e3e1b44681df57ddfa86a68

SHA1
f2e8773f4626a168f8fa409818431b8dffa129bb

SHA256
8e8b645e97de6652e1f82eff95bc08f2015964889047d7348f01fef6a02fa39d

SHA512
ef43070fccc4af766a9bb574ce35a9592090a21bf7c2910fb58bfb2dfe3f02d71d86d5c7ab877f65679cd86af2857f9726b10fd3c9be312a5c9c4add4bf12e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fb4694c8c76cdc7827d543f1d32e818a5cc4e8bf53975a8a160c2af3d9eb62.exe.exe

Filesize
24KB

MD5
debd6485333cd5250861983cd26e137f

SHA1
221f02c85f03747c7ac07a3f50b67a09dbcf1475

SHA256
486b815e15c96b878052513fa3d6d20a3566208fc283e5542e53b24efc595f38

SHA512
7a52d4b2e25823be86e68e1aa44cc9eae08f0b0ea6060ae0a00e4262937ac7f38227427ce7431548f44269d9cb2c113f34b83020cd714bea3b3f990705d730d9

Download Submit
C:\Windows\Logo1_.exe

Filesize
43KB

MD5
9dad25ab3a5e219070e93fce23717645

SHA1
2941b29ff538eaac033574637c56ae0ebbae7dfb

SHA256
d00233d759270ed1e803ba3f42c9e2415f302325ac9d4d0ad5da964f3d2ac0a0

SHA512
501a8ee23529342a2efbbb0555f8b1852867da48b677c01b3db99a684a16b5b9ac25053ee6fca9ec065ae48a7e0001e1e0694f2bb68b679e9fa59cc22770879c

Download Submit
C:\Windows\Logo1_.exe

Filesize
43KB

MD5
9dad25ab3a5e219070e93fce23717645

SHA1
2941b29ff538eaac033574637c56ae0ebbae7dfb

SHA256
d00233d759270ed1e803ba3f42c9e2415f302325ac9d4d0ad5da964f3d2ac0a0

SHA512
501a8ee23529342a2efbbb0555f8b1852867da48b677c01b3db99a684a16b5b9ac25053ee6fca9ec065ae48a7e0001e1e0694f2bb68b679e9fa59cc22770879c

Download Submit
C:\Windows\rundl132.exe

Filesize
43KB

MD5
9dad25ab3a5e219070e93fce23717645

SHA1
2941b29ff538eaac033574637c56ae0ebbae7dfb

SHA256
d00233d759270ed1e803ba3f42c9e2415f302325ac9d4d0ad5da964f3d2ac0a0

SHA512
501a8ee23529342a2efbbb0555f8b1852867da48b677c01b3db99a684a16b5b9ac25053ee6fca9ec065ae48a7e0001e1e0694f2bb68b679e9fa59cc22770879c

Download Submit
C:\Windows\rundl132.exe

Filesize
43KB

MD5
9dad25ab3a5e219070e93fce23717645

SHA1
2941b29ff538eaac033574637c56ae0ebbae7dfb

SHA256
d00233d759270ed1e803ba3f42c9e2415f302325ac9d4d0ad5da964f3d2ac0a0

SHA512
501a8ee23529342a2efbbb0555f8b1852867da48b677c01b3db99a684a16b5b9ac25053ee6fca9ec065ae48a7e0001e1e0694f2bb68b679e9fa59cc22770879c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-177160434-2093019976-369403398-1000\_desktop.ini

Filesize
9B

MD5
35dff1b2d2822022424940d4487e8d0d

SHA1
cf3c5e0326ffacd39689a35b566c8d3c626cc96b

SHA256
0432a628b4273444218f05d7d906b391ab84e1d51bc1b084c37456324e0f84ae

SHA512
91c1e3f5497c8c249e695b9e6f844f141b8747d5d1c5d23d09a2e39aae974cfcfe26b6a4580904b87aa495d452df942937fd721ff8189016a59f61c0835e1665

Download Submit
memory/4084-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4084-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4780-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4780-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-1619-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-2140-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-3451-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-5157-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4784-8567-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download