1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
Size

26KB
MD5

afad2627c96b11ad68c9d73d364eb080
SHA1

be397a122b0d88bbc755aa5a70ebbb6b9e5ef0ee
SHA256

1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae
SHA512

c086cad946573e0cb14d18c39e3f0bd1c6db534d56a6262c9b419a34f9cb3dece42347e58764693852b1ae4b45f368f2b8350ad13168d37569a3a917203ee821
SSDEEP

768:qnW1ODKAaDMG8H92RwZNQSw+JnbmQj3FZJ9Vs9XnsD:zfgLdQAQfwt7FZJ92Bs

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\M:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\I:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\W:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\U:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\S:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\L:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\E:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\K:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\J:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\Y:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\V:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\R:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\Q:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\P:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\N:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\H:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\G:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\Z:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\X:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened (read-only)	\??\O:	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ar-ae\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2140	5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe	87
PID 5092 wrote to memory of 2140	5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe	87
PID 5092 wrote to memory of 2140	5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe	87
PID 2140 wrote to memory of 1636	2140	net.exe	89
PID 2140 wrote to memory of 1636	2140	net.exe	89
PID 2140 wrote to memory of 1636	2140	net.exe	89
PID 5092 wrote to memory of 3468	5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe	56
PID 5092 wrote to memory of 3468	5092	1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe
  "C:\Users\Admin\AppData\Local\Temp\1d3b7afd8b8a20328057eecf47d6576c793d4a2ee161fb240bce23497ddbcdae.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
2cf41fc4ff69fc9ee439525a0bf82cc0

SHA1
1aee485d54083a1f7b8f068bd152355b7acd6d48

SHA256
e95e07df7dc359250779e234e9caceb4e760ca495dd23af4cd6acde4735202d7

SHA512
2cb5dd8a357536d410f5143a0d39c2622757031a2df25dff7fa59ea4a0549801a13f742a5d29678fa07d67ef8eebc05397617772678543fa182d122f86928968

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
165KB

MD5
9991466d3ea3686afda1b311c35234e2

SHA1
a047434062fb025bfb67d7603a799f3fbb2671c0

SHA256
f2f27d69a68a6c3f921d1163ddf5462f81ba8f1822d4a09ca35b55fbb53c5553

SHA512
206751bd9f34073becc28b1b482cd33b705d6145654028b59774a6a8f7293037e1895b87f47eb60f0810af9d81fa1a3d80b5783ccf0dbe097b809d0a080ec2d2

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
d9a20f38778ddec5c48e2acde4956248

SHA1
fe41d404f38c2d570cd55158524d450f5ed50da3

SHA256
f39c91803fd8d891849aa7b16cd6f82fa4a3b0eaf12d6699127206f48dbf9c63

SHA512
c879087690924c702a818643329c7c8c2fae5fae3d9a2c6b1c5eb608f3c899ba4bd4708cde9565e957b669c09fa8ab11ad289128bc5871dd85fe4fa90c31e4b4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2192493100-457715857-1189582111-1000\_desktop.ini

Filesize
10B

MD5
cca2df68694b7b2b5f3fcd9d48fc8b33

SHA1
9237896c46a87ca46bba7a1830de78405425ecf9

SHA256
eb7f64f08cc544ff36927d516073b4e0057282131385ffa402ee6e797f142fa4

SHA512
78848570be3e3b6d4a24d18322d1ebdbea4434a6120d3296b0dfe6d1678ef7e912bae6bb448600a7fc71bb56a4f5465af39883a383b1bc2ace9be435ee9d2f96

Download Submit
memory/5092-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-988-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-1151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-2331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-4704-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download