8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
Size

29KB
MD5

7aea48f9fa2aea5339fa11c26a327590
SHA1

108b44d94a84f6cf0608e43f4ff84aa2b72cd4e6
SHA256

8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f
SHA512

740dd54b9ad3671f5a8e0b3072ab88c20471615d6eff151d95f00e174f5dfc068f8cf8aafc46d9a1e54ab9c10743e24ce087eac670220878fdcb0c843f6f4254
SSDEEP

384:z7nbbObwP1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfR9C5fyuGyR:/bqG16GVRu1yK9fMnJG2V9dDClcx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\Q:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\P:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\H:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\Z:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\X:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\V:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\S:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\N:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\L:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\K:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\J:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\Y:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\E:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\I:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\O:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\U:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\T:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\M:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\G:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened (read-only)	\??\W:	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\_desktop.ini	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 712	5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe	90
PID 5116 wrote to memory of 712	5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe	90
PID 5116 wrote to memory of 712	5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe	90
PID 712 wrote to memory of 4908	712	net.exe	92
PID 712 wrote to memory of 4908	712	net.exe	92
PID 712 wrote to memory of 4908	712	net.exe	92
PID 5116 wrote to memory of 3316	5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe	22
PID 5116 wrote to memory of 3316	5116	8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe	22

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe
  "C:\Users\Admin\AppData\Local\Temp\8e56873e8c10d8796c18e7d79c3de802ad7c323245a43e507ce34b37856f185f.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
e79fcf4255e40c2a8a11de628de5815a

SHA1
d119badf2bd2ad46de1c39f276ebf45844d5db1a

SHA256
4278b09f9591925446be952fb55114dca89affbb5592080b86e3658d8fc507fa

SHA512
a66ef182c9a01a7db6903b284e7a27e9f0a8d1ed40b5b9a331adf2c237518e8b1666783b3b67f6c259ef693249b405130a8bbff151ab9f373eac68ff97fad139

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
168KB

MD5
b01d3c7c121a5927d583e408ab813e5e

SHA1
945958b8ec4825615566b774484a09adefde8895

SHA256
0e4473e41f7a5abbd209842ec7a06d0b9d2fdbc8d3775a9a3102898b9f0520a0

SHA512
cfecdbf545c13dbee204a9a1772c256940ececf6bc11a2c9b44d7c51c38a7d708bba252859aa4a7050bbf9c1cf03ef7a46384dc99527fba4d5a43c74b5fbc50b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\_desktop.ini

Filesize
10B

MD5
0c6beb6d4da16bbf902e01a42ff163f5

SHA1
aeeec783750199c10f8dd6e8aa828a44233e760b

SHA256
2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793

SHA512
3f4ec9bc64092ea98aee91777e052f410194ce728890df45cbeccb60c321c5547e52eaae747c8b64c4f8a9c22a04c0f20146bb7cc5826552ae23e3be8ccb7c3a

Download Submit
memory/5116-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-1151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-2536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-4703-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download