dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 04:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
Size

26KB
MD5

f5041293575c09a72717639c8f9f4830
SHA1

b42d5154949e4e6cb6a80eb23653b3b410e86fc1
SHA256

dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d
SHA512

364b7c634d1651ea3881a314eb6e83994c9fcaaa4985335b50ce43da70b8357cb02d8c8992bb88e5f45dde34f5a287576b7fee3fae2b771e30fd048a5ee31d51
SSDEEP

768:tb1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoGwXnKx:HfgLdQAQfcfymNG+Kx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\W:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\U:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\Q:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\N:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\L:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\K:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\I:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\X:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\S:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\P:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\O:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\T:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\R:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\G:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\E:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\Y:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\V:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\M:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\J:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened (read-only)	\??\H:	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\Java\jre-1.8\bin\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1180	2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe	20
PID 2608 wrote to memory of 1180	2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe	20
PID 2608 wrote to memory of 1180	2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe	20
PID 1180 wrote to memory of 4292	1180	net.exe	16
PID 1180 wrote to memory of 4292	1180	net.exe	16
PID 1180 wrote to memory of 4292	1180	net.exe	16
PID 2608 wrote to memory of 3396	2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe	53
PID 2608 wrote to memory of 3396	2608	dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe	53

C:\Users\Admin\AppData\Local\Temp\dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe
"C:\Users\Admin\AppData\Local\Temp\dcdab50960b0892057ac59e8ea946c30a2e4ec4b881f8d6ecc8d869c91d7bf8d.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
1⤵
PID:4292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
8b754c88e6b3b3e1f58711cf19479321

SHA1
27b50803f2694c275aae1e4a96486c20e83d54f6

SHA256
47889bdd1ccf03cf7d5f58807464020d2f8b26b11fd8ef7d306d91b2e5b8a578

SHA512
dbc04f8c17faaa4f785d99441555baca40562859acd906653d4c87f1506973936504970ccdc47e3eb0318c1b3e95b33f4f75ad4bcbd177d014250d83c4ecb975

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
0c5536c6a3aefefb2d4cc1cfbb729119

SHA1
660b05e7c4543df8ec6d4e80d6c8f3c9d667bf8c

SHA256
297984cb1c691abf3614c0c64ed3ed1b8cbf2e2f2efae02e5392e110a717394c

SHA512
9f833ca254c2e29c8fa9fe95ebeb6d62a686b99dd6597761ffb2797a0b50daa531a483f6047b8bbb059c2f15abe19aa030e67d2c1198624633146d76aebc7da8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3791175113-1062217823-1177695025-1000\_desktop.ini

Filesize
8B

MD5
6b797c0366c2ec714ca2989daf0254d4

SHA1
b59a115d157050eb74929670d9f566df66f3d823

SHA256
d63bfce395f8546df44b15e24a240ececabb89b6932cc8317ca02fe64972fa2e

SHA512
3205080a6fcf42e6ee4c4229af097de16133649325755e0c3c876fe03068848e47bcba20934bd42f474e08d1535bbed35f3bd995c73e661be363fdcfe6719bde

Download Submit
memory/2608-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-988-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-1151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-2037-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-4702-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download