kinsing | 4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc

General

Target

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
Size

26KB
MD5

f2cd6007528300a8009ed1a42b1c2e95
SHA1

94050956f9e353a5f9046945d7319cca5b312abe
SHA256

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc
SHA512

284a090449cc06f5eb0394431b213c6e8958a8fe5c884b89c7ab259c3f5fc9be84d024479d85603c05dc1d3801441e1a8a394963573a9b4ef0025acff61d136d
SSDEEP

768:61ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:8fgLdQAQfcfymN

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

description	ioc	process
File opened (read-only)	\??\Y:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\N:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\G:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\W:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\V:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\P:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\M:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\X:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\U:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\T:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\O:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\L:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\E:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\H:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\Z:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\S:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\R:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\Q:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\K:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\J:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened (read-only)	\??\I:	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

Drops file in Program Files directory 64 IoCs

Processes:

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\View3d\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\View3d\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-dark\_desktop.ini	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

Drops file in Windows directory 1 IoCs

Processes:

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

description ioc process

File created C:\Windows\rundl132.exe 4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
Runs net.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

pid	process
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exenet.exe

description	pid	process	target process
PID 1996 wrote to memory of 4512	1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe	net.exe
PID 1996 wrote to memory of 4512	1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe	net.exe
PID 1996 wrote to memory of 4512	1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe	net.exe
PID 4512 wrote to memory of 3944	4512	net.exe	net1.exe
PID 4512 wrote to memory of 3944	4512	net.exe	net1.exe
PID 4512 wrote to memory of 3944	4512	net.exe	net1.exe
PID 1996 wrote to memory of 3436	1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe	Explorer.EXE
PID 1996 wrote to memory of 3436	1996	4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe
"C:\Users\Admin\AppData\Local\Temp\4899397070cb1ff124ff7457b43e872fd6c3d06d854bfffb4d8cdc112f9db6cc.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
3⤵
PID:3944

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
56e508339984e36e9c97830b83585181

SHA1
afd30df8b41553d9d7ef18f576ee7ef18ced4452

SHA256
22c6e725220677df66e6d50263bcb238c7142f816725af54c371bc55975379bd

SHA512
6f4a7833fc4800b835ad4c1f5ddbf1955ba5df930cc63f3dfcf7664d2915accd384c0353a0290e5d3389b1500a118007d8270ff3092769e7afb261001702bcef

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
165KB

MD5
e3802a43bc1898362010b4c7d9677a92

SHA1
90032ba39b656afed50b7082ad916548d6dd5e33

SHA256
dbd95cfd04c7d28f06208822092844550fcd281d1178e27b0968b4e74e39b1c8

SHA512
1386257692c7e6773d01437466e202917c5c0bbcc0a6fa4effd60d2441045934cf57f4b1c3d6f604b6160b111a775ef0567c378f8efed83dcab620c173c43b36

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\_desktop.ini
Filesize
9B

MD5
17dd96321b176e3561b64c6ca18fcc3e

SHA1
eeeb96d6ade3aae107d13dee64261ae3abe01ca9

SHA256
eea67eaefd0090abf13b8b67f5d4692e6d8364edb3627775a60c6d67962187e0

SHA512
d7cb68c3d7da341df9c36b5e778876fee0df4e60d546e0c6af1994a4dfae20ca576dc879d5f4f311b38cc780411aa905d347857e11b6c099282ff7cc8be1fe36

Download Submit
memory/1996-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-988-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-1151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-1491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-4702-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads