d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Size

340KB
MD5

758b274ef374e88dde853065014f595b
SHA1

9ef6a663d02365ce550fb8fce254e0d3d5acb71b
SHA256

d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03
SHA512

a9ec5ec1950f380eb4a4240035280d90b76f042836cbcb45c4839b667edb00d7a5daea6f4bcb3321162e66cdf1c87f2d459a7e4acb15fe29e79d29cc8bcb2c6e
SSDEEP

3072:xftffjmNOCSjGoLpWM6VbBVjxyZ2wuhttQyrftffjmNOCSjGoLpWM6VbBVjxyZ2N:5VfjmNAXq1V599VfjmNAXq1V59a0Jal

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	startup.bat

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Executes dropped EXE 6 IoCs

pid	Process
3768	Logo1_.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1668	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
4784	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
3368	startup.bat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023135-46.dat	upx
behavioral2/memory/4784-48-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x000a000000023137-55.dat	upx
behavioral2/memory/4784-58-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3368-59-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x64\_desktop.ini	Logo1_.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\log.ini	startup.bat
File created	C:\Windows\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\uninstall\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File created	C:\Windows\Logo1_.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
3768	Logo1_.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4784	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
3368	startup.bat

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3680	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	87
PID 1204 wrote to memory of 3680	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	87
PID 1204 wrote to memory of 3680	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	87
PID 1204 wrote to memory of 3768	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	88
PID 1204 wrote to memory of 3768	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	88
PID 1204 wrote to memory of 3768	1204	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	88
PID 3768 wrote to memory of 264	3768	Logo1_.exe	90
PID 3768 wrote to memory of 264	3768	Logo1_.exe	90
PID 3768 wrote to memory of 264	3768	Logo1_.exe	90
PID 264 wrote to memory of 4380	264	net.exe	93
PID 264 wrote to memory of 4380	264	net.exe	93
PID 264 wrote to memory of 4380	264	net.exe	93
PID 3680 wrote to memory of 2592	3680	cmd.exe	94
PID 3680 wrote to memory of 2592	3680	cmd.exe	94
PID 3680 wrote to memory of 2592	3680	cmd.exe	94
PID 2592 wrote to memory of 2108	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	95
PID 2592 wrote to memory of 2108	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	95
PID 2592 wrote to memory of 2108	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	95
PID 2108 wrote to memory of 3360	2108	net.exe	97
PID 2108 wrote to memory of 3360	2108	net.exe	97
PID 2108 wrote to memory of 3360	2108	net.exe	97
PID 2592 wrote to memory of 4020	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	101
PID 2592 wrote to memory of 4020	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	101
PID 2592 wrote to memory of 4020	2592	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	101
PID 4020 wrote to memory of 1668	4020	cmd.exe	103
PID 4020 wrote to memory of 1668	4020	cmd.exe	103
PID 4020 wrote to memory of 1668	4020	cmd.exe	103
PID 1668 wrote to memory of 3548	1668	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	104
PID 1668 wrote to memory of 3548	1668	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	104
PID 1668 wrote to memory of 3548	1668	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	104
PID 3548 wrote to memory of 1952	3548	cmd.exe	106
PID 3548 wrote to memory of 1952	3548	cmd.exe	106
PID 3548 wrote to memory of 1952	3548	cmd.exe	106
PID 1952 wrote to memory of 3484	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	107
PID 1952 wrote to memory of 3484	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	107
PID 1952 wrote to memory of 3484	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	107
PID 3484 wrote to memory of 3576	3484	net.exe	109
PID 3484 wrote to memory of 3576	3484	net.exe	109
PID 3484 wrote to memory of 3576	3484	net.exe	109
PID 3768 wrote to memory of 3500	3768	Logo1_.exe	57
PID 3768 wrote to memory of 3500	3768	Logo1_.exe	57
PID 1952 wrote to memory of 3608	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	111
PID 1952 wrote to memory of 3608	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	111
PID 1952 wrote to memory of 3608	1952	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	111
PID 3608 wrote to memory of 4784	3608	cmd.exe	113
PID 3608 wrote to memory of 4784	3608	cmd.exe	113
PID 3608 wrote to memory of 4784	3608	cmd.exe	113
PID 4784 wrote to memory of 3368	4784	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	114
PID 4784 wrote to memory of 3368	4784	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	114
PID 4784 wrote to memory of 3368	4784	d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
  "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EEB.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
      "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        6⤵
        
        PID:3360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a545A.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a54B7.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Kingsoft AntiVirus Service"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        10⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a595B.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe"
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat
        
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat"
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3368
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
587a94faadffb3e35b9c22cd224cccb8

SHA1
46b314a568e1d480d115d2a24d57bcc78524f93a

SHA256
1a81c27481f6f3380f6928259edffa8e9c18db92c2f574655553ab490d05a9cc

SHA512
b1635bb433d7ef8adff5b2c53a2e51ab105f542e0767f579c7849e901748d74898742f2d0223954ce101603aa617282ebf87932d472ac475f2f21a1135a2c4ca

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Filesize
1KB

MD5
1683584d825fbddaf1a885e37dd1ac1e

SHA1
26000eb7eec4a7cf5306867fafdfcc2688b411e7

SHA256
3cc6c935e7880976fc2173e65693453e418b300a75579bfcd8e09f757e25c4a8

SHA512
da4a697dd7a84fed3299d0adb1cf74ff0791bc71c7c92f54fa5ab91248758fe5b163457c2779f790694712e2c49ad6efaf27c4db091a70cba96aa93b51657820

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4EEB.bat

Filesize
722B

MD5
1150d7e97e9f1c6e0d7171243f5bc882

SHA1
d48652a56ef85b22170fca289f7b54035f013d09

SHA256
fb4201fd1c60441d00eda6abf44554587f8b95ec45ea9c65c9ad55e4cfa93dd5

SHA512
a8ceb9daa2b40c7ba84dd076eb28d43c1606b17707cf3a3837b8aab9b7bd8f666fc01e084c04b1e2b5f23c08f3ce33670ead8f1986f0ef05363cd612d711d883

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a545A.bat

Filesize
722B

MD5
023a59b0fde18b0d73b4cb9e60c55d28

SHA1
8ef702ea0813743d83b8350dd50d81c5033b1a11

SHA256
9242c69ea24298c226708e60903961a715b94cd0e382618130505eed14f77272

SHA512
9048255eec9bbd15accf4a26b15ab6307a10a89a6f27afa701da78209e755058d4d11c6d5ba2e3cf6cac1ce7873e8e13b53448b5a756d7ccd7428b719c5f218a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a54B7.bat

Filesize
722B

MD5
db5bd9d3c5468658607e24aebece9d69

SHA1
c10d156f6a84e03f3ac6941a3c23bb0af904f478

SHA256
894f0955d79542e6e40d9a0832afeb8a6bf1f327c278e2a495cae9183858c946

SHA512
9aa3b4e7bcb4d24ceba2c0b41a6ddc38eec6241e761294d3873d2f6f83396ebc0daae110064f38ee6f7eda37cabb519df52d3cb22887b9f3b1c04e9bdc3e223c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a595B.bat

Filesize
722B

MD5
506e4fc3b83d6bb0414682705c1b03f6

SHA1
416a6a09b8c80c2a0181e42c48916c2ec9bd69c0

SHA256
45ec385521a29e2cce3e220b7503315b03ecb4bcdf6430b9cadcfdb1ae886c00

SHA512
6d7e67f3abef1b4bf5031d34ca274fb44033748bc0a4c999d41b6bd1cac9dd18d998ef1a13b60230af644e8bcca7d92ff94dc49aefd97b62a780651cfa8f0d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
220KB

MD5
1bc4ecc0423d2bac2486d6e88d637589

SHA1
ca7fad601acf04bec1fe46be02690c575f840513

SHA256
804178b82ada2733358985d9f469cd047df364edb63ea313d00f8bcd86e8721b

SHA512
df92a239d75fb4bed65593c3e947bac24edfb5ac94e383cff802a5a690c14c6f2f3babf1a2103efcbde22088c8fc13e3eaf67499b5286c12a784e75209319d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
313KB

MD5
b464d0150ec177b7b8c6cca974dc8f94

SHA1
621716cd9503afea0e3e34741e5c0ad1dccfea38

SHA256
4bc55ad96505ddb421679d1867c91c44e5547b0f688824adf94d1b92caba5b0d

SHA512
f2f79fbdc58c016779d2330fcc7ab923c169239ebd58b8a4fbf7f917f021b6bf715a24043b94b13f408119d3638602ee4889edcaae6bb94f5eaa3e687faa2a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
194KB

MD5
69c3a9d6ac33a93f2002ee38c2a46434

SHA1
aa1e3497f5151fb76811665750956d4aaea7c3c8

SHA256
4ca1a8c14d03e78442789e84bf33091e3c74a84cf5bd6af84b1732eacf2a2dd9

SHA512
32f16e695ab7fd57e60a47d0d5976da19e944107001d41a37ef5f9a42029ec5b212c82ce763811629144c0545dcf31f8a3a7d46f1c021a7fa8b1099e2e58e5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d723a89afee709e86eef8a140625b84ca7926c7a49826c75cd4963d821df03.exe.exe

Filesize
101KB

MD5
de817f8996a5f524523514779f909a76

SHA1
4674880202435822341ba492843c2dcb126d5e50

SHA256
a21a9356c7a473988efbb5e8785047cb0fa93ac5ad093d429ef119fbb33edf6d

SHA512
8c02e93b54baee8b7bea96a80cd209f38aef6ff38b06d65d1ce04a709ebfec7b26126874aba611e893f87ae2ed719ebef05aad5f1077e68bbabe39a3048929aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5ebae18d758a2785c25800cf9f602426

SHA1
729c110aa5f4a19f6e932b399adb68373f788870

SHA256
3c8634b7cfad1704299882ee1d8cc86fdec88831103959d2589b2a62e33deb63

SHA512
0b5196e7c7d10a5f3bd504e649fd16a714948339e9401efa562492a852e9f46502688c52c03c64155652aacbce0229cd6a2babcff7863ee30103f8ece9ba9f9a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
C:\Windows\uninstall\rundl132.exe

Filesize
93KB

MD5
ee708472eb382dddfd8001ae980d7709

SHA1
20ac19a71e2ce5d5b222abd839212765dce86b81

SHA256
6e8abcda1d86afdd7475e56054fb1d7e55f176debee67da7b62e37b120435617

SHA512
a76f9694cedcec781158c256c845aecc85b9414987f466b3838f3f4631b13cb1dacdd2b70dbf6f5f33a895b194704fe3997d5d1e3787666f3670ca980c549310

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\_desktop.ini

Filesize
9B

MD5
ac7ef6d7fcd23c228941057dc1a38427

SHA1
aec0bc6ea51cea8edb23dd9ea7be81f113f42493

SHA256
fd687092833ff2ed530a5ba6d4cebe3c1e5f6c318da1610320743cc7e073a740

SHA512
6cf8518e3448d5f19775ac462fab31aac662f0386ed2aeae85b2b5591ee3092f25527beb74592f1c1e4a20f6488277b429c9f46e783937c4bb9f7439ffb6c4f3

Download Submit
memory/1204-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-44-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2592-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3368-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-1051-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-1218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-4783-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download