Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
- Resource: win7-20240221-en
General
- Target: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
- Size: 33KB
- MD5: b59d8960d516dd1c8af90e16e9b32606
- SHA1: 324f6305151e613b528ec016c57d4fb17d6c2743
- SHA256: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35
- SHA512: 07d576132e937b630b066b16b45ae4ebe7b4b7c941b774c61423a32d03a8e11709929f1b837ef08378e1502deed0abeb49e6523f728a32f303ae8976d61a6b78
- SSDEEP: 768:AZZZZZZZZZZZZZZHO5RroZJ767395uINH2iTQKvFrQ2XKxgkQe:ADe+Zk77RNH2iT919XKKkQe
Malware Config
Signatures
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rundl132.exe | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
File created | C:\Windows\Dll.dll | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe, net.exe, net.exe
description | pid | process | target process
PID 2748 wrote to memory of 4888 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 2748 wrote to memory of 4888 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 2748 wrote to memory of 4888 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 4888 wrote to memory of 3232 | 4888 | net.exe | net1.exe
PID 4888 wrote to memory of 3232 | 4888 | net.exe | net1.exe
PID 4888 wrote to memory of 3232 | 4888 | net.exe | net1.exe
PID 2748 wrote to memory of 3604 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 2748 wrote to memory of 3604 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 2748 wrote to memory of 3604 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | net.exe
PID 3604 wrote to memory of 1520 | 3604 | net.exe | net1.exe
PID 3604 wrote to memory of 1520 | 3604 | net.exe | net1.exe
PID 3604 wrote to memory of 1520 | 3604 | net.exe | net1.exe
PID 2748 wrote to memory of 3440 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | Explorer.EXE
PID 2748 wrote to memory of 3440 | 2748 | 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3440
  - C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"
    PID: 2748
    signatures:
    - Drops startup file
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      PID: 4888
      signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3232
    - C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      PID: 3604
      signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 1520
Network
MITRE ATT&CK Enterprise v15
Downloads