Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
- Resource: win7-20240221-en
General
- Target: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
- Size: 82KB
- MD5: 3d9e59602e062a031df6c503c52d90a7
- SHA1: 3682fb2487951fa338ffd096f994e905fbc9c6eb
- SHA256: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b
- SHA512: dce83c814998714131a047e7d0dbb0d73c94c82535ed4429895489febbc74dc9435e2fbe0c497b60c0208abd92d232ad8c3ea0eefaa879c51c665419d2a19022
- SSDEEP: 1536:PVaYzMXqtGNttyUn01Q78a4Re2zHxvuS6YGJYjilZrPMC5V:PVaY46tGNttyJQ7KRv6Y0ZIC5V
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
Processes: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe, Logo1_.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
- Drops startup file (2 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
- Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
pid | process
3904 | Logo1_.exe
5044 | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.17\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Media Player\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows NT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Uninstall Information\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.17\_desktop.ini | Logo1_.exe
- Drops file in Windows directory (4 IoCs)
Processes: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\Logo1_.exe | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe, Logo1_.exe
pid | process
3220 | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
3904 | Logo1_.exe
(the report repeats these two rows for a total of 64 entries)
- Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe, net.exe, Logo1_.exe, net.exe, cmd.exe, net.exe
description | pid | process | target process
PID 3220 wrote to memory of 4640 | 3220 | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe | net.exe (3 entries)
PID 4640 wrote to memory of 3012 | 4640 | net.exe | net1.exe (3 entries)
PID 3220 wrote to memory of 4712 | 3220 | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe | cmd.exe (3 entries)
PID 3220 wrote to memory of 3904 | 3220 | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe | Logo1_.exe (3 entries)
PID 3904 wrote to memory of 5004 | 3904 | Logo1_.exe | net.exe (3 entries)
PID 5004 wrote to memory of 3460 | 5004 | net.exe | net1.exe (3 entries)
PID 4712 wrote to memory of 5044 | 4712 | cmd.exe | 5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe (3 entries)
PID 3904 wrote to memory of 4728 | 3904 | Logo1_.exe | net.exe (3 entries)
PID 4728 wrote to memory of 4516 | 4728 | net.exe | net1.exe (3 entries)
PID 3904 wrote to memory of 3556 | 3904 | Logo1_.exe | Explorer.EXE (2 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3556
  C:\Users\Admin\AppData\Local\Temp\5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe"
    PID: 3220
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      PID: 4640
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3012
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D57.bat
      PID: 4712
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe"
        PID: 5044
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      PID: 3904
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 5004
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3460
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 4728
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4516
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 258KB
  MD5: 196e80c6461b51a75560df3e57cfbd9a
  SHA1: 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
  SHA256: dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
  SHA512: 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798
- Filesize: 332KB
  MD5: eba4d2fd3484554a1a7b5a2a710ebc2d
  SHA1: abe5a406fb504ac9f162e09a19feb2d03531536d
  SHA256: 81c05ae1c3edb1641d1f8f6d2f92bbc40b961d8add021780df7097de977af664
  SHA512: 6b3da4f01925221b55127468523ca7aab4c32363c954a673e91c2e1c0c8cbcd0f0685e1d044511fee26d05c69e99a34e985aa3483ab8b854461b5004a5dae9da
- Filesize: 488KB
  MD5: 15137620fba9c2013dfa9107be4321d5
  SHA1: 31c790632ae19274fc2ed7e1615458324bc199bd
  SHA256: 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
  SHA512: e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3
- Filesize: 722B
  MD5: 3268a4efc6707af5ea6d28f8e4b4f410
  SHA1: 3edca913a863bd1b68d71b2d930921b35fa71bfe
  SHA256: 8b032ec3bb9bef3b5f037c39225876b4ec2912f0622ce0e1d2563b05d14a13ad
  SHA512: c193b578fe06bda4d546b773959b44ac1d4fa5adb7808771a53771027c05666a5f9daf12d4046526afcd79d8212960a8c981d97d26a02f9f39c594c74ad1b8ce
- C:\Users\Admin\AppData\Local\Temp\5e0c95260c4c4ab11672e950d4a74f173e8a5f66cb5822437c0d0fe29430a30b.exe.exe
  Filesize: 48KB
  MD5: 422a02111fabd3e229ffd105d6054f56
  SHA1: 7930d07dbc89c1113eec7cbd492daf3a025939b2
  SHA256: 2d6bd317e34216f318ce9fb34fbc24e6260b1472930a8c0f126792f8ff821a9e
  SHA512: a46b5f8b6cb3cf2cb9714a0708ff63dfe4b543ab4a651f2b8ab93ce54ae77e8c7f6d67a8d9d4481957ada966f778ac6d1cceb24b1d8bbad2a6bca77b0bc9ea59
- Filesize: 33KB
  MD5: 0e8792b58f9237e03516447b7048d63c
  SHA1: 6f28494f0766ee470bbced1fe79fb10e5fee8252
  SHA256: 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
  SHA512: 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5
- Filesize: 842B
  MD5: 6f4adf207ef402d9ef40c6aa52ffd245
  SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
  SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
  SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
- Filesize: 8B
  MD5: 331b730a7f1adbf1f0bc05e0c610f0f1
  SHA1: 2f2283f84f040fbd4ecf99055026b70bb3b732ec
  SHA256: 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
  SHA512: 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4