Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 19:58
Static task
static1
Behavioral task
behavioral1
Sample
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe
Resource
win7-20240221-en
General
-
Target
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe
-
Size
285KB
-
MD5
e182b72782205a2619d9ba1bcba116f1
-
SHA1
4d7de464132ac063c7cfc1ef23cf9e04334238ea
-
SHA256
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f
-
SHA512
c6f5369254f01edbe33b3e1cae505aaa92ec42aa81aca768c3fe6aea4848a3d9a76606acc1bb49ec741c9e8863856fc96688b117c3c3ec72f1b07f3e422e3315
-
SSDEEP
6144:346tGdywMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOaU:33NwMTi0uhMqe9ts2zWTpMmCG7W
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes:
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exeLogo1_.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Logo1_.exe -
Drops startup file 2 IoCs
Processes:
Logo1_.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
Processes:
Logo1_.exe9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exepid process 2008 Logo1_.exe 3956 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exedescription ioc process File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Logo1_.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\CrashReports\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\include\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\lib\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\skins\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
Processes:
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exeLogo1_.exedescription ioc process File created C:\Windows\rundl132.exe 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe File created C:\Windows\Logo1_.exe 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exeLogo1_.exepid process 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe 2008 Logo1_.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exenet.exeLogo1_.exenet.execmd.exenet.exedescription pid process target process PID 1812 wrote to memory of 4996 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe net.exe PID 1812 wrote to memory of 4996 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe net.exe PID 1812 wrote to memory of 4996 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe net.exe PID 4996 wrote to memory of 1592 4996 net.exe net1.exe PID 4996 wrote to memory of 1592 4996 net.exe net1.exe PID 4996 wrote to memory of 1592 4996 net.exe net1.exe PID 1812 wrote to memory of 2200 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe cmd.exe PID 1812 wrote to memory of 2200 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe cmd.exe PID 1812 wrote to memory of 2200 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe cmd.exe PID 1812 wrote to memory of 2008 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe Logo1_.exe PID 1812 wrote to memory of 2008 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe Logo1_.exe PID 1812 wrote to memory of 2008 1812 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe Logo1_.exe PID 2008 wrote to memory of 3352 2008 Logo1_.exe net.exe PID 2008 wrote to memory of 3352 2008 Logo1_.exe net.exe PID 2008 wrote to memory of 3352 2008 Logo1_.exe net.exe PID 3352 wrote to memory of 3380 3352 net.exe net1.exe PID 3352 wrote to memory of 3380 3352 net.exe net1.exe PID 3352 wrote to memory of 3380 3352 net.exe net1.exe PID 2200 wrote to memory of 3956 2200 cmd.exe 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe PID 2200 wrote to memory of 3956 2200 cmd.exe 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe PID 2200 wrote to memory of 3956 2200 cmd.exe 9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe PID 2008 wrote to memory of 2432 2008 Logo1_.exe net.exe PID 2008 wrote to memory of 2432 2008 Logo1_.exe net.exe PID 2008 wrote to memory of 2432 2008 Logo1_.exe net.exe PID 2432 wrote to memory of 3760 2432 net.exe net1.exe PID 2432 wrote to memory of 3760 2432 net.exe net1.exe PID 2432 wrote to memory of 3760 2432 net.exe net1.exe PID 2008 wrote to memory of 3400 2008 Logo1_.exe Explorer.EXE PID 2008 wrote to memory of 3400 2008 Logo1_.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe"C:\Users\Admin\AppData\Local\Temp\9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵PID:1592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a66C8.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe"C:\Users\Admin\AppData\Local\Temp\9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe"4⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:3380
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:3760
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
258KB
MD5196e80c6461b51a75560df3e57cfbd9a
SHA13dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA51200a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798
-
Filesize
577KB
MD552b929e3308c6c5cf1e9366799ba774d
SHA173367e44a6aeb30f38c053492485ccc88f3f96b9
SHA2561371f108190c128f882a8babd65e575855c16a158530163f97d4aaec08204a3a
SHA512074eb6f7224979654bf1f5239a9b46a4a30ce8a17c3e47b3f38902cffdbb4c394facbe948d6b0b7f99077483708f8bc03aa40fb1ddba2c18033d52719ac47baa
-
Filesize
488KB
MD515137620fba9c2013dfa9107be4321d5
SHA131c790632ae19274fc2ed7e1615458324bc199bd
SHA25637cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3
-
Filesize
722B
MD5a8688ec0284b56d0f609eaf789ac18b5
SHA15a4da9b684a916edf627cb706627cbfb00950646
SHA25640e8c01a9b7b6205f2823f60d36c762b2a7b20e439906da95c0b5ca52add463e
SHA512399340f5646edf6fac3d11e6a3ddf7ec4d7beaf1cdfaf00fe43f7a931d8dbbecd117182fac60bcc0f37ebfaa079273d82ac7c05d120b8de0f37c7675436b77c8
-
C:\Users\Admin\AppData\Local\Temp\9490201d077a00baeb0c1ce225c9445610b9455dbb0739f6cdd54c45e590c52f.exe.exe
Filesize252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
33KB
MD50e8792b58f9237e03516447b7048d63c
SHA16f28494f0766ee470bbced1fe79fb10e5fee8252
SHA2567e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA5126b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5
-
Filesize
842B
MD56f4adf207ef402d9ef40c6aa52ffd245
SHA14b05b495619c643f02e278dede8f5b1392555a57
SHA256d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize
8B
MD5331b730a7f1adbf1f0bc05e0c610f0f1
SHA12f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA2562d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA51216790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4