Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-04-2024 19:58
Static task
static1
Behavioral task
behavioral1
Sample
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe
Resource
win7-20240220-en
General
-
Target
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe
-
Size
163KB
-
MD5
ff852c6f60f2be0d44c01ee585d94bad
-
SHA1
1798667029690d25851e4528b689a81b92eda8bc
-
SHA256
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662
-
SHA512
01e891c71dd6814661e3ef8036fc6e3a51b4a06119decbf55b40f7a109c7b4a2b9ccb92de15c2a07ab59859f1b502051f908d27be530792e1c2f932a42e008f5
-
SSDEEP
3072:PVaY46tGNttyJQ7KREQekqnwLD9m0WjfuRRfEdj4E3f90bC:346tGdySQek9if1Vv+W
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes:
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exeLogo1_.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Logo1_.exe -
Drops startup file 2 IoCs
Processes:
Logo1_.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
Processes:
Logo1_.exee036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exepid process 60 Logo1_.exe 4732 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exedescription ioc process File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Logo1_.exedescription ioc process File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Uninstall Information\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\loc\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\SystemX86\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
Processes:
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exeLogo1_.exedescription ioc process File created C:\Windows\rundl132.exe e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe File created C:\Windows\Logo1_.exe e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exeLogo1_.exepid process 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe 60 Logo1_.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exenet.exeLogo1_.exenet.execmd.exenet.exedescription pid process target process PID 4520 wrote to memory of 4424 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe net.exe PID 4520 wrote to memory of 4424 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe net.exe PID 4520 wrote to memory of 4424 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe net.exe PID 4424 wrote to memory of 3748 4424 net.exe net1.exe PID 4424 wrote to memory of 3748 4424 net.exe net1.exe PID 4424 wrote to memory of 3748 4424 net.exe net1.exe PID 4520 wrote to memory of 4656 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe cmd.exe PID 4520 wrote to memory of 4656 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe cmd.exe PID 4520 wrote to memory of 4656 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe cmd.exe PID 4520 wrote to memory of 60 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe Logo1_.exe PID 4520 wrote to memory of 60 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe Logo1_.exe PID 4520 wrote to memory of 60 4520 e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe Logo1_.exe PID 60 wrote to memory of 1708 60 Logo1_.exe net.exe PID 60 wrote to memory of 1708 60 Logo1_.exe net.exe PID 60 wrote to memory of 1708 60 Logo1_.exe net.exe PID 1708 wrote to memory of 444 1708 net.exe net1.exe PID 1708 wrote to memory of 444 1708 net.exe net1.exe PID 1708 wrote to memory of 444 1708 net.exe net1.exe PID 4656 wrote to memory of 4732 4656 cmd.exe e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe PID 4656 wrote to memory of 4732 4656 cmd.exe e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe PID 4656 wrote to memory of 4732 4656 cmd.exe e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe PID 60 wrote to memory of 3932 60 Logo1_.exe net.exe PID 60 wrote to memory of 3932 60 Logo1_.exe net.exe PID 60 wrote to memory of 3932 60 Logo1_.exe net.exe PID 3932 wrote to memory of 4876 3932 net.exe net1.exe PID 3932 wrote to memory of 4876 3932 net.exe net1.exe PID 3932 wrote to memory of 4876 3932 net.exe net1.exe PID 60 wrote to memory of 3516 60 Logo1_.exe Explorer.EXE PID 60 wrote to memory of 3516 60 Logo1_.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe"C:\Users\Admin\AppData\Local\Temp\e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵PID:3748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3DC4.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe"C:\Users\Admin\AppData\Local\Temp\e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe"4⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:444
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:4876
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
258KB
MD5196e80c6461b51a75560df3e57cfbd9a
SHA13dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA51200a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798
-
Filesize
577KB
MD552b929e3308c6c5cf1e9366799ba774d
SHA173367e44a6aeb30f38c053492485ccc88f3f96b9
SHA2561371f108190c128f882a8babd65e575855c16a158530163f97d4aaec08204a3a
SHA512074eb6f7224979654bf1f5239a9b46a4a30ce8a17c3e47b3f38902cffdbb4c394facbe948d6b0b7f99077483708f8bc03aa40fb1ddba2c18033d52719ac47baa
-
Filesize
488KB
MD515137620fba9c2013dfa9107be4321d5
SHA131c790632ae19274fc2ed7e1615458324bc199bd
SHA25637cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3
-
Filesize
722B
MD56eedb04c2247ec65500c60c39483240a
SHA12438f3f49e4570a7aaa115e1edd8c288dad261d6
SHA256c4f3abc13bb7671ff16cd54b512ae99b7ab1ae73bde05a96de4a197c41fb6f4b
SHA512b0e7340f915e834a2212519247f3da263662f31595333bd2f1a9486cdb7d467c427a97186189965b5290f9619b775fd2c05e74355e227dfb90fed5447365ff47
-
C:\Users\Admin\AppData\Local\Temp\e036ad1fe55cdbf1033e28521e39488c7b591fcdeac7778a4565c0927da5d662.exe.exe
Filesize129KB
MD511111df26aba5a177fbd3ff2821a9e5d
SHA1dba82329673e02dd99adbeb2d20538d10b6f484a
SHA25625e0e882cca2fc89942924ae208abf9059fe3f8bd87a16f788f8aad1f61521df
SHA5124d814017ce21b06208b5cd6814d40e801283a41216ea27986a88af50d2d61d23e9c54c0aafe6a8c509a94d156c59fb3dc8f46b902bcbc5acd185a712d31b2034
-
Filesize
33KB
MD50e8792b58f9237e03516447b7048d63c
SHA16f28494f0766ee470bbced1fe79fb10e5fee8252
SHA2567e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA5126b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5
-
Filesize
842B
MD56f4adf207ef402d9ef40c6aa52ffd245
SHA14b05b495619c643f02e278dede8f5b1392555a57
SHA256d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize
8B
MD5331b730a7f1adbf1f0bc05e0c610f0f1
SHA12f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA2562d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA51216790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4