e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
Size

2.6MB
MD5

55f2ac98ecaf89e0d3b770704951de97
SHA1

a810a392ff8300b2299082fbc87a172948ce0ee7
SHA256

e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2
SHA512

c19c961b919685e8fc1373b7afcfaa65561234bc3ba29cae3d8c424c83f521e8bf6a2b9e4db6cc98737dbe56054a050a6559eb2354c809d134d64bceb344bef0
SSDEEP

49152:/74QjRFxhHmPJhtG6ToOKK6j+BpriB55IKNdyVTvKSRr42/rTmJ7kgRgOP:UUFdKdBpriH5IkyVTCZ2OhkgT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2100	Logo1_.exe
2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	cmd.exe
2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
File created	C:\Windows\Logo1_.exe	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419549422"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c4576d0a91da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000007e0537a11204f71a064a2e6b9ac938746e26bf5e810e903f3d5da3ffb03c87b2000000000e8000000002000020000000a2c900cd28e06605ba38033f33047e2689dc034697aab7730893498b27dcd7502000000058acca16cfe6a551db6621953faec0dffd24c8160ce499964c440d43b015950f4000000031d722ef774f48887d25a989617336775400672e09c2f4998a83b3d47f0017c96191decbb1c2897231db89c78817c203002754a51f110bc92a4b899f241ee5aa	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58D90881-FCFD-11EE-9D94-D2EFD46A7D0E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc500000000020000000000106600000001000020000000c754ea389b1be75154fc9d0314c525c3943a7576e32baab7cba3c7f36bff6fc4000000000e8000000002000020000000b47d98ff577e0bf6344cb8876cd10f13f07bfb180aee4c47e3a82efc512c7998900000005787ccc99eaf69abb4d718e0b20289171ae2b73eb14f515783c54aa57e0c4c1af4ebba3e98eb814756f09189c8bbdfa75df0c178655cbdc8c6d69ab7feb7c71af1ff3d457d88c4648d394956fa3ae768a073f7319ce90e42472560b04b5e11ec6d18240300c0cf98eec5019727731534a938381104823de2f083daa3e7e22c6c107dc6731ae53c657cc34d6f7e96662e40000000e42027e33b371124c898e7ebb170cd4e0eb537a273af7c74b4426cea98c4b4e3072a0b5df9523431f0a31d8f29922494904c106f18a2ce4f8bd3db172fc06053	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2144	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2028	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	28
PID 1740 wrote to memory of 2028	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	28
PID 1740 wrote to memory of 2028	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	28
PID 1740 wrote to memory of 2028	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	28
PID 1740 wrote to memory of 2100	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	30
PID 1740 wrote to memory of 2100	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	30
PID 1740 wrote to memory of 2100	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	30
PID 1740 wrote to memory of 2100	1740	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	30
PID 2100 wrote to memory of 2068	2100	Logo1_.exe	31
PID 2100 wrote to memory of 2068	2100	Logo1_.exe	31
PID 2100 wrote to memory of 2068	2100	Logo1_.exe	31
PID 2100 wrote to memory of 2068	2100	Logo1_.exe	31
PID 2068 wrote to memory of 2840	2068	net.exe	33
PID 2068 wrote to memory of 2840	2068	net.exe	33
PID 2068 wrote to memory of 2840	2068	net.exe	33
PID 2068 wrote to memory of 2840	2068	net.exe	33
PID 2028 wrote to memory of 2564	2028	cmd.exe	34
PID 2028 wrote to memory of 2564	2028	cmd.exe	34
PID 2028 wrote to memory of 2564	2028	cmd.exe	34
PID 2028 wrote to memory of 2564	2028	cmd.exe	34
PID 2100 wrote to memory of 1296	2100	Logo1_.exe	21
PID 2100 wrote to memory of 1296	2100	Logo1_.exe	21
PID 2564 wrote to memory of 2436	2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	35
PID 2564 wrote to memory of 2436	2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	35
PID 2564 wrote to memory of 2436	2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	35
PID 2564 wrote to memory of 2436	2564	e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe	35
PID 2436 wrote to memory of 2144	2436	iexplore.exe	36
PID 2436 wrote to memory of 2144	2436	iexplore.exe	36
PID 2436 wrote to memory of 2144	2436	iexplore.exe	36
PID 2436 wrote to memory of 2144	2436	iexplore.exe	36
PID 2144 wrote to memory of 2452	2144	IEXPLORE.EXE	38
PID 2144 wrote to memory of 2452	2144	IEXPLORE.EXE	38
PID 2144 wrote to memory of 2452	2144	IEXPLORE.EXE	38
PID 2144 wrote to memory of 2452	2144	IEXPLORE.EXE	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
  "C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5F30.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
      "C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2452
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
3a4ae7d36a409e517a8b88e7c8884f43

SHA1
a1131b4bb058dc5d5200e265ab93a2e6f706691f

SHA256
0e03a0de5ba761adc588229fddca341da31f1c3e2a0d8787ffd2f04aa2c7375f

SHA512
73a23fefa570f033b9126abfee56bbc20ade32aa98e9887ea5cc81b54dc8349eeb79b1c35b10022e5560cf3055304be278762a3d62529204638c3c1cdbbb03eb

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75e5628ce403ed110cc6f490a27582c8

SHA1
9fef492f799951d1a5257e752dfd2f2d905c1d4b

SHA256
8b129bb9e78f5986c26fad3c681f90fb9d3bbfbba375a9dcccdaa5abccf7aa1f

SHA512
fd36bb62d63d2e5f5cb18f925d5c5b141fb4d12df55f638b96574f774418dcedc46158b8aeb49dd4b4cc15f2468dbe66f88d64703ec98fbfb66ab862d2e259d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61b38ac8afb1e980fe015a27459e65fa

SHA1
37feef321a756acecb81acec55f2fdec1c512a2a

SHA256
5608d21fdc410dac420ccb1feb4ccade29e3e35dabf5d80c398723ea5873e452

SHA512
65737ba4d75adbebc0c7be83ff4f5007ad4c8e67c66711d486e15900d2fcee04947cf9a536000bd2563ea637b6b8ced9f470f75bbeaec15e5e5b5bda9643d1a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ecc7dbc5f77fcbbac82ca0125710c9f

SHA1
0408be02bd16ac7e776c27d7aba3a3a02d390f9c

SHA256
8e2235a704349f0b1a593dddd6af7a9533b90d650c0a3565e61038f892628e53

SHA512
9d56c86b59c792f4cca3150c1d1c617f3b925970c596cd233c804891e428aff0d1ae0ec01dd9758ac8897718c28b7eaec94aeb17a3ed9cae10853d6202f27dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7c6a00b43d9e7aa1803b6b25e66a110

SHA1
2666ba72f939a1ef626eb59d2b898753bf5af50d

SHA256
68dd760dab58d64c5e0aa522b9768be56c7e725bc651b2480d01c73f321ddaaa

SHA512
a63669364263aecc2daaeab35118f1273f199ae0590e4a42052897a03f46a9bf99f120f8d49365ba97561a61accfe020a6d36b5b0fa0b604ff7b29cd578144da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
520bf0793add7903fbd5773f163f0d02

SHA1
e20d0372fb1043c019b8679bc98c8e92558c6293

SHA256
5886a57bd4556f71f93b6202507a7df66aef289e19160339c5f6f7c8a70886d6

SHA512
13c915b2879d9f49926b351f0e68a15f2cc51c853f39fda01b5d99afc46c98e77df1bc01aa374a87e3dbfc49fa1b066320b8244946a463e9b07a6de653e3e51e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f9aed1a1e05b2cb0ff7ca3918bf0cae

SHA1
268210dceaf1554b36a22f7faa265aea4285e6d9

SHA256
98127acc3f4f090194c5d50e33929253010452d56c8fdd56a9e81e2fce5c7bd6

SHA512
1f45119be3ee2f72d9ed94c26c5546d16fa8abb7700c4729e262ac022a55dc866989838c1beb62b6e146f7f646521c160b60e6d6abddc3b45bdf3522451706fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05be585d45e7d41f440736f1c99466f2

SHA1
c53ed401c68d39238372a710e3a5ac2f963b6942

SHA256
d97afbddbc83212aebdfb5b0f1951b09944051f08aab78b48dc835081a2882eb

SHA512
e4db58f1883e7336943fe39e4d03e27f6d5cfb26aa749838a1c27b723760e91aaf7ffa0a22babcc84994f2cdceac8d1791c398758e4023cdb0f5dd295102db59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
457e6aac9c5e0b51e26f2b2e6f0c1ff5

SHA1
212722adb38ae673aeb396bcb479a08df0a8e9e9

SHA256
222dcd5a342becb6036297b3104d5c6f61f81f8c7f15d0dcfcc89210d8d64c73

SHA512
c8ebcc6beccc2b8e65fb989880081da30d78f5dc41797f994abd3fa5c2fec28d61123d0af19a89e15a4df60a36e2b827e71724a9cbf3e2936509f4146094d22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e7f67b2204a5d19e768c874929621c5

SHA1
15c2e5d720abe0b34710dbafc5602243e7e8f368

SHA256
7573b17d2593f296e5db02a563161bba62a88a298b1a222453b6c7d2288b3316

SHA512
73e2165460dd108547e791a2cc28a04db18cfe96e2df8672eb2d429031efe8ce84792efd126ec18d4b387c48e3c66e1f4d6f0bad11146b0c793bef2376a4bc21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4dd23b612171412ddabb61497e1a310a

SHA1
f548b46f50cf2f9ce1b3f3d4278b68eae5127698

SHA256
8e056b958eeccb4c6e6228b8497a511d64e1b95c4fec62885efbee9e860ce4c6

SHA512
ec980f453c26942db667feb4a325d10cff5f7d7bfc30f413e44f992c16c4353d14fa5487bf11680d84338ac7857b3d0a95e88d9a952139b070a5a30daba92b3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39501aad69a723e745c74780aed8e5dc

SHA1
8c4e95ed726e5cbcd2683a8a356f63c52bfcbf28

SHA256
7bde65f7647d4a26bbdc80904f449668e8772e830d5eccf27e1586add7df35de

SHA512
0e3468482cf31bb6c1f606cafb1e63af3f054f9660cb024ea7278a3ccf43603fb2bb0e41c337070817416228930443340cf70fb4ab05c3b580158b4ace120a8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf9657926e0095bda0758a2c7c572c87

SHA1
152711e591d0b980d24ccf84cac1e0bbf183fdff

SHA256
cc77707aea4bed001bf4c709d28f98fa61195680dfbe5309f66e5f0c7f635536

SHA512
fba7cad494a4761b7ea44502434c7f4383d2dacd18a7812f41cafded63b0a5615861b6c97ef51eea466da40b7a423ee4fffc206a876d0cfb7c11bd634271dfc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c343fbe19552b123ab767cf718b0934

SHA1
19d0eb591e5e33d91aaaed41b66aad4b6bd6d203

SHA256
142e324e65d1616f6e1519328a584840886b7d00c236f2ba3088ff0b443a3f54

SHA512
e3c0813f395031826751933483f2b394caa28ada4905638a3a3779852af7a8fd683b237d3f04a4387719a7be8e2e1a4ca2063d14a2d647247ff5bafb5eabcd3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb30220989ba20f88499b4875ff17381

SHA1
ef51ab5724509cc93ba671815fc6015a7f93ca2d

SHA256
545ee2c2df0f582eebd70f9d14908cf0e1429b51cc079a53aeaa4d2a7178e733

SHA512
7d890d649ad25fb7116d235cfbcaac021ee86f09546af869c2b921cd30ef8df6d19adca9170c9ae700ea2473a385fb17f6c98a96e591f6cca4f8046c9ba87dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e21b8a29ea3076399abd7d25d6cd236a

SHA1
3773c9f69f8610fc1617f430629364249a7059c4

SHA256
8abea72d896b952229232dd9ee65cdb47d3db4a3c62675d7ef61653437305c97

SHA512
51fb85832d35e84770e4fcb36f3d67d222f0f9ede9493c2e2719698f14e45f5483bc73692127fa0fd8a0001a7414d2118880a44178f5857f8b16d989a93fe5d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b455bd1ecba40ab2f04e8f10f61cfcb1

SHA1
64b65b053f2a13e0a7225471bb82ad1b99fe8fb1

SHA256
eec611d9ee8331983e33c5035b29514d3f305be8286c07bf48758c237d9cab78

SHA512
ed56d5b1f5aa481fc62c9017da5497c119b162d9bd201c92abbced3d45e7e429a323af6bd6b3636e0656620acacbbfd78158e0c4feca64f078725c99ebcd1daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f67b346de7d3b346c00b20d139869349

SHA1
3b53e3bea81ea28556153013921a6cd2d4ad94ed

SHA256
9a6603b1d182015a8f71c4f977912306638fd9243e17238b43d3206b022c03e1

SHA512
3bb2fef170185e9212a6ce7c0eb058d75f9591efe67c3df83a3fce0b687ecd12ce31a679a530fe89c8f17998ee661e8427b05c5b8660476638afae5018419daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1264948dfc63ca72c881425023d28cbc

SHA1
0205651c9914de7682dc35b512126d3c49320427

SHA256
47ad42be621460b73ee77a1ad6d7b75917a8af1d603e0579ddb5e24b9f15a7bc

SHA512
2f1724c46c52e05bd55957b97eb51409e7af72e2b42c030e24945c8fde5f8956f2d4cef5ab4d7851424da44bdb458b4b75a402d8ca750291215033590fba9125

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5F30.bat

Filesize
722B

MD5
2ecfd2cacad5323c26f6f893f13e7f7a

SHA1
7dab9d7757f304c29219ef7b9bfe9685543df39a

SHA256
6ad3f761da61410339b630ade4512c9fe871648bb93fdb5751d2d6bb0219aefc

SHA512
cd1af1603dafbfa41b768ae744b7947ee9549d9ded49d270c611f5be475fc482c8cb4413cd3dce6a378db2fe5e102ccfcc295de95448c32efa983bcae6121680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A02.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7AA0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7AC4.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe.exe

Filesize
2.6MB

MD5
63283f1fbf548b531be48bdaa16fe426

SHA1
5e61729e95fdce9accf098cec41e9fef53d2075c

SHA256
04db7817d515dc7093293a76cb3971babdd70122d6b77cbaf9655c6fbf06b63e

SHA512
cf75aa9270ffa074acc2434309177e1ffa94650ca5a0e059a43292310a0d917ca169a35760d7cd5a0ecc2d4b2754c8238c24db271c39fd263b0308473d233e51

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
6ff88aed67261a9080c1e62fd8bd0504

SHA1
14aed18f7ccd0e479389f111b63e79f2578001b1

SHA256
ee50a980fa1e7b2d29fc3adfa8acdeeda2cfd4937f4efe6346bfd9d0dac37a45

SHA512
4eac127c6e81a6c5c91b5276cd4a059c1fc3d78f8b5911d1c4b8fb77cb355d61f32b22c8230d55c6ac61f7ef52062dffe76f9b98dd0d18331e26a8c7eb070172

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1296-31-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/1740-21-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1740-43-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1740-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-16-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2100-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-708-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-2328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-4272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download