Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
  Resource: win10v2004-20240226-en
General
Target: e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
Size: 2.6MB
MD5: 55f2ac98ecaf89e0d3b770704951de97
SHA1: a810a392ff8300b2299082fbc87a172948ce0ee7
SHA256: e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2
SHA512: c19c961b919685e8fc1373b7afcfaa65561234bc3ba29cae3d8c424c83f521e8bf6a2b9e4db6cc98737dbe56054a050a6559eb2354c809d134d64bceb344bef0
SSDEEP: 49152:/74QjRFxhHmPJhtG6ToOKK6j+BpriB55IKNdyVTvKSRr42/rTmJ7kgRgOP:UUFdKdBpriH5IkyVTCZ2OhkgT
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
Executes dropped EXE (2 IoCs)
pid | Process
1360 | Logo1_.exe
4980 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\edge_feedback\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\edge_feedback\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | Logo1_.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
File created | C:\Windows\Logo1_.exe | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101194" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "840264449" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101194" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D3246A7-FCFD-11EE-B9F7-6655CA8B1A37} = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c05b724a0a91da01 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000002d21729b475a157cf273143899014cf8d1bf9c1cd87ffdde37e3293fda9c540f000000000e8000000002000020000000cb75606bfda399404423e70690b9f8edfa1ba028ecaf63e7a157fc47afdbe4a720000000c4880dd5cd3dab181d4df5e6f3156880e0e59ab2b5596f3951bcf627bdaf02c840000000567746a893038359cf8fb00b8d3304df92730d43dc454406798012c64116154efcf8a5ecff8932be27363da57380d9ec1f15e08d3e5b69be6e6899118de912f0 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "840264449" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101194" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "860891370" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420152538" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80298a4a0a91da01 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000003a0df4b23605124e35be41c0be8608ecd43c61bf0213e7bccb4e0b83b9286b3b000000000e800000000200002000000053624a3d2c40e88812128ad9e1f127ffcb9632779ea963559f6f0fa82f9d365b20000000de555cbf323389ccc69decf98757e45e3f03d709e0f810974ed8bf791ad6862140000000b2bc35e9893a3d2837989dab95680c813acb463faa67d20781a4ea8b0b416d898783d3d397c88beaeec261fcdf997f48c9534548ca4ea324b3c8b48d293966f0 | IEXPLORE.EXE
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
1360 | Logo1_.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
4384 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4384 | IEXPLORE.EXE
4384 | IEXPLORE.EXE
2100 | IEXPLORE.EXE
2100 | IEXPLORE.EXE
2100 | IEXPLORE.EXE
2100 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 3456 wrote to memory of 3368 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 91
PID 3456 wrote to memory of 3368 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 91
PID 3456 wrote to memory of 3368 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 91
PID 3456 wrote to memory of 1360 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 92
PID 3456 wrote to memory of 1360 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 92
PID 3456 wrote to memory of 1360 | 3456 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 92
PID 1360 wrote to memory of 3360 | 1360 | Logo1_.exe | 94
PID 1360 wrote to memory of 3360 | 1360 | Logo1_.exe | 94
PID 1360 wrote to memory of 3360 | 1360 | Logo1_.exe | 94
PID 3360 wrote to memory of 692 | 3360 | net.exe | 96
PID 3360 wrote to memory of 692 | 3360 | net.exe | 96
PID 3360 wrote to memory of 692 | 3360 | net.exe | 96
PID 3368 wrote to memory of 4980 | 3368 | cmd.exe | 97
PID 3368 wrote to memory of 4980 | 3368 | cmd.exe | 97
PID 3368 wrote to memory of 4980 | 3368 | cmd.exe | 97
PID 1360 wrote to memory of 3372 | 1360 | Logo1_.exe | 57
PID 1360 wrote to memory of 3372 | 1360 | Logo1_.exe | 57
PID 4980 wrote to memory of 4816 | 4980 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 98
PID 4980 wrote to memory of 4816 | 4980 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 98
PID 4980 wrote to memory of 4816 | 4980 | e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe | 98
PID 4816 wrote to memory of 4384 | 4816 | iexplore.exe | 99
PID 4816 wrote to memory of 4384 | 4816 | iexplore.exe | 99
PID 4384 wrote to memory of 2100 | 4384 | IEXPLORE.EXE | 102
PID 4384 wrote to memory of 2100 | 4384 | IEXPLORE.EXE | 102
PID 4384 wrote to memory of 2100 | 4384 | IEXPLORE.EXE | 102
Processes
(process tree; indentation shows parent/child nesting, depth in brackets)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3372
  [2] C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3456
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF30B.bat
        - Suspicious use of WriteProcessMemory
        PID: 3368
      [4] C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 4980
        [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
            - Suspicious use of WriteProcessMemory
            PID: 4816
          [6] C:\Program Files\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 4384
            [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4384 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID: 2100
    [3] C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1360
      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
          PID: 3360
        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 692

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    PID: 5084
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 251KB
MD5: 3a4ae7d36a409e517a8b88e7c8884f43
SHA1: a1131b4bb058dc5d5200e265ab93a2e6f706691f
SHA256: 0e03a0de5ba761adc588229fddca341da31f1c3e2a0d8787ffd2f04aa2c7375f
SHA512: 73a23fefa570f033b9126abfee56bbc20ade32aa98e9887ea5cc81b54dc8349eeb79b1c35b10022e5560cf3055304be278762a3d62529204638c3c1cdbbb03eb

Filesize: 570KB
MD5: abc39bb762c9fdd1df9c48340d1239ca
SHA1: af372f979fc9ca1c41de73510dfa05f3cd89f887
SHA256: 1b722ae85b8c09e3a993db4b39131a4c4aba3bf86549b48e94f3f4e1f5d6c506
SHA512: 3eff4ded8371184869f407a347765d0574281634f33ae99b96bc28c405fafe2f721c9969eba56a22815a4fce7a4fc478b32b1f16ce4be99e10d6d548f3a552e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 5886ebbb06bf5a12f0dc4ddef0815261
SHA1: 7e1f7bafed4d483f4add5636aa87c589f6e4a92c
SHA256: 79ce166b0137a3ad2c42f02a97b0e52d73032eb31c520e71405820250426c6c4
SHA512: 2dd350196a0cc8e339065603a6459cd7704e413f95202a38a4b21c0c6fb85609c2b794e517675c270eb9881b73f11b000b647c539a129c301d38b16d6bdf73e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 573064140ea52a656d2ff2bb9592a248
SHA1: 701f0d5af2bb465ab8d2dc0346e792e3d536540d
SHA256: 32e7e6631826ee93e612306153b079f82197e3b646d7a5cc70c35d6bc19a149c
SHA512: 3bb8bc9fbb13dca3727626f1aaf49929467b82113b05601d4c8e1785926d6dbb00ccd6daf4b8ea61f72bc5d933de6bc3cc3049d5f906e5715620873c9e510ee4

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 722B
MD5: 89f138fbc828f6210e823cf29161a4ee
SHA1: 01e8501b739bd5107984cf27f0613190910de481
SHA256: b6f21ac4a67eba969c194c26bcbe1444d9fe29e55ec95d2b222288e2118b1ee2
SHA512: cbd6f66263b85d948726e3b52bb0fbd0574b88fc954b434be5c5b0d030fa3a0d418b629cc758496b198ad35cce6f2e31749e3db655c616a77ee7dc28d3fbb0d2

C:\Users\Admin\AppData\Local\Temp\e3500312be49cde8dce63a9dbae27b94a8d739b79b6ddf0a395f62e81c6870c2.exe.exe
Filesize: 2.6MB
MD5: 63283f1fbf548b531be48bdaa16fe426
SHA1: 5e61729e95fdce9accf098cec41e9fef53d2075c
SHA256: 04db7817d515dc7093293a76cb3971babdd70122d6b77cbaf9655c6fbf06b63e
SHA512: cf75aa9270ffa074acc2434309177e1ffa94650ca5a0e059a43292310a0d917ca169a35760d7cd5a0ecc2d4b2754c8238c24db271c39fd263b0308473d233e51

Filesize: 26KB
MD5: 6ff88aed67261a9080c1e62fd8bd0504
SHA1: 14aed18f7ccd0e479389f111b63e79f2578001b1
SHA256: ee50a980fa1e7b2d29fc3adfa8acdeeda2cfd4937f4efe6346bfd9d0dac37a45
SHA512: 4eac127c6e81a6c5c91b5276cd4a059c1fc3d78f8b5911d1c4b8fb77cb355d61f32b22c8230d55c6ac61f7ef52062dffe76f9b98dd0d18331e26a8c7eb070172

Filesize: 9B
MD5: 2be02af4dacf3254e321ffba77f0b1c6
SHA1: d8349307ec08d45f2db9c9735bde8f13e27a551d
SHA256: 766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16
SHA512: 57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0