504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
Size

673KB
MD5

eef95824599c1dbe16300e150ad781ea
SHA1

1e1dfd666565885fba88c805aacaffe62075cbe7
SHA256

504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726
SHA512

a3d5d4557e8fc068a137ae7fd01feb304cc5d937c91b9b200908e70e522a5997876a1a0c347db26671cc2d53a928320da7b1ba60bbed756de420942d87c9da12
SSDEEP

6144:iTVfjmNintDDE565kzLGKlMy7j6soGtLEKyyK29PRgVIR:ip7+intHE565kzLGnAj9XLESn0VK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2180	Logo1_.exe
2588	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
1256	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
1956	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
File created	C:\Windows\Logo1_.exe	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000e73e58e02e793cee7adcfc5a27631f1a0e5ce9a2d78ae911e5791d615aa772a1000000000e8000000002000020000000ba131773ebe66c4edf6c211b72c050e9392a063f6f9c262f1e42a9c40f729269200000003ca7d21f48689dcb5a64c80f60a6b23f5231839715f4af7d1cf11db282b178e440000000af72bd8445574994ed967272e133e579b736b992b0fe4521d74b73a6c2af9a1fb905b06bfa57527e2325ce643fb41dae8e7af6273e1240e1a4b5272fa0e66834	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5544CD1-FF4A-11EE-A635-D2EFD46A7D0E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d06abe5793da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419802640"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000254abcb4cc1af2a6b1ab9d4a8d823fbfa659ce46814631d21be12ce400570129000000000e80000000020000200000004d50ab64aa68f72553de2680ca1081469284d516b634b17cf8795fc5bc09d7f0900000002dbfe38353713d8cbf95787db145435ca89b560f4208c8d030adaab23261c8880690b32f7291e3d150dbe7c9c18b7c5226e4daf94a6ef0deb90fcfbaaba87b0fa566680542978e2ecb218800e25bca53bc6476b783afc2012033ec3b21394282c3d7efdc283b9bd6753c36cb96c8b36053a76ee2532ea017e6d7aaf202fa65f8c9c8b7d41b346a347d0fb3c7dd6f8bd540000000d062d85bcb7e8a37c28e8f7ba8a9f21a880ff257c3a01ed01a748c9d3fd0b36c4edcac824b233ea8531da7815d0c7e78136639024f93b4f9d59a9e4df88fdba5	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe
2180	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2732	iexplore.exe
2732	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1956	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	28
PID 2320 wrote to memory of 1956	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	28
PID 2320 wrote to memory of 1956	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	28
PID 2320 wrote to memory of 1956	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	28
PID 2320 wrote to memory of 2180	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	29
PID 2320 wrote to memory of 2180	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	29
PID 2320 wrote to memory of 2180	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	29
PID 2320 wrote to memory of 2180	2320	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	29
PID 2180 wrote to memory of 2488	2180	Logo1_.exe	31
PID 2180 wrote to memory of 2488	2180	Logo1_.exe	31
PID 2180 wrote to memory of 2488	2180	Logo1_.exe	31
PID 2180 wrote to memory of 2488	2180	Logo1_.exe	31
PID 1956 wrote to memory of 2588	1956	cmd.exe	34
PID 1956 wrote to memory of 2588	1956	cmd.exe	34
PID 1956 wrote to memory of 2588	1956	cmd.exe	34
PID 1956 wrote to memory of 2588	1956	cmd.exe	34
PID 2488 wrote to memory of 2672	2488	net.exe	33
PID 2488 wrote to memory of 2672	2488	net.exe	33
PID 2488 wrote to memory of 2672	2488	net.exe	33
PID 2488 wrote to memory of 2672	2488	net.exe	33
PID 2180 wrote to memory of 1256	2180	Logo1_.exe	21
PID 2180 wrote to memory of 1256	2180	Logo1_.exe	21
PID 2588 wrote to memory of 2732	2588	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	35
PID 2588 wrote to memory of 2732	2588	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	35
PID 2588 wrote to memory of 2732	2588	504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe	35
PID 2732 wrote to memory of 2428	2732	iexplore.exe	37
PID 2732 wrote to memory of 2428	2732	iexplore.exe	37
PID 2732 wrote to memory of 2428	2732	iexplore.exe	37
PID 2732 wrote to memory of 2428	2732	iexplore.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1256
- C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
  "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2194.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe
      "C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2428
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
88a7dac99617788a3f6e9e10f9ac447d

SHA1
c2adfcd7118facbf99366d28337665ce802baa1b

SHA256
284e0eb238a30fda222ad9ecd9f3dc0acd6aef33027562e0fa878e17d54a8d0b

SHA512
6fb722713b705434816e30bdd3e26a68553bf4ba184ca6d59e47e61dbfc2ae4b72833a573e5a263f33f183e0ad6f2ab3c7e0b6e84cacd49d08d5921f3ef1e156

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
471B

MD5
7737dd648162eed418025ad0648e9f2a

SHA1
d9ed1ea359d2467e9382eed723d9fef8dfb123f4

SHA256
024fd0b8305f2f70c542667716d7ebb95e7c304ff2a41b984bc6b1ffa78309ec

SHA512
8d2d615da2b3cd2f2f82c0f981dd71eb678dcc70eb753854db57824e018d94a08ef8f49b16a880f759e778b7291338ee31cce0b6f4d7f869f5ec5a89152f2514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
625dd733bca8154381273e2f44ac5286

SHA1
319d71f1c494c703de8255578c9c22990c8d8391

SHA256
1b1fd8b533d12c7a0a9fa7e09c4e45aad5c7ede3b79af122fca384d246c0bcb4

SHA512
d720e4bb874f4737d6f2b8abd31c9e3638a8251253976d0e473b7b2515ee9e43454553a6242f216394bb3cc78e04abafe95bfd65ab2ef481d81ae6e7febe6158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
888b094e6022c16857dc5888a70d9ea5

SHA1
973cadac350e017428e827d1c19ba523c86ca0e4

SHA256
3af86939f8397c4e2121c2556ba8c0eddd089ed02c50584dd68738557f1e09a7

SHA512
5c4169791089cd35d289b8c1d6d5884645eb9ffe80e3f6f2c7ce6630cbfa989f0c224a3de1608ebc2c8159bcf8f00fc88bebb561f7aae6fd963423ab2422b248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce9448646eab1d68d45254160c788e2f

SHA1
f47956522df5c2fea6e9b1780f8365a5e649fa92

SHA256
e4ef9facac69ad4a741ed34fdf1aebbd8d9f1dae2b76c52b95618e357ef94026

SHA512
852154bc21dcba40db912331a8baf61e61e6d6669a675098e2b0a56a3da42955b42efdddafbbc67e366b3de04a0bf6152cc884ea4348faf07f3e33f28d5ba753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bc17d73905ea1ceae53a305f8e667df

SHA1
213310f12b962d4ed34c6cb7f94c8050b9274c65

SHA256
63c0f69391074a8a88f3c539543c2ef20b8445e2a24770cbea5cbb9f1bf9ec43

SHA512
fc2bb5564fc41eea632de935375a79244330d4f53bd79336e39ffb0c1339c991ea764049b3d390292bda6b05427030b920a54153b84c08be728117017292f0fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5496ceca8f8388d1f7ad3c864496f55

SHA1
741878df41882712ec1f03e6e852f7c8bf01c913

SHA256
af4fbcbf9294d68cacff303d2a41d174720a03d213eedf122c67e80479076149

SHA512
dbafed225edf38261cec151cf102ccdd91bb0b020370720d991848e596b83454143db99f353758b5c21290b96a336e0c087548817e0694cf3abfda62e0a4e927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34cb6c533513a21459b4787f68e493ab

SHA1
8d546d8a9381fde49361b32c4fec9188cf9bddb9

SHA256
598b24e43a7cddfcf93fa62308ba3d1c4b4546d871baf31d36fbb7e4bff2f172

SHA512
b42d08ee02e6adea90d09475c82ddabd1d3d62c07b765464becfc706e51a5e2001867f93af2dcb373b2d264ed4906c1fa7f1449fffdd0ea7c73aca1925b0fa10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1054a41ae11029c2250f934b452244ac

SHA1
934b73e80b9d01e596bfdf1e7c6ac6cee2e38058

SHA256
71f61168cb160bb381d6484aa03df59e8fc2028900476b7684b564f47ee7c773

SHA512
61bd5c1e03c9c417726024ad6cfdb7e94fd7f29a31823f8f0fcf9685d4a5d77787c83a10405d3c3c9371c38264fe8621803c789e0c45b305e0e4f417f4032c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
014cb5df10e0547cab7071d252327309

SHA1
f46bec1a4f7fd15d451924b751fef5f6ff8a7a99

SHA256
a24c8797e59ab3d51ea1cbc79954277276678ef976f871acb31743e46ee9a577

SHA512
eca87a2e10cfa66d34e11ef94f32fd00699a6d13b9d17aede67ec6e76b6e1bd33e383f34e08512df5d5753b1ca58d748f7771d0279e89aebe21a7d5ffb8732b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8245acc602b1a2757eebd261873e4feb

SHA1
f23d038e1a848d7c6f406763e42d2df5fa82d33d

SHA256
cbe55fd3c3b4fa96810b12d760935562a247747cf45cf5bdad7bb6200bd634ab

SHA512
65f518ee6b6765127e970b9947699e0e898aa9b21475ee87ff4f6795b331dfb1c63870a11b0e715770761ad9a6f680e6322ab3ac732fc5e80582b1348cdee2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67b7e0fa6e2eb8ab9de4643b10636a84

SHA1
144ca30f845d259eb162f67ca4a5898ed6798b40

SHA256
3eba7c50fc535a19ffde59e7db3652c29bd6794873dbc89cd35c9652b47bbbf2

SHA512
3c2dce4d1d0ee7f1a178b62a6f635e739e4b1645b29c5bfdb8b28ce4f88672abae385c0b15f69a1bf425fc3b0267cff0a39615c6e968f543e9cd627da3a5b9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06de59124d1264e330e371ef6f18e56a

SHA1
b9571de69868ed79f913af9cc23d478275b1a563

SHA256
310f2ee59be7d4b7a15c3ea931da0a5a360a2fb2669dc3d79c1158eea08b4c79

SHA512
cb8d4a0646663bea046bde1bb1a2c98a8afb576b42d29c41ef9a1177f08db140e7f61a18563e997ac1b0d4745dafb3468cc09fb39d1d71b933e3eddd196e4ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6c8902a69e607d2fe9e7c4f1dbe26c3b

SHA1
2ff7761f6ef91c3eaacb118134b64b40a7c70e5f

SHA256
26d86c0e0f8840b5e88bc92943656c5106353086096cca741243f6a13ed7c69b

SHA512
7d45de26ed252f2adc73b3eab52357b9f571599868fdc90685675ae5ed7bde007ccca2f9afa21a128d207141b85da69b05480fabc80bf609f0ff8e7d8d7d0a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
381a49084948429e59ace8276907b9b0

SHA1
cf7f5859c1c26fc72a2a0eb1dfe3691779776373

SHA256
620a4f721220f1ae61ad8ce30389b3f7ea205a4d31cd6ea58b29593771682326

SHA512
53b72a00abe79eb09dbc0e0cb21c232f65c058c10519b448afc9ab5d03df9c390f59cbac985c8e882a43d8c3675b9ed4f6bde60619769bd6cbd15c08bb8494ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2194.bat

Filesize
722B

MD5
9c9b1b1965c0d9192b7a76488bbdf6a8

SHA1
1fbfe99fb71f9cf048c27d2b9ca1e90b526ce54c

SHA256
b1c85c3bcedd4f65212b106cd7e3fa06b8fbee87c0796750744e37212dd75343

SHA512
6a0021ed2a1a5a0f2971e40b6a6d7d42f6ce1258b1c1e2f289a64e98c340cd6538fb51678486592b754ea17700aee773465a6d3962973c76381f4fed89e77050

Download Submit
C:\Users\Admin\AppData\Local\Temp\504dceb0fd1e1144dcab0899ab891aa7e89778cbdb6296e750c7054addb30726.exe.exe

Filesize
647KB

MD5
4b7610b2ba975260a7b5dc7c75dbcf1c

SHA1
499bdffa3bf2e1bb491f779038fe00c7b490b006

SHA256
fa6547b900576cd637233033849f2467aa37c0b93b5e0daef977a90e6c242d58

SHA512
4f95407d83c781bd2a07286ce8c94531ffe7609bec62532d08760f0c2be63333f8d44bc5132cb386c0f018bff64667f4ee521e98cfee274738c0b533bcb9c507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7264.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7276.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7395.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
033f832ce1346b7839ab0114b7d46349

SHA1
339553f046186e54c91ea18765bfef551701f37b

SHA256
771a6d5ca90b397c56e449ed8c2966364db1f6774dca74b74fe0f6eed8db4226

SHA512
e6a2ac92e6cac4774e5d3f8438388dacbc8359f60c40a6c76574d87de6da4ae65e06008c1d060f1c50a2804d432981105e71cb89a8ba65c2b1095da9eb951858

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
27729a3995958245e2d6799df42e26e7

SHA1
dfe386f53277c8387b50122f3fda9bc2467815ba

SHA256
9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

SHA512
ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

Download Submit
memory/1256-29-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2180-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-1043-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-1848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-2957-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-3458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-4417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download