87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
Size

88KB
MD5

d386bb351fddb626b8b9bc5ef4d25c6e
SHA1

976d783c5286f25443bb71e39859bb0edde2b4ec
SHA256

87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407
SHA512

7af1c21a99961d3cf316f919ff257390af55805328f3d9848dbbd63cee21d9a9fbcd97e02c911f4a4e0f7074c53db4275ac10e3d459305019e1417ef7b68856c
SSDEEP

1536:8GKFe+Zk7VJbwlYXjPrsqrZMYR5p8w22zHxvuS6YGJYjilZrPMC5V:8GYe+azbRPrlr9RXF36Y0ZIC5V

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1404	Logo1_.exe
4172	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
File created	C:\Windows\Logo1_.exe	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe
1404	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4524	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	84
PID 4744 wrote to memory of 4524	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	84
PID 4744 wrote to memory of 4524	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	84
PID 4524 wrote to memory of 4420	4524	net.exe	86
PID 4524 wrote to memory of 4420	4524	net.exe	86
PID 4524 wrote to memory of 4420	4524	net.exe	86
PID 4744 wrote to memory of 2172	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	90
PID 4744 wrote to memory of 2172	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	90
PID 4744 wrote to memory of 2172	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	90
PID 4744 wrote to memory of 1404	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	91
PID 4744 wrote to memory of 1404	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	91
PID 4744 wrote to memory of 1404	4744	87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe	91
PID 1404 wrote to memory of 4860	1404	Logo1_.exe	93
PID 1404 wrote to memory of 4860	1404	Logo1_.exe	93
PID 1404 wrote to memory of 4860	1404	Logo1_.exe	93
PID 4860 wrote to memory of 2564	4860	net.exe	95
PID 4860 wrote to memory of 2564	4860	net.exe	95
PID 4860 wrote to memory of 2564	4860	net.exe	95
PID 2172 wrote to memory of 4172	2172	cmd.exe	96
PID 2172 wrote to memory of 4172	2172	cmd.exe	96
PID 2172 wrote to memory of 4172	2172	cmd.exe	96
PID 1404 wrote to memory of 2560	1404	Logo1_.exe	97
PID 1404 wrote to memory of 2560	1404	Logo1_.exe	97
PID 1404 wrote to memory of 2560	1404	Logo1_.exe	97
PID 2560 wrote to memory of 4056	2560	net.exe	99
PID 2560 wrote to memory of 4056	2560	net.exe	99
PID 2560 wrote to memory of 4056	2560	net.exe	99
PID 1404 wrote to memory of 3540	1404	Logo1_.exe	56
PID 1404 wrote to memory of 3540	1404	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
  "C:\Users\Admin\AppData\Local\Temp\87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E03.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe
      "C:\Users\Admin\AppData\Local\Temp\87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe"
      4⤵
      Executes dropped EXE
      PID:4172
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2564
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
ab6e14fd3b3b82a74d70dd03d0a8e116

SHA1
e8263c09ed7968ab04e1459ad46041ccdd9ff5e9

SHA256
03dda7016a22dd98411b67875e2fe461c960b068fbcb019579d8392530b41571

SHA512
851e9288ba102d5eabd34d887b70a883307bce31ccb4c7eeaf2b3010cb6bb9435a9c0261bfdafb4a0bf4046b6bc7928cbfb62599269a9c197ec2f83efaf258e8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
583KB

MD5
612c71f176cbb3a987994ef9d580f372

SHA1
ab77fb255f0b3da4d50e3cdbf649c87188373a62

SHA256
6ad09d061abc19754e50e37200a4c935dda0d4a33b03f4ff9c16bf58bf8f1be2

SHA512
57a5d59e2b2892b17d769053ffc44957b7a119c43bab4528f9ea744b7df146dd0db25c82420e97515811c8a3e0dd8b6caf90b100a3a3dc2fb0fb0fe42cadbd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3E03.bat

Filesize
722B

MD5
bfc0a1580a501d4f8e2765f131b58dff

SHA1
4201c06bdbde9db80d75e09a92439f82c39101c6

SHA256
4480ecfefcb7ab3c6eaa09aa6594caaf9029d593dd688e0d7e9e3f611775db67

SHA512
38817c0572807ddaed44cdc7ef63a8d27f6614822fb6e755e6b8bf138b08727cf60a1499545bb954d6904992f87f140ec137fa5dd870e148e75b00a26be72e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\87347ec679ce4a6cf51a074e4d80856f97e4f2d3fdf47a3cef943430abcc2407.exe.exe

Filesize
48KB

MD5
422a02111fabd3e229ffd105d6054f56

SHA1
7930d07dbc89c1113eec7cbd492daf3a025939b2

SHA256
2d6bd317e34216f318ce9fb34fbc24e6260b1472930a8c0f126792f8ff821a9e

SHA512
a46b5f8b6cb3cf2cb9714a0708ff63dfe4b543ab4a651f2b8ab93ce54ae77e8c7f6d67a8d9d4481957ada966f778ac6d1cceb24b1d8bbad2a6bca77b0bc9ea59

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
bc43e3c481e7fbe3ee697f9017cf4c1b

SHA1
6a76534a3a4bd72437b06bdccf1475846d7a308d

SHA256
c33f277a3cea2a938fc05fda7bf9b9a0ae89474eaacf6b0b6223e07eb4ec3b6a

SHA512
e5c2f3485b7573a6638f6d5ea2907371efc68b35655739e8e0c8f841de9c2d302b246eacb9627912cee5dd7ab0a9f7f652e73eb7d1925ddde20bb92e29310ce1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini

Filesize
9B

MD5
f29b71f66ac42a28a8d1e12a13d61861

SHA1
bd61fbc8b6eed4cae3fa29d7b950784258be10cd

SHA256
9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

SHA512
90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

Download Submit
memory/1404-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1404-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1404-5215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1404-8693-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4744-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download