38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b

General

Target

38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
Size

98KB
MD5

0128c540ec430ff8b746c42c485e4dc9
SHA1

15274f68e9096329f4647f75bdbe333503e45274
SHA256

38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b
SHA512

15067a3abe8b5e28e20bad97ddec3aae7340abb85b554a4b9049aea8e6029ab64837e588f845e5210abd832c8dd5a5eeb27b5fa990d4d044e6a766236d482f86
SSDEEP

3072:80e+azbRPrlr9RXFHLK4ddJMY86ipmns6S:Y+azbRZvNKCJMYU

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe

pid process

2496 Logo1_.exe
4336 38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2496	Logo1_.exe
4336	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\EFDFFF65-1A55-4E3F-ADB6-89E563AD2004\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\EBWebView\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exeLogo1_.exe

pid	process
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe
2496	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2420 wrote to memory of 2784	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	net.exe
PID 2420 wrote to memory of 2784	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	net.exe
PID 2420 wrote to memory of 2784	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	net.exe
PID 2784 wrote to memory of 3664	2784	net.exe	net1.exe
PID 2784 wrote to memory of 3664	2784	net.exe	net1.exe
PID 2784 wrote to memory of 3664	2784	net.exe	net1.exe
PID 2420 wrote to memory of 4828	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	cmd.exe
PID 2420 wrote to memory of 4828	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	cmd.exe
PID 2420 wrote to memory of 4828	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	cmd.exe
PID 2420 wrote to memory of 2496	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	Logo1_.exe
PID 2420 wrote to memory of 2496	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	Logo1_.exe
PID 2420 wrote to memory of 2496	2420	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe	Logo1_.exe
PID 2496 wrote to memory of 4064	2496	Logo1_.exe	net.exe
PID 2496 wrote to memory of 4064	2496	Logo1_.exe	net.exe
PID 2496 wrote to memory of 4064	2496	Logo1_.exe	net.exe
PID 4064 wrote to memory of 1448	4064	net.exe	net1.exe
PID 4064 wrote to memory of 1448	4064	net.exe	net1.exe
PID 4064 wrote to memory of 1448	4064	net.exe	net1.exe
PID 4828 wrote to memory of 4336	4828	cmd.exe	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
PID 4828 wrote to memory of 4336	4828	cmd.exe	38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
PID 2496 wrote to memory of 528	2496	Logo1_.exe	net.exe
PID 2496 wrote to memory of 528	2496	Logo1_.exe	net.exe
PID 2496 wrote to memory of 528	2496	Logo1_.exe	net.exe
PID 528 wrote to memory of 1776	528	net.exe	net1.exe
PID 528 wrote to memory of 1776	528	net.exe	net1.exe
PID 528 wrote to memory of 1776	528	net.exe	net1.exe
PID 2496 wrote to memory of 3336	2496	Logo1_.exe	Explorer.EXE
PID 2496 wrote to memory of 3336	2496	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
"C:\Users\Admin\AppData\Local\Temp\38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF4FF.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe
"C:\Users\Admin\AppData\Local\Temp\38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe"
4⤵
- Executes dropped EXE
PID:4336

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1448

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
264KB

MD5
82aff40c160a0a881bf7a0fa4b647957

SHA1
dee101a59ad91bf0065dafb0fd680c339c110c17

SHA256
c0025a5dc9fd03e01f08941e4163078e5ce9adc3401c1e1da6441c27cdf0d0a3

SHA512
de32bf34a53fa0c80ba3b1277ff42f708fba5414f6d281baada7bf1268d4cebf09c3fca613b73962ba112c22ba6690689a0c2727d63e2a8adbe0868ba2ec6ce5

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
583KB

MD5
ffce7186affb98d402348d8e067a924d

SHA1
7f1c92939190eb24cb037addc8ebc9a239284948

SHA256
5f01a5bc2e2c29e93955ede7ae878f843d7b9dcb63064127b29fbdde28489385

SHA512
3e70387155d76edd1b819c065dc11748291e78371ba129931eb939d7dd12e78537862b190f9b317604812830c9bd703ae451200e03d5006a23c5fcb62f73ae90

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
494KB

MD5
1b817b54adfc26cf7040cf6cf292d1da

SHA1
2f0ab6c15c9e98b86ef9ec7018244ee9b30a8e9c

SHA256
d3009c1cc3dea487478340c9c95eb10bff9d668b8307610ccca19ad865bfb08e

SHA512
08bcdaae2b2272453aa74669e2b95b221e588ad75421e936454c167155d58e3afa6ca1a5f2a5457130907b4df51217634bcddb18d7427bd4051124e84d280b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF4FF.bat
Filesize
722B

MD5
8330d85bdd2e6254554c244438c6f495

SHA1
cd1f7262d565313e682544f9e166f637c5122b4a

SHA256
0f2db1d806a3f264af1ff735fadfdc540df6eb2aab57e82cd4fa1df5749e16f3

SHA512
13de58800330b1c6beb78b7c8d9586a75fcbe0fdf255e4790e7d55b256edcf9147fccd168784396f07dca0728a93dba24f19930c283a8a403f3e223155a56abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\38cf9411519069bba7943792dd7d5d0f94177329a93cfd3a7312a9146ca6ee7b.exe.exe
Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe
Filesize
39KB

MD5
0c66c78eb026971356126503c6366615

SHA1
0a6ff1ba641cbda042328329393fff95e356f94b

SHA256
7db6e7b89825e97a70ffddd87caf6a9b6296134a89388986ea4867359903f260

SHA512
b5a781cf4eda3414c0c0ba6f1db084f5d19d7df625c587bef83867d1f6bec8a0e96789015acb15adc5b7572fcd203458a26d5a1a00aa6702fc77eb3b08f20495

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/2420-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2420-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-874-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-117-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-1990-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-2497-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-5593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-8138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2496-8819-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads