a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9

Analysis

max time kernel
150s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
Size

29KB
MD5

f600d3b05604eed2eb0e978ecaec3752
SHA1

c7e79069cd2c171d732cf22ad3c471200b8261a8
SHA256

a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9
SHA512

81fbc800450084e269e715130f3097c432ced7dcffaafffcc3c9b7f42fabc8ac24bc4b2d12f36cc84a1427335abc728fb53f648bb0e874ba582f87e73d56ff51
SSDEEP

384:NbbbKDvJ3IZrJY1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzL:pGJYZ+16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\J:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\I:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\H:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\X:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\W:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\V:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\S:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\Z:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\Y:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\T:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\L:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\R:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\P:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\M:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\E:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\G:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\U:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\O:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\N:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened (read-only)	\??\K:	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 372	2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe	83
PID 2232 wrote to memory of 372	2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe	83
PID 2232 wrote to memory of 372	2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe	83
PID 372 wrote to memory of 2268	372	net.exe	85
PID 372 wrote to memory of 2268	372	net.exe	85
PID 372 wrote to memory of 2268	372	net.exe	85
PID 2232 wrote to memory of 3464	2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe	55
PID 2232 wrote to memory of 3464	2232	a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe
  "C:\Users\Admin\AppData\Local\Temp\a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
247KB

MD5
490b33a98d5ebc7a17a6566fba0c7ef1

SHA1
9ac668ab118d7db0d51b711935be6386c461ab7e

SHA256
6b3411f97fb00fc59098fc6b6c9d0c2642df5d5e3a12b7b113923ef33f1ce78d

SHA512
9bfcc8564261cb40f1d4db53fad1f1587d5959409ae4c9628b8951415a54e382e1b5bb8b3617e53135b41ffaafcb842efcb7525feea99f88df83e48ff6f1072f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
173KB

MD5
1f7051b575be5737e95f73f9aac86a62

SHA1
bec6c037a27297b89f8e71b2f5672153bb512008

SHA256
9fc85bc356767616b29cccd5fdb1258f3aa1b2981896dcd7769fd7f40df512d5

SHA512
d13dfb19d90bada4461f83c46c1593426b9f30e8cee47917d902b530eea0e97c5c98f4f056a3b16fbc63e8740500da2d5c80a0e3be07ed02dd359a9f22e85fd1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini

Filesize
9B

MD5
3441ca64b7a268fd1abb0c149aa9e827

SHA1
977a6be7624a5ff4ea1de4f422b44b4974c17827

SHA256
fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99

SHA512
84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-1222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-4786-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-5249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download