be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16

General

Target

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
Size

70KB
MD5

9b5e3afec7f6424af3b48ff46ff4e46d
SHA1

565d745139f60287cbf9bed567f38c11aa78ce3a
SHA256

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16
SHA512

15ae6f2a7b1c7b3b3777e0a4d1c3861e4c60287c2d357b528bb545451360842c26e15979a4892953a0e9f9a480c8f7c6510bd1be4b44f7c24843d56bb8ee6c7d
SSDEEP

1536:PFaYzMXqtGNttyUn01Q78a4Rwriw+d9bHrkT5gUHz7FxtJ:PFaY46tGNttyJQ7KRwrBkfkT5xHzD

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exebe068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe

pid process

1888 Logo1_.exe
5288 be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1888	Logo1_.exe
5288	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Security\BrowserCore\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File created	C:\Windows\Logo1_.exe	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exeLogo1_.exe

pid	process
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe
1888	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2072 wrote to memory of 4132	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	net.exe
PID 2072 wrote to memory of 4132	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	net.exe
PID 2072 wrote to memory of 4132	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	net.exe
PID 4132 wrote to memory of 2448	4132	net.exe	net1.exe
PID 4132 wrote to memory of 2448	4132	net.exe	net1.exe
PID 4132 wrote to memory of 2448	4132	net.exe	net1.exe
PID 2072 wrote to memory of 2624	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	cmd.exe
PID 2072 wrote to memory of 2624	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	cmd.exe
PID 2072 wrote to memory of 2624	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	cmd.exe
PID 2072 wrote to memory of 1888	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	Logo1_.exe
PID 2072 wrote to memory of 1888	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	Logo1_.exe
PID 2072 wrote to memory of 1888	2072	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe	Logo1_.exe
PID 1888 wrote to memory of 5024	1888	Logo1_.exe	net.exe
PID 1888 wrote to memory of 5024	1888	Logo1_.exe	net.exe
PID 1888 wrote to memory of 5024	1888	Logo1_.exe	net.exe
PID 5024 wrote to memory of 3228	5024	net.exe	net1.exe
PID 5024 wrote to memory of 3228	5024	net.exe	net1.exe
PID 5024 wrote to memory of 3228	5024	net.exe	net1.exe
PID 2624 wrote to memory of 5288	2624	cmd.exe	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
PID 2624 wrote to memory of 5288	2624	cmd.exe	be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
PID 1888 wrote to memory of 3164	1888	Logo1_.exe	net.exe
PID 1888 wrote to memory of 3164	1888	Logo1_.exe	net.exe
PID 1888 wrote to memory of 3164	1888	Logo1_.exe	net.exe
PID 3164 wrote to memory of 3476	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3476	3164	net.exe	net1.exe
PID 3164 wrote to memory of 3476	3164	net.exe	net1.exe
PID 1888 wrote to memory of 3500	1888	Logo1_.exe	Explorer.EXE
PID 1888 wrote to memory of 3500	1888	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
"C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a343F.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe
"C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe"
4⤵
- Executes dropped EXE
PID:5288

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3228

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WriteGet.exe
Filesize
892KB

MD5
fad6f914752e85a082681b82c2dcff8a

SHA1
cbd7536c82d7084c4bb9b32ce289bbc56cfe696d

SHA256
9cd390e355aa190334fe4744c37aeda54daee63ceb9bbbfa5c6717466929c9c1

SHA512
4378b61cea43c829654a1fe8553af6cc7e1b64ad7e6dd3fe4f0e2f60f28cf617b174afa9157c0be9b6cdb1dcc25cf4937a93edfcd72966184af8aa6c38496bdd

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
643KB

MD5
635e9422a0a86f5c7ac989802b0ac448

SHA1
3ea9cc1462b063639526a8d278b571f38b846d1d

SHA256
a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f

SHA512
857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a343F.bat
Filesize
722B

MD5
4982eab065660d74beeecf4d26dc100a

SHA1
231f8fffd4518bdad1e444f2baf53b024456001a

SHA256
fa370f3a2c39e75b1785c632f4fa6434c5700856ab9219c4718345feb5fd16e5

SHA512
afc1849e23609d08c55b9f71ddd340bf9db4d2e1fe1b6cd2d47c84901e3f566f712e2bc48bedfbf9f6bdaa3eb9bcdb6badd475dd36820a3d9b0be1cb68c6c520

Download Submit
C:\Users\Admin\AppData\Local\Temp\be068b340871da52490283160797f2257d6ce0016c32c14992d71260fef1cc16.exe.exe
Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
1f84b18db78866f74a67bd2659cabbdb

SHA1
a939bce6428210b23131eaf06bc7b08a5cb971e4

SHA256
3e05e2a6fc214496dd7e7200ea3b0375fb22b111e3e7bce4d4728c6b528b209a

SHA512
21a24ce58d7e8555d3ac8fa48f8efe648215caf2d4692564a5015f241a8abd62492dda085d48630eac588602b9ef53bc939f633e2771a05562468545104d81e1

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini
Filesize
9B

MD5
ef2876ec14bdb3dc085fc3af9311b015

SHA1
68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

SHA256
ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

SHA512
c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

Download Submit
memory/1888-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-2797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-8656-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads