46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a

General

Target

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
Size

93KB
MD5

4c4135b941383e1b9ef40bf720d3f24a
SHA1

1b687f3100fbb9fa3941b9afcb57111e0cf44ace
SHA256

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a
SHA512

1b0dc94fc169ed94cc77a17fc03392973c82b9f78e4d82502484e0b426acc470050c4b2bfe360046e781f1448618e894680c183f1a015ee1662b63950f543d3d
SSDEEP

1536:JZ84UaYzMXqtGN/CstC9qVFeyapmebn4ddJZeY86iLflLJYEIs67rxo:JmaY46tGNFC0VFDLK4ddJMY86ipmns6S

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe

pid process

4684 Logo1_.exe
1808 46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4684	Logo1_.exe
1808	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Notifications\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\notification_click_helper.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
File created	C:\Windows\Logo1_.exe	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exeLogo1_.exe

pid	process
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe
4684	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 3844 wrote to memory of 1208	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	net.exe
PID 3844 wrote to memory of 1208	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	net.exe
PID 3844 wrote to memory of 1208	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	net.exe
PID 1208 wrote to memory of 3100	1208	net.exe	net1.exe
PID 1208 wrote to memory of 3100	1208	net.exe	net1.exe
PID 1208 wrote to memory of 3100	1208	net.exe	net1.exe
PID 3844 wrote to memory of 2600	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	cmd.exe
PID 3844 wrote to memory of 2600	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	cmd.exe
PID 3844 wrote to memory of 2600	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	cmd.exe
PID 3844 wrote to memory of 4684	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	Logo1_.exe
PID 3844 wrote to memory of 4684	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	Logo1_.exe
PID 3844 wrote to memory of 4684	3844	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe	Logo1_.exe
PID 4684 wrote to memory of 3428	4684	Logo1_.exe	net.exe
PID 4684 wrote to memory of 3428	4684	Logo1_.exe	net.exe
PID 4684 wrote to memory of 3428	4684	Logo1_.exe	net.exe
PID 3428 wrote to memory of 4988	3428	net.exe	net1.exe
PID 3428 wrote to memory of 4988	3428	net.exe	net1.exe
PID 3428 wrote to memory of 4988	3428	net.exe	net1.exe
PID 2600 wrote to memory of 1808	2600	cmd.exe	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
PID 2600 wrote to memory of 1808	2600	cmd.exe	46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
PID 4684 wrote to memory of 4912	4684	Logo1_.exe	net.exe
PID 4684 wrote to memory of 4912	4684	Logo1_.exe	net.exe
PID 4684 wrote to memory of 4912	4684	Logo1_.exe	net.exe
PID 4912 wrote to memory of 2076	4912	net.exe	net1.exe
PID 4912 wrote to memory of 2076	4912	net.exe	net1.exe
PID 4912 wrote to memory of 2076	4912	net.exe	net1.exe
PID 4684 wrote to memory of 3372	4684	Logo1_.exe	Explorer.EXE
PID 4684 wrote to memory of 3372	4684	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
  "C:\Users\Admin\AppData\Local\Temp\46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFB.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe
      "C:\Users\Admin\AppData\Local\Temp\46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe"
      4⤵
      Executes dropped EXE
      PID:1808
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4988
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
2eb930ab764c7a226aad2650e09e608d

SHA1
35701cc91b828a1b1ce14a4f56d8fc3291624409

SHA256
270829b95b6dd6e4e3233ff54bc0ef2406e45e48c5915150401273309450188c

SHA512
7b8370d26b35b4125a4a39cb69658a36759725c9b2a10b89b6b7975cd4a2d8d2b63cb9f2c296ddf0c51ddcc3418c3d6871749ca4c28d5422997f1b8bbe6d3339

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
b43565d3a0fadc8aecf3064968a4a656

SHA1
c31c6f633aa5d22f1a137a6f0780253239b0509c

SHA256
2eda969e6cea654b109cbe1e416fac2ae07790483bc77456814a357c3fa75bf3

SHA512
e0aa70d54daeca5dfa50dc3d309bbe3d131da2a7a2b3a50708ccf08fc1f23b480c45241ff2cf93d21287483d94a477ea94b9060e2a7b7525daf693a2efd382c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCFB.bat

Filesize
721B

MD5
bc3b21d713fc6dd11ffab3d43ee1ddce

SHA1
1f11c905ebf6ae20e90237a3a35a68c81ab9d693

SHA256
b8f497dc4347848a953822b3ea7745cb87ec3a1321cd47036813c763983a9ddb

SHA512
51c0084e8f84afa7c94b1d7e3fa6a81601f32963ed60dd0f72f957a3adc5866678f998f0723d917ab4b0d79eba4dcfd1ff3aad444d5d7f74a24ab35fe9ade9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\46734a72ad4a3ea2fa7e7b6a8ed4c4cc25ba0747149af0d3b54918c93a151e5a.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
54bf44306953a5b6f406e5540e60c7b4

SHA1
5252474cc785229e8b958668a72650a1d5777a4d

SHA256
25ba409f54719204b0cc95c4f522e39892c2cf19acb35df862bf9c47556c1c45

SHA512
17e48d33e3012ae8790af9677434dbbad419c6876388c4b4c9e7178d582e7967b63b5107a85e5a4062656241006c1d6d8d5183f0e20b1a3aa2cb6eff5abf176f

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

Filesize
9B

MD5
ef2876ec14bdb3dc085fc3af9311b015

SHA1
68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

SHA256
ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

SHA512
c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

Download Submit
memory/3844-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-1581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-1680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-2443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-2914-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-5129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-5868-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-8589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-8779-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads