Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 20:21

Static task: static1
Behavioral task: behavioral1
- Sample: c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe
- Resource: win7-20240221-en
General
- Target: c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe
- Size: 5.7MB
- MD5: c281217553f46ac406f26b520cad1f0b
- SHA1: 85e3b8baff69cc3df6e70a9f70670f13dae7d8b4
- SHA256: c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725
- SHA512: 1f29b1fbe372f6452e8153ca10153632c6c15cca775a3a756e23ffa81e911d456ab264e82abc34f5d56db3e5ffec5988369aa7c3a7987c1f974a726d3f65dd7a
- SSDEEP: 49152:QKPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPn:QsKUgTH2M2m9UMpu1QfLczqssnKSk
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (by c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (by Logo1_.exe)
-
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (by Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (by Logo1_.exe)
-
Executes dropped EXE 2 IoCs
- PID 1660: Logo1_.exe
- PID 3140: c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Logo1_.exe opened (read-only) the following drive roots: \??\S:, \??\N:, \??\M:, \??\H:, \??\R:, \??\P:, \??\O:, \??\K:, \??\Z:, \??\Y:, \??\X:, \??\U:, \??\J:, \??\I:, \??\W:, \??\V:, \??\T:, \??\G:, \??\Q:, \??\L:, \??\E:
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\rundl132.exe (by c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe)
- File created: C:\Windows\Logo1_.exe (by c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe)
- File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
- File created: C:\Windows\Dll.dll (by Logo1_.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 26 IoCs
Source PID / process -> target PID / process (repeated entries collapsed):
- 3468 c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe -> 692 net.exe
- 692 net.exe -> 2532 net1.exe
- 3468 c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe -> 896 cmd.exe
- 3468 c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe -> 1660 Logo1_.exe
- 1660 Logo1_.exe -> 4332 net.exe
- 4332 net.exe -> 3088 net1.exe
- 1660 Logo1_.exe -> 4424 net.exe
- 4424 net.exe -> 4128 net1.exe
- 1660 Logo1_.exe -> 3428 Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (PID 3428)
  - C:\Users\Admin\AppData\Local\Temp\c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe (PID 3468)
    command line: "C:\Users\Admin\AppData\Local\Temp\c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe"
    signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 692)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2532)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 896)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4045.bat
      - C:\Users\Admin\AppData\Local\Temp\c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe (PID 3140)
        command line: "C:\Users\Admin\AppData\Local\Temp\c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 1660)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4332)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3088)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 4424)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4128)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe (Filesize 644KB)
- C:\Users\Admin\AppData\Local\Temp\c9dd3682f37e3d6394fb30d787ad60f24d7dab5234f07edc19e5cbb2a5e05725.exe.exe (Filesize 5.7MB)