Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 20:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe
- Resource: win7-20240220-en
General
- Target: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe
- Size: 717KB
- MD5: 845936b1ce35a6c44e943e4997caaf10
- SHA1: ba0226f01fd028a1316ccb6e2f6c747d5b0554ec
- SHA256: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28
- SHA512: e6ef9e8e7bd00cf91da6e0fc23a1c0f1343a401dc0751d4195e3612337394f3732ecaffc94c1042e9a1f086d6dd0ae70a9cc0345a367dd218dd415f1b4a26ef4
- SSDEEP: 12288:L3NPfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:L3NnLOS2opPIXV
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  Processes: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe, Logo1_.exe
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe)
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (Logo1_.exe)
- Drops startup file (2 IoCs)
  Processes: Logo1_.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- Executes dropped EXE (2 IoCs)
  Processes: Logo1_.exe, 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe
  - PID 4064: Logo1_.exe
  - PID 2640: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Logo1_.exe
  File opened (read-only) by Logo1_.exe: \??\Y:, \??\U:, \??\P:, \??\N:, \??\L:, \??\K:, \??\X:, \??\V:, \??\T:, \??\S:, \??\J:, \??\G:, \??\Z:, \??\R:, \??\Q:, \??\M:, \??\E:, \??\W:, \??\O:, \??\I:, \??\H:
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  Processes: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe, Logo1_.exe
  - File created: C:\Windows\rundl132.exe (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe)
  - File created: C:\Windows\Logo1_.exe (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe)
  - File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  - File created: C:\Windows\Dll.dll (Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe, Logo1_.exe
  - PID 1956: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe (repeated entries)
  - PID 4064: Logo1_.exe (repeated entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe, net.exe, Logo1_.exe, cmd.exe, net.exe, net.exe
  - PID 1956 (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe) wrote to memory of PID 4492 (net.exe) (3 entries)
  - PID 4492 (net.exe) wrote to memory of PID 648 (net1.exe) (3 entries)
  - PID 1956 (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe) wrote to memory of PID 968 (cmd.exe) (3 entries)
  - PID 1956 (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe) wrote to memory of PID 4064 (Logo1_.exe) (3 entries)
  - PID 4064 (Logo1_.exe) wrote to memory of PID 3756 (net.exe) (3 entries)
  - PID 968 (cmd.exe) wrote to memory of PID 2640 (6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe) (2 entries)
  - PID 3756 (net.exe) wrote to memory of PID 4928 (net1.exe) (3 entries)
  - PID 4064 (Logo1_.exe) wrote to memory of PID 3360 (net.exe) (3 entries)
  - PID 3360 (net.exe) wrote to memory of PID 3252 (net1.exe) (3 entries)
  - PID 4064 (Logo1_.exe) wrote to memory of PID 3512 (Explorer.EXE) (2 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3512)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe (PID 1956)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe"
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4492)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 648)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 968)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a37E8.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe (PID 2640)
        Command line: "C:\Users\Admin\AppData\Local\Temp\6e198e3755af0e06470d17e6fdc7673c48d03390b1409734b278afd37e6e3a28.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 4064)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3756)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4928)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 3360)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3252)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads