613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290

General

Target

613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
Size

75KB
MD5

f15a4423f8a6165c566a1d874c26e167
SHA1

0c5f1285b6b05b4c4a6de3d700ffdd74cafa289a
SHA256

613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290
SHA512

357474447eea125be6f7415b773b0ed62450ec33fb59b2761353d9394bc88fecef309c8559e1bd38b081cd26e35d0e5f8436865fc9363413e8cf2f27a668994c
SSDEEP

1536:PpaYzMXqtGNttyUn01Q78a4R4EToa9D4ZQKbgZi1dst7x9PxQ:PpaY46tGNttyJQ7KRwlZQKbgZi1St7xQ

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

Logo1_.exe613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe

pid process

2440 Logo1_.exe
2776 613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2440	Logo1_.exe
2776	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Integration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
File created	C:\Windows\Logo1_.exe	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exeLogo1_.exe

pid	process
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe
2440	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exenet.exeLogo1_.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4312 wrote to memory of 3056	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	net.exe
PID 4312 wrote to memory of 3056	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	net.exe
PID 4312 wrote to memory of 3056	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	net.exe
PID 3056 wrote to memory of 3564	3056	net.exe	net1.exe
PID 3056 wrote to memory of 3564	3056	net.exe	net1.exe
PID 3056 wrote to memory of 3564	3056	net.exe	net1.exe
PID 4312 wrote to memory of 4332	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	cmd.exe
PID 4312 wrote to memory of 4332	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	cmd.exe
PID 4312 wrote to memory of 4332	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	cmd.exe
PID 4312 wrote to memory of 2440	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	Logo1_.exe
PID 4312 wrote to memory of 2440	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	Logo1_.exe
PID 4312 wrote to memory of 2440	4312	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe	Logo1_.exe
PID 2440 wrote to memory of 4084	2440	Logo1_.exe	net.exe
PID 2440 wrote to memory of 4084	2440	Logo1_.exe	net.exe
PID 2440 wrote to memory of 4084	2440	Logo1_.exe	net.exe
PID 4332 wrote to memory of 2776	4332	cmd.exe	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
PID 4332 wrote to memory of 2776	4332	cmd.exe	613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
PID 4084 wrote to memory of 4140	4084	net.exe	net1.exe
PID 4084 wrote to memory of 4140	4084	net.exe	net1.exe
PID 4084 wrote to memory of 4140	4084	net.exe	net1.exe
PID 2440 wrote to memory of 3760	2440	Logo1_.exe	net.exe
PID 2440 wrote to memory of 3760	2440	Logo1_.exe	net.exe
PID 2440 wrote to memory of 3760	2440	Logo1_.exe	net.exe
PID 3760 wrote to memory of 4628	3760	net.exe	net1.exe
PID 3760 wrote to memory of 4628	3760	net.exe	net1.exe
PID 3760 wrote to memory of 4628	3760	net.exe	net1.exe
PID 2440 wrote to memory of 3532	2440	Logo1_.exe	Explorer.EXE
PID 2440 wrote to memory of 3532	2440	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
  "C:\Users\Admin\AppData\Local\Temp\613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a37AA.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe
      "C:\Users\Admin\AppData\Local\Temp\613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe"
      4⤵
      Executes dropped EXE
      PID:2776
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4140
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
91426419de9f79662dd3b3a1c325584f

SHA1
04eed48a67d05bc8e551d6f7448ae320f4cddaca

SHA256
9dbf125caa2702fde7a3ad40445516f129e594ed8ab56bf925a68febd64d6b05

SHA512
2d8bc8cbd6565c9c027dbad80eaba61bef1ece4de30b280c7a93e50b4836d77a2789e5e70f58f54ced9794f90c4c0779bbb308f9abccfe3521fc90788603b005

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
de1b64ffacd8aa845b03cdefb366e0ba

SHA1
2a9a61dccc1b1d3063b2fb7cc682a06abea4a96a

SHA256
aa169823311171a65bf1c5e84ca5bdc9bee8cab9938a459077d15c37c443fc08

SHA512
e9a6712bbe28c594d85178403ae46f5d67f148afcc8e90e6318cde1ce41e4e53c1aa5e0f9b8cc46772810bdc8379e25f04689342ce66df10180939fa78e398f7

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
635e9422a0a86f5c7ac989802b0ac448

SHA1
3ea9cc1462b063639526a8d278b571f38b846d1d

SHA256
a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f

SHA512
857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a37AA.bat

Filesize
722B

MD5
e1dc86c2416bf46f87a513612b02f6c4

SHA1
5b14be7e466024be4325d4ec1c6aaa83754178d1

SHA256
fa35e8492639e5a6d68f7c951708e5c80c7caa5654f6d8d22a27db65ce263349

SHA512
4e06e6197a97e439f3fdb078f2715dbf5210c2d22a4dfbd205faa330a894384941a27b010ead752f19aeaa8897074fdb3a1bc02fa79878bc8a331faa4e6da642

Download Submit
C:\Users\Admin\AppData\Local\Temp\613355bd61c2a63bf55e9343f532e5287d4147990f6e9eb836103b7de4917290.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
40c659a8b5ac66e0675fbe146adfc4ca

SHA1
fa4fb8cab8a5bf8f5a878a2e17d6ad5e8465c482

SHA256
4ac9c14f22c8bdcd31a49201cabd2ffbb596fdcfd9ada82c300d4efc80b6876d

SHA512
c78671d2baea0a6ca6f5ff911f2b8934329fcbe5e04c3ae010683f70abe935b241bb38b94ec60391e9f944435c2622196eb84cabbf5c341ea574bb3f419af268

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\_desktop.ini

Filesize
9B

MD5
ef2876ec14bdb3dc085fc3af9311b015

SHA1
68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

SHA256
ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

SHA512
c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

Download Submit
memory/2440-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-2680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-8660-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads