e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f

General

Target

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
Size

717KB
MD5

fdb01b0966f22705893fe636811b03c1
SHA1

ed69e85e740567ef4b71a6464f69c7c830002e8d
SHA256

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f
SHA512

d7f62421d1c42ac7e51545f9de862fae4c9f6e4ea285abd0cd0a934b1a9991218d6d6911dee783e1e6bb050b1a19d8735d013ee055ffe7d31c79552beb444f5e
SSDEEP

12288:O+aJfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:OBpLOS2opPIXV

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exee6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe

pid process

2320 Logo1_.exe
2780 e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2320	Logo1_.exe
2780	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_proxy\win10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exeLogo1_.exe

pid	process
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe
2320	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4888 wrote to memory of 828	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 4888 wrote to memory of 828	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 4888 wrote to memory of 828	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	net.exe
PID 828 wrote to memory of 2672	828	net.exe	net1.exe
PID 828 wrote to memory of 2672	828	net.exe	net1.exe
PID 828 wrote to memory of 2672	828	net.exe	net1.exe
PID 4888 wrote to memory of 1284	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 4888 wrote to memory of 1284	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 4888 wrote to memory of 1284	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	cmd.exe
PID 4888 wrote to memory of 2320	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 4888 wrote to memory of 2320	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 4888 wrote to memory of 2320	4888	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe	Logo1_.exe
PID 2320 wrote to memory of 2768	2320	Logo1_.exe	net.exe
PID 2320 wrote to memory of 2768	2320	Logo1_.exe	net.exe
PID 2320 wrote to memory of 2768	2320	Logo1_.exe	net.exe
PID 2768 wrote to memory of 2796	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2796	2768	net.exe	net1.exe
PID 2768 wrote to memory of 2796	2768	net.exe	net1.exe
PID 1284 wrote to memory of 2780	1284	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 1284 wrote to memory of 2780	1284	cmd.exe	e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
PID 2320 wrote to memory of 1712	2320	Logo1_.exe	net.exe
PID 2320 wrote to memory of 1712	2320	Logo1_.exe	net.exe
PID 2320 wrote to memory of 1712	2320	Logo1_.exe	net.exe
PID 1712 wrote to memory of 4760	1712	net.exe	net1.exe
PID 1712 wrote to memory of 4760	1712	net.exe	net1.exe
PID 1712 wrote to memory of 4760	1712	net.exe	net1.exe
PID 2320 wrote to memory of 3348	2320	Logo1_.exe	Explorer.EXE
PID 2320 wrote to memory of 3348	2320	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
"C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1A3A.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe
"C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe"
4⤵
- Executes dropped EXE
PID:2780

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
9ac10f2289f81d00cb5315e30a25967d

SHA1
43f3ec8b12b8ef26c5e0151a50e708edd8a3e979

SHA256
a978211529b28a3b66408c32636b82ef4405121d57e90a911c60f3810be3c0cc

SHA512
211d2c4d98509e4b0df64c0b31331431486886ae40c106ca1af496a2573fcfce3737d3574f6f41e39b02cf35b67859c14e46d58b30cf59062f8b68ec76dc1a77

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
577KB

MD5
9b73ea744610add358a523c48b536d6d

SHA1
38d35606d7b18b9f9ec4e4bfac20b523ecc1ed88

SHA256
02cff7e352a7c94505a1d1c73425ec9968637b9010c8c017dc70f7d6a78a3a45

SHA512
aa6b8405c175a2cf9be163d8f282894498f2e8ddffde0caa59c0ad2b357582fd21454f1b742d2169e1d326576e08ed8869de861f549cc0fd8c1e4c42fbe6b3eb

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
488KB

MD5
85b76d0e0da4b34c0acc7abcd83d7150

SHA1
3c361c827353e87281950c2baef4ed7a24eee844

SHA256
a2beda607517ea941d193ff76cd746ba01dd55a62725874c59e93776cf3f3f53

SHA512
407a41a1fd8a4e24dbddbc624a50a94d101c541e9d73e5db4b1fa68fd2915c1cb92f6444fa8416429134b88610de31be620eaacda2b9a96e76182ca2323c3644

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1A3A.bat
Filesize
722B

MD5
b3b06ac9d8e1b099a7780d05e4f47b2e

SHA1
28bfc924e25f1af145a4b16d0a22578d87992d8c

SHA256
81bcb98fec624ac94c29c6857899d3388431fadfc223d17a9b70aca7315a4a33

SHA512
35ffd3d65c9253a3c49c8512d32033be66174d501b4d483f0e3da6ac7a0f95274c379308d7d170b829db53019f89a911e5c37b4ddbdaad9f022fa187efba7f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6b96aa2b1d768aec3f6c19f52926b79deeaff920bc733397cb2345221bd3c0f.exe.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
beaa56a0e4764dd95329202a0a92e326

SHA1
1e18f4051244e4aa8eabbddc7001ffcdc2adc055

SHA256
02424a4ca6ac65d66c89b79493d30a0c54c46da6ec225ef5ae1c724913451a08

SHA512
fc65d6da1e1f112abbb37c5227823980d644b6436cec5d44a75de9e97ba9e709010fc6edb064c592ce931412612010c7254bc5eb6c4aec004510786525276e25

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/2320-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-2419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-4665-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-7136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-8572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-8824-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads