Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 11:18
Static task: static1
Behavioral task: behavioral1
- Sample: cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
- Resource: win7-20240220-en
General
- Target: cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
- Size: 57KB
- MD5: 4a6fe179999bf2fc84a435bfcdf6c44f
- SHA1: bddb49c7b74e799d3a22347c39a0128d57974e0c
- SHA256: cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109
- SHA512: a82cf4e34f9751e63c4f9e8f9aa6b74b7405780d91ef115510d2cc973dbf7b10d09eab54881b1cb01bfb7c4ab99841a0fbdce2d5293801546d2ac8b6407d9ea9
- SSDEEP: 1536:rGFaYzMXqtGNtty1yVumRTTQ3hpdBRZEWq:rGFaY46tGNtty1T35jq
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
- Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
- Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  1780 | Logo1_.exe
  4860 | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only)
  process: Logo1_.exe
  ioc (drive roots, in logged order): \??\T:, \??\N:, \??\I:, \??\E:, \??\X:, \??\S:, \??\L:, \??\Y:, \??\V:, \??\O:, \??\M:, \??\G:, \??\W:, \??\U:, \??\R:, \??\Q:, \??\P:, \??\K:, \??\J:, \??\H:, \??\Z:
- Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\rundl132.exe | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
  File created | C:\Windows\Logo1_.exe | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe, Logo1_.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
Processes (events = number of identical "wrote to memory of" records in the log; 29 in total):
  source pid | source process | target pid | target process | events
  4560 | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | 2000 | net.exe | 3
  2000 | net.exe | 4432 | net1.exe | 3
  4560 | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | 1616 | cmd.exe | 3
  4560 | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | 1780 | Logo1_.exe | 3
  1780 | Logo1_.exe | 4688 | net.exe | 3
  4688 | net.exe | 3912 | net1.exe | 3
  1616 | cmd.exe | 4860 | cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | 3
  1780 | Logo1_.exe | 4444 | net.exe | 3
  4444 | net.exe | 4468 | net1.exe | 3
  1780 | Logo1_.exe | 3548 | Explorer.EXE | 2
Processes (tree; indentation shows parent/child, each node as image path | command line | PID, followed by its triggered signatures)
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3548
  C:\Users\Admin\AppData\Local\Temp\cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | "C:\Users\Admin\AppData\Local\Temp\cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe" | PID 4560
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" | PID 2000
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" | PID 4432
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5AB3.bat | PID 1616
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe | "C:\Users\Admin\AppData\Local\Temp\cb8f67fd5d2dc9a5a5c06588b8aca4dde03edfd9f5f496c98119399168df4109.exe" | PID 4860
        - Executes dropped EXE
    C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe | PID 1780
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" | PID 4688
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" | PID 3912
      C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" | PID 4444
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" | PID 4468
Network
MITRE ATT&CK Enterprise v15
Downloads