Analysis
max time kernel: 149s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 11:18
Static task: static1
Behavioral task: behavioral1
Sample: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
Resource: win7-20231129-en
General
Target: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
Size: 265KB
MD5: 73088fa86b9a918860cc0768057b7656
SHA1: 4671df53172d321cbfe02e5141e056e09f372c45
SHA256: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3
SHA512: 74af9f3908f18c1755191adfb756d32ddc3b051d8ddbda2b83568b62f5ecd1fb0903cddc3fc578306fa5d9029faa19d6fdb3bae7c94883eec65d321bbf71c31f
SSDEEP: 6144:y46tGdy1uGDn98zkeWALevNyQxlT0fD4H7:y3N1pALevNyQxlQ4b
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe, Logo1_.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
Drops startup file (2 IoCs)
Processes: Logo1_.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
pid | process
3164 | Logo1_.exe
4508 | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory (4 IoCs)
Processes: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\rundl132.exe | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
File created | C:\Windows\Logo1_.exe | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe, Logo1_.exe
pid | process | occurrences
3768 | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe | 26
3164 | Logo1_.exe | 38
-
Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe, net.exe, Logo1_.exe, net.exe, cmd.exe, net.exe
description | pid | process | target process | occurrences
PID 3768 wrote to memory of 4564 | 3768 | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe | net.exe | 3
PID 4564 wrote to memory of 3900 | 4564 | net.exe | net1.exe | 3
PID 3768 wrote to memory of 3800 | 3768 | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe | cmd.exe | 3
PID 3768 wrote to memory of 3164 | 3768 | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe | Logo1_.exe | 3
PID 3164 wrote to memory of 2116 | 3164 | Logo1_.exe | net.exe | 3
PID 2116 wrote to memory of 540 | 2116 | net.exe | net1.exe | 3
PID 3800 wrote to memory of 4508 | 3800 | cmd.exe | 7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe | 3
PID 3164 wrote to memory of 4500 | 3164 | Logo1_.exe | net.exe | 3
PID 4500 wrote to memory of 5108 | 4500 | net.exe | net1.exe | 3
PID 3164 wrote to memory of 3432 | 3164 | Logo1_.exe | Explorer.EXE | 2
Processes
-
[1] C:\Windows\Explorer.EXE (PID 3432)
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe (PID 3768)
      command line: "C:\Users\Admin\AppData\Local\Temp\7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe (PID 4564)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe (PID 3900)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3800)
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3623.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe (PID 4508)
          command line: "C:\Users\Admin\AppData\Local\Temp\7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe"
          - Executes dropped EXE
    [3] C:\Windows\Logo1_.exe (PID 3164)
        command line: C:\Windows\Logo1_.exe
        - Drops file in Drivers directory
        - Drops startup file
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 2116)
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 540)
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      [4] C:\Windows\SysWOW64\net.exe (PID 4500)
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 5108)
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 258KB
MD5: e194e3f599f585b521b00ba7d99c03a5
SHA1: 2ade918605a7a60bcc840819b52c6fb5f470921b
SHA256: b70334eb15d0c19fcb70b2d250e32a01f1a17bd230401155d3c4fe3065242aa9
SHA512: b7e3c0741cc3ac540da389b2fa66501e1a6c433ab0b22c99b38f40dc57d940d81979b08859d8daa67cd002b02ead5daac4ad9cafce5186bf35b536f6de4b7957
-
Filesize: 577KB
MD5: cac99ad0161a99e0d6fd07e1843524b7
SHA1: c3d87148ecc623592a8061ce4ad6c88584e115ad
SHA256: 62d5cd98103b1dc5452f455a26f2b566812386597eb9cfee2ca3b5e01f0a0f27
SHA512: f479dc0ea615699d832539642d4bd63325e1b47e147fe3e94cc6584fc205fa4a1e454375ea5da87238b8210d3565ab742136c3ce850842b76a1335e626041081
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
MD5: d9b62e4240dd99918ec39a90574fcc1e
SHA1: aca7b6d133487779dad04399979342285ac7ac74
SHA256: 3c9be9eeff4911ecb235ec57a0c90c6db74b371d45c7a6fae2afac78a1bf1391
SHA512: 8980894349e1d3708f8176fcfc23675061d402126a77af27e6eb61d4d67d41bb2b1e743865f1626a77cca89aff29aa24d21c8cf3f879aba9bd8c0b9a035b8026
-
Filesize: 722B
MD5: 7a935c17a48142bb835c7ef26c370a66
SHA1: b6012d4c2091ba16b3193152b1a4812c88ac9747
SHA256: c6d3bcd100e022f50206aa0622f62b7ad2bebb6a3bf47dfd262fb85c72a24837
SHA512: a51d09f713059c954be296c80d1b4fcf6fa8c2c72405bb6574e786c89f604783ee8b1c0deb16d623c10caa6be24229160f788215ae3bdaabdbecc93ed97d05ac
-
C:\Users\Admin\AppData\Local\Temp\7135cde6d5a8c6a917f1e01f954a24172083d4b52ff0c90574119fa2733a4ab3.exe.exe
Filesize: 231KB
MD5: 54e1659ed870df07966e5d60a709f70a
SHA1: 0084038fd0baa047e877f122df91358b1fb7bcae
SHA256: a0aa9522d34467bab59c4249adf7765b85448937cdaa789cd32c3c4744fc8c25
SHA512: 118f0d286f82f6c88e1b04ee54c54c2aa0e2ba370b63187618d3a9b77f34b9101b5603ea8120a9447005ae14779a396cc7c6db9841ee55839a17d971072df7c3
-
Filesize: 33KB
MD5: 0c024d12adef144def06e6f299357485
SHA1: 896f33f1c0bc5c6644094f07d44e2bcc377958bb
SHA256: df70e984201f34822e49a6da9037e738e596a51d3e190cf4b76b8c64ebd3c30d
SHA512: 072a920b5fd0373d40947b9410becd9df1bfdff8913bb0650272a3e4c46b29b826b42998b61426b7eb6fa8d081066d0b0aa183dbf0044e9119b10f9a3faae09d
-
Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize: 9B
MD5: 31874817e0fb055be8d2c971c0e3bbde
SHA1: ee8a35d6a86cb6d13f354d67d912e194bb09c74b
SHA256: 94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544
SHA512: 55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944