Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 11:18
Static task: static1
Behavioral task: behavioral1
Sample: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
Resource: win7-20240508-en
General
Target: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
Size: 322KB
MD5: 166bb278dde1983d4232bf94579c2bfc
SHA1: c4a32c97c6ad523a9d45f5e1bedbe384cd9680b2
SHA256: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491
SHA512: a33c3b0888bdae4cc0ead6e5e56aa0f7fd99cacc2c2a43100537cd953beb6f1356a56b43a77dac91bce7c7f65eca36ea7167942ad9701d8d2ff3274050a5869e
SSDEEP: 1536:rGFaYzMXqtGNtty1yVumRTTi9aJfXgY1zUTyr5hVM:rGFaY46tGNtty17+XgTTSje
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: Logo1_.exe, a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
-
Drops startup file 2 IoCs
Processes: Logo1_.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 1 IoCs
Processes: Logo1_.exe
pid | process
3016 | Logo1_.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Processes: Logo1_.exe
-
Drops file in Windows directory 4 IoCs
Processes: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\rundl132.exe | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
File created | C:\Windows\Logo1_.exe | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe, Logo1_.exe
pid | process
5104 | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
3016 | Logo1_.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes: a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe, net.exe, Logo1_.exe, net.exe, net.exe
description | pid | process | target process
PID 5104 wrote to memory of 3520 | 5104 | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe | net.exe
PID 3520 wrote to memory of 3232 | 3520 | net.exe | net1.exe
PID 5104 wrote to memory of 1748 | 5104 | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe | cmd.exe
PID 5104 wrote to memory of 3016 | 5104 | a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe | Logo1_.exe
PID 3016 wrote to memory of 896 | 3016 | Logo1_.exe | net.exe
PID 896 wrote to memory of 2152 | 896 | net.exe | net1.exe
PID 3016 wrote to memory of 4068 | 3016 | Logo1_.exe | net.exe
PID 4068 wrote to memory of 4892 | 4068 | net.exe | net1.exe
PID 3016 wrote to memory of 3456 | 3016 | Logo1_.exe | Explorer.EXE
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3456
  C:\Users\Admin\AppData\Local\Temp\a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a475a028012948e78ee5e16c3fc3971ec5f8b47f281a0f2f49c1ce4b8126f491.exe"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5104
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 3520
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3232
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CC1.bat
      PID: 1748
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3016
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 896
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2152
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 4068
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4892
Network
MITRE ATT&CK Enterprise v15
Downloads