Analysis
- max time kernel: 150s
- max time network: 93s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
- Resource: win7-20240508-en
General
- Target: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
- Size: 74KB
- MD5: 46d409810632a27f2d92454314d56f36
- SHA1: b93c3ae289a74ed53aea07dd97b6b1f5dbe39008
- SHA256: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1
- SHA512: 18469877a470e50b74ed00dc734cab0a7456de4c35c670d7d68345cee43217470f4438ebabc30d892a301afc5feeba0f3b2834907ac8d2c4fb3ff5c50ec53015
- SSDEEP: 1536:/tmSe+Zk78NR3dN5nPAEToa9D4ZQKbgZi1dst7x9PxQ:/xe+a+3dN5QlZQKbgZi1St7xQ
Malware Config
Signatures
- Drops startup file (2 IoCs)
  Processes: Logo1_.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- Executes dropped EXE (2 IoCs)
  Processes: Logo1_.exe, bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
  - PID 412: Logo1_.exe
  - PID 3696: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Logo1_.exe
  - Drive roots opened (read-only) by Logo1_.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  Processes: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe, Logo1_.exe
  - File created: C:\Windows\rundl132.exe (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe)
  - File created: C:\Windows\Logo1_.exe (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe)
  - File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  - File created: C:\Windows\Dll.dll (Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe (PID 4764, 26 events), Logo1_.exe (PID 412, 38 events)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe, net.exe, Logo1_.exe, cmd.exe (each parent/child pair below is recorded up to three times in the raw log)
  - PID 4764 (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe) wrote to memory of PID 4160 (net.exe)
  - PID 4160 (net.exe) wrote to memory of PID 2432 (net1.exe)
  - PID 4764 (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe) wrote to memory of PID 4164 (cmd.exe)
  - PID 4764 (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe) wrote to memory of PID 412 (Logo1_.exe)
  - PID 412 (Logo1_.exe) wrote to memory of PID 3612 (net.exe)
  - PID 3612 (net.exe) wrote to memory of PID 2152 (net1.exe)
  - PID 4164 (cmd.exe) wrote to memory of PID 3696 (bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe)
  - PID 412 (Logo1_.exe) wrote to memory of PID 2928 (net.exe)
  - PID 2928 (net.exe) wrote to memory of PID 4532 (net1.exe)
  - PID 412 (Logo1_.exe) wrote to memory of PID 3532 (Explorer.EXE)
Processes
- C:\Windows\Explorer.EXE (PID 3532)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe (PID 4764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4160)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2432)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 4164)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a495D.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe (PID 3696)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 412)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3612)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2152)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2928)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4532)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  - Filesize: 258KB
  - MD5: ce1ebc3c0c328e142eab47b6635f807c
  - SHA1: 5576885f6e7f2abe82df076a2d27af32eebb4c0a
  - SHA256: 58eb636f0448ed27f1c1c30503a7888e2913dec4b408e22e46f7edf574375870
  - SHA512: f3a1be84df1ea85519589ef8b17738bf19202c444992b0d18f802d4e1ca57224a0b2e57371635a21c4cd967cb112eea9c338dbe07eb08d1c44316c5c2379b407
- C:\Program Files\7-Zip\7z.exe
  - Filesize: 577KB
  - MD5: 910284bbd7c634fe066813e80f33296d
  - SHA1: 97399b7586901e6b9e046bf9ef230103c54d2e1f
  - SHA256: 7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b
  - SHA512: 18dd89ea3ed8f270b71bc756dbd1d9eb406f03de2fb9813bbd7f08289148a28f459b21e8a5fbdab442de6face435cbd51806c8a9caf42906ab653a7d2075b58f
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  - Filesize: 643KB
  - MD5: b06c23c388c6c6a3219fdaf5efaabccf
  - SHA1: ada13c3c4449d222de774ebd037078ba31d33cd2
  - SHA256: 8efeb8be3a4ae59e4106e6c1d9e122d8ecb84b71cf01796f27d94ecfe80e0809
  - SHA512: aefc2fbbf660ee465ac7f174ab8f3de242c352d473a02ee96214d29a5e854e88c7ad842685bdb81698c8d51e0b597d7379c3a039e704839be748fe96a68c23b9
- C:\Users\Admin\AppData\Local\Temp\$$a495D.bat
  - Filesize: 722B
  - MD5: 480a4bb2d5969be1536777789886d1a8
  - SHA1: 344fb5f7b63ae9811236165a3c91736bc93cb953
  - SHA256: 4a6b4eb5a61ec4e83747829420a1d5869f71ea169dda98ccf3a78f4326e0e102
  - SHA512: c2ace12d233bdabb7f42482ea67ca5f7f92702146e0d45c52a488e79854c6d836845de8085f27b438f1c984acf86b7915f7782795afb946be92c647ec4aedc9f
- C:\Users\Admin\AppData\Local\Temp\bdce9dfb061e41db50533c7093d7138c17fdbecf363e0c39e3dbe5a9170087d1.exe.exe
  - Filesize: 41KB
  - MD5: 977e405c109268909fd24a94cc23d4f0
  - SHA1: af5d032c2b6caa2164cf298e95b09060665c4188
  - SHA256: cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
  - SHA512: 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5
- C:\Windows\Logo1_.exe
  - Filesize: 33KB
  - MD5: 05ebb4f9455d52366f013e63d099d41f
  - SHA1: f3d867260198c5be6f0f1e796d517e8ad75b2173
  - SHA256: 05362547df367881bc8a8956b74adf5e7d0c641ad3a6defce8751787503af3f3
  - SHA512: 573fea3c1964ce511986b959789ec3e170ba5d668cab0c201e6ac27c6d23b04250910871b2fd22ad6558d20a2aa2da0380cf9594aa8a33d1315f364a8d697a2f
- F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini
  - Filesize: 9B
  - MD5: 31874817e0fb055be8d2c971c0e3bbde
  - SHA1: ee8a35d6a86cb6d13f354d67d912e194bb09c74b
  - SHA256: 94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544
  - SHA512: 55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944
- memory/412-11-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB
- memory/412-18-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB
- memory/412-5210-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB
- memory/412-8666-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB
- memory/4764-0-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB
- memory/4764-10-0x0000000000400000-0x000000000043F000-memory.dmp
  - Filesize: 252KB