7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b

General

Target

7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
Size

577KB
MD5

910284bbd7c634fe066813e80f33296d
SHA1

97399b7586901e6b9e046bf9ef230103c54d2e1f
SHA256

7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b
SHA512

18dd89ea3ed8f270b71bc756dbd1d9eb406f03de2fb9813bbd7f08289148a28f459b21e8a5fbdab442de6face435cbd51806c8a9caf42906ab653a7d2075b58f
SSDEEP

6144:E+aMKE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQG:E+aMR7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe

pid process

5040 Logo1_.exe
2152 7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5040	Logo1_.exe
2152	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exeLogo1_.exe

pid	process
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe
5040	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exenet.exeLogo1_.execmd.exenet.exenet.exe

description	pid	process	target process
PID 3492 wrote to memory of 3180	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	net.exe
PID 3492 wrote to memory of 3180	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	net.exe
PID 3492 wrote to memory of 3180	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	net.exe
PID 3180 wrote to memory of 3000	3180	net.exe	net1.exe
PID 3180 wrote to memory of 3000	3180	net.exe	net1.exe
PID 3180 wrote to memory of 3000	3180	net.exe	net1.exe
PID 3492 wrote to memory of 1192	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	cmd.exe
PID 3492 wrote to memory of 1192	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	cmd.exe
PID 3492 wrote to memory of 1192	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	cmd.exe
PID 3492 wrote to memory of 5040	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	Logo1_.exe
PID 3492 wrote to memory of 5040	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	Logo1_.exe
PID 3492 wrote to memory of 5040	3492	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe	Logo1_.exe
PID 5040 wrote to memory of 2724	5040	Logo1_.exe	net.exe
PID 5040 wrote to memory of 2724	5040	Logo1_.exe	net.exe
PID 5040 wrote to memory of 2724	5040	Logo1_.exe	net.exe
PID 1192 wrote to memory of 2152	1192	cmd.exe	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
PID 1192 wrote to memory of 2152	1192	cmd.exe	7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
PID 2724 wrote to memory of 1824	2724	net.exe	net1.exe
PID 2724 wrote to memory of 1824	2724	net.exe	net1.exe
PID 2724 wrote to memory of 1824	2724	net.exe	net1.exe
PID 5040 wrote to memory of 4860	5040	Logo1_.exe	net.exe
PID 5040 wrote to memory of 4860	5040	Logo1_.exe	net.exe
PID 5040 wrote to memory of 4860	5040	Logo1_.exe	net.exe
PID 4860 wrote to memory of 2812	4860	net.exe	net1.exe
PID 4860 wrote to memory of 2812	4860	net.exe	net1.exe
PID 4860 wrote to memory of 2812	4860	net.exe	net1.exe
PID 5040 wrote to memory of 3516	5040	Logo1_.exe	Explorer.EXE
PID 5040 wrote to memory of 3516	5040	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
"C:\Users\Admin\AppData\Local\Temp\7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E61.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe
"C:\Users\Admin\AppData\Local\Temp\7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe"
4⤵
- Executes dropped EXE
PID:2152

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1824

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
258KB

MD5
ce1ebc3c0c328e142eab47b6635f807c

SHA1
5576885f6e7f2abe82df076a2d27af32eebb4c0a

SHA256
58eb636f0448ed27f1c1c30503a7888e2913dec4b408e22e46f7edf574375870

SHA512
f3a1be84df1ea85519589ef8b17738bf19202c444992b0d18f802d4e1ca57224a0b2e57371635a21c4cd967cb112eea9c338dbe07eb08d1c44316c5c2379b407

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
577KB

MD5
910284bbd7c634fe066813e80f33296d

SHA1
97399b7586901e6b9e046bf9ef230103c54d2e1f

SHA256
7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b

SHA512
18dd89ea3ed8f270b71bc756dbd1d9eb406f03de2fb9813bbd7f08289148a28f459b21e8a5fbdab442de6face435cbd51806c8a9caf42906ab653a7d2075b58f

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
643KB

MD5
b06c23c388c6c6a3219fdaf5efaabccf

SHA1
ada13c3c4449d222de774ebd037078ba31d33cd2

SHA256
8efeb8be3a4ae59e4106e6c1d9e122d8ecb84b71cf01796f27d94ecfe80e0809

SHA512
aefc2fbbf660ee465ac7f174ab8f3de242c352d473a02ee96214d29a5e854e88c7ad842685bdb81698c8d51e0b597d7379c3a039e704839be748fe96a68c23b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3E61.bat
Filesize
722B

MD5
e5461e106a4eac5f6f79c508777b1f01

SHA1
eb070a10aa3bb9a6512b811af74a3a9832cab9f6

SHA256
7b40ce2a35b8e3184106af097a9d3b5b7a206f357ac2aa8410906c784caca366

SHA512
23eb9e9d986b8eed3793a4fc8f847480fb6e686ce1d29222882ffdc81d73a1f3b365c016ad30200c62e0f02b2a4ac118ba3b5549f023043d1b60531cdb2df8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d477e0c4001981ef55282a1d61e5510bb08eedba840ec9df323eda8053c892b.exe.exe
Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe
Filesize
33KB

MD5
05ebb4f9455d52366f013e63d099d41f

SHA1
f3d867260198c5be6f0f1e796d517e8ad75b2173

SHA256
05362547df367881bc8a8956b74adf5e7d0c641ad3a6defce8751787503af3f3

SHA512
573fea3c1964ce511986b959789ec3e170ba5d668cab0c201e6ac27c6d23b04250910871b2fd22ad6558d20a2aa2da0380cf9594aa8a33d1315f364a8d697a2f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/3492-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-4900-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-8694-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads