Analysis
max time kernel: 150s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:32
Static task: static1
Behavioral task: behavioral1
Sample: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Resource: win7-20240221-en
General
Target: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Size: 497KB
MD5: 05380234f89e59b6d91e27ed7fcb06a2
SHA1: 78edcf8422e57ea68f9b76fa23c09d9ed4f6942f
SHA256: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa
SHA512: f3430e6982ce5012bcab5d9bc5ced35cb9cdf865d2ef027072f36abf94d8d40829aa764ebdb8d29f8819d01248f114f6ce9d3e1444250b1b88f469d2057a4abf
SSDEEP: 12288:Q+azbvb1gL5pRTcAkS/3hzN8qE43fm78V:QBzb+5jcAkSYqyE
Malware Config
Signatures
-
Drops startup file (2 IoCs)
Processes: Logo1_.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
- PID 2232: Logo1_.exe
- PID 3160: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
- File opened (read-only) by Logo1_.exe: \??\G:, \??\R:, \??\X:, \??\V:, \??\U:, \??\S:, \??\Q:, \??\P:, \??\I:, \??\Y:, \??\T:, \??\K:, \??\J:, \??\H:, \??\E:, \??\Z:, \??\O:, \??\N:, \??\M:, \??\L:, \??\W:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
Drops file in Windows directory (4 IoCs)
Processes: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe)
- File created: C:\Windows\Logo1_.exe (fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe, Logo1_.exe
The 64 IoCs are repeated entries for two PIDs:
- PID 4128: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
- PID 2232: Logo1_.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe, net.exe, Logo1_.exe, cmd.exe
Unique source/target pairs (each pair is recorded several times in the raw list):
- PID 4128 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe wrote to memory of PID 4040 net.exe
- PID 4040 net.exe wrote to memory of PID 3608 net1.exe
- PID 4128 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe wrote to memory of PID 2116 cmd.exe
- PID 4128 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe wrote to memory of PID 2232 Logo1_.exe
- PID 2232 Logo1_.exe wrote to memory of PID 5108 net.exe
- PID 5108 net.exe wrote to memory of PID 1752 net1.exe
- PID 2116 cmd.exe wrote to memory of PID 3160 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
- PID 2232 Logo1_.exe wrote to memory of PID 2644 net.exe
- PID 2644 net.exe wrote to memory of PID 776 net1.exe
- PID 2232 Logo1_.exe wrote to memory of PID 3428 Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe")
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service")
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service")
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5F46.bat)
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe")
        - Executes dropped EXE
    - C:\Windows\Logo1_.exe (command line: C:\Windows\Logo1_.exe)
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service")
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service")
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service")
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service")
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  Filesize: 264KB
  MD5: 04d1e854f97e7f347f7dcdb3cb9adc4e
  SHA1: 7727eedbe1fcce30bd5e81abd19eb72ef446d38e
  SHA256: 73e08206ac1e2dc53a2c25a4c47c8a24d316db3ac7c48a5b92ee882557549bc4
  SHA512: 85c0e6392aa0830d5f601a745b92bc8857d19c4cc9845e7eb258fef79aa5f304c5e6dc0ba108b8d72cf665ec02260473e2428cf41a8a342a7b1faf83f2677b9c
- C:\Program Files\7-Zip\7z.exe
  Filesize: 583KB
  MD5: d0489d1f9bf5bb88d7a6c39e1d4e7270
  SHA1: 5ceee3fdb1949eb8d17cc99e7e57c8528290e2bd
  SHA256: 72d7f46cc89b9084ad3c024cd40268042bb8b70066284188b8c388bc4f787af3
  SHA512: d792d6638cbecbbdbd3acbc5baaf68a5c530cb911b6c06839432e68d0fa319af7f1051d2560bd4857f62c570f217609f7b4484ccb13856af49eb10dc19c0e3a7
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 649KB
  MD5: 33d1fbbb3236bc3a2843e45b01da9c5d
  SHA1: c0847581b9a49f6b37cf8e6785578ea96b4de8a1
  SHA256: 48817c256c311abe3645d6b5a56e4c0361b9e781943bf5301951efa87e694ea0
  SHA512: 1e2692e1701ba9ba3d8d8a6420458270526a519eb413d725757e58133abcbd9d5835255d54e4f188da51e01635b974f50fafc5abc558c959f3c43ecb051c9274
- C:\Users\Admin\AppData\Local\Temp\$$a5F46.bat
  Filesize: 722B
  MD5: a623d91ea2eb7f1fbe042afc275e85b5
  SHA1: 625072e4fe83f73dce14709f0b86e1cd6aa9ab51
  SHA256: 3ccbc5537bc77a193d386b813182a4bc5a3e81b4e3f6bfd525b956b5728d0ff2
  SHA512: 30af4469cebaef80a3749dbf354b8d4c56f02f2eae1d9ed7effe879cc9594cce7372469f07b2b239c01287eca1480a72d114b77b05d279812097142d149aee03
- C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe.exe
  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- C:\Windows\Logo1_.exe
  Filesize: 39KB
  MD5: 2e37e017a3b74e974e64745682b0d9ff
  SHA1: 9cb58a2c621331ee34fb433706db05a3d9953558
  SHA256: ab1bf4f80870eb86bfc589bf20f514ac3146b4f8e32e5e3f85085952ae448c1a
  SHA512: 9d3be56ded87fabffa7ac2ea39401e776f6723235be4e6d3a7031a77545e0dc38d2a0ca75f8ea689e0ab7885307410bb7e38b16a2a87021b554f8c687b526ece
- F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
  Filesize: 9B
  MD5: 304501c003da3bc5756aa53a757c30cc
  SHA1: 94dfcea0ef17f89b3a60a85a07edb4c00170cc1c
  SHA256: 9f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e
  SHA512: 78cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8
- memory/2232-18-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2232-2698-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2232-11-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2232-8660-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/2232-8706-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/4128-0-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB
- memory/4128-10-0x0000000000400000-0x000000000043D000-memory.dmp
  Filesize: 244KB