fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa

General

Target

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Size

497KB
MD5

05380234f89e59b6d91e27ed7fcb06a2
SHA1

78edcf8422e57ea68f9b76fa23c09d9ed4f6942f
SHA256

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa
SHA512

f3430e6982ce5012bcab5d9bc5ced35cb9cdf865d2ef027072f36abf94d8d40829aa764ebdb8d29f8819d01248f114f6ce9d3e1444250b1b88f469d2057a4abf
SSDEEP

12288:Q+azbvb1gL5pRTcAkS/3hzN8qE43fm78V:QBzb+5jcAkSYqyE

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exefb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe

pid process

2232 Logo1_.exe
3160 fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2232	Logo1_.exe
3160	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
File created	C:\Windows\Logo1_.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exeLogo1_.exe

pid	process
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe
2232	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exenet.exeLogo1_.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4128 wrote to memory of 4040	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 4128 wrote to memory of 4040	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 4128 wrote to memory of 4040	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	net.exe
PID 4040 wrote to memory of 3608	4040	net.exe	net1.exe
PID 4040 wrote to memory of 3608	4040	net.exe	net1.exe
PID 4040 wrote to memory of 3608	4040	net.exe	net1.exe
PID 4128 wrote to memory of 2116	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 4128 wrote to memory of 2116	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 4128 wrote to memory of 2116	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	cmd.exe
PID 4128 wrote to memory of 2232	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 4128 wrote to memory of 2232	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 4128 wrote to memory of 2232	4128	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe	Logo1_.exe
PID 2232 wrote to memory of 5108	2232	Logo1_.exe	net.exe
PID 2232 wrote to memory of 5108	2232	Logo1_.exe	net.exe
PID 2232 wrote to memory of 5108	2232	Logo1_.exe	net.exe
PID 5108 wrote to memory of 1752	5108	net.exe	net1.exe
PID 5108 wrote to memory of 1752	5108	net.exe	net1.exe
PID 5108 wrote to memory of 1752	5108	net.exe	net1.exe
PID 2116 wrote to memory of 3160	2116	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 2116 wrote to memory of 3160	2116	cmd.exe	fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
PID 2232 wrote to memory of 2644	2232	Logo1_.exe	net.exe
PID 2232 wrote to memory of 2644	2232	Logo1_.exe	net.exe
PID 2232 wrote to memory of 2644	2232	Logo1_.exe	net.exe
PID 2644 wrote to memory of 776	2644	net.exe	net1.exe
PID 2644 wrote to memory of 776	2644	net.exe	net1.exe
PID 2644 wrote to memory of 776	2644	net.exe	net1.exe
PID 2232 wrote to memory of 3428	2232	Logo1_.exe	Explorer.EXE
PID 2232 wrote to memory of 3428	2232	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
"C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5F46.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe
"C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe"
4⤵
- Executes dropped EXE
PID:3160

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1752

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
264KB

MD5
04d1e854f97e7f347f7dcdb3cb9adc4e

SHA1
7727eedbe1fcce30bd5e81abd19eb72ef446d38e

SHA256
73e08206ac1e2dc53a2c25a4c47c8a24d316db3ac7c48a5b92ee882557549bc4

SHA512
85c0e6392aa0830d5f601a745b92bc8857d19c4cc9845e7eb258fef79aa5f304c5e6dc0ba108b8d72cf665ec02260473e2428cf41a8a342a7b1faf83f2677b9c

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
583KB

MD5
d0489d1f9bf5bb88d7a6c39e1d4e7270

SHA1
5ceee3fdb1949eb8d17cc99e7e57c8528290e2bd

SHA256
72d7f46cc89b9084ad3c024cd40268042bb8b70066284188b8c388bc4f787af3

SHA512
d792d6638cbecbbdbd3acbc5baaf68a5c530cb911b6c06839432e68d0fa319af7f1051d2560bd4857f62c570f217609f7b4484ccb13856af49eb10dc19c0e3a7

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
649KB

MD5
33d1fbbb3236bc3a2843e45b01da9c5d

SHA1
c0847581b9a49f6b37cf8e6785578ea96b4de8a1

SHA256
48817c256c311abe3645d6b5a56e4c0361b9e781943bf5301951efa87e694ea0

SHA512
1e2692e1701ba9ba3d8d8a6420458270526a519eb413d725757e58133abcbd9d5835255d54e4f188da51e01635b974f50fafc5abc558c959f3c43ecb051c9274

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5F46.bat
Filesize
722B

MD5
a623d91ea2eb7f1fbe042afc275e85b5

SHA1
625072e4fe83f73dce14709f0b86e1cd6aa9ab51

SHA256
3ccbc5537bc77a193d386b813182a4bc5a3e81b4e3f6bfd525b956b5728d0ff2

SHA512
30af4469cebaef80a3749dbf354b8d4c56f02f2eae1d9ed7effe879cc9594cce7372469f07b2b239c01287eca1480a72d114b77b05d279812097142d149aee03

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb421296b9f5c0c3b1c0a6647bd0f491558d853054fef5de4127ce92beddfbaa.exe.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe
Filesize
39KB

MD5
2e37e017a3b74e974e64745682b0d9ff

SHA1
9cb58a2c621331ee34fb433706db05a3d9953558

SHA256
ab1bf4f80870eb86bfc589bf20f514ac3146b4f8e32e5e3f85085952ae448c1a

SHA512
9d3be56ded87fabffa7ac2ea39401e776f6723235be4e6d3a7031a77545e0dc38d2a0ca75f8ea689e0ab7885307410bb7e38b16a2a87021b554f8c687b526ece

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini
Filesize
9B

MD5
304501c003da3bc5756aa53a757c30cc

SHA1
94dfcea0ef17f89b3a60a85a07edb4c00170cc1c

SHA256
9f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e

SHA512
78cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8

Download Submit
memory/2232-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-2698-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-8660-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-8706-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4128-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4128-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads