Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 06:58

Static task: static1
Behavioral task: behavioral1
  Sample: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
  Resource: win10v2004-20240508-en
General
Target: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
Size: 29KB
MD5: b5ca8bacca3ef773bdb62800d0598264
SHA1: 8288970776150108ce27ee6b8041d8597b636901
SHA256: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f
SHA512: 18e69a447cd15739cbbdf0afb14fc6c06729717890828be7a39a947d804f06d7df9aad11688594d474d80a6cf6b757691f22206022732fa78c7f776584f3fa20
SSDEEP: 384:NbbA+KIft1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p6g16GVRu1yK9fMnJG2V9dHS8
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for all 21 entries: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
description: File opened (read-only)
ioc: \??\H:, \??\P:, \??\L:, \??\K:, \??\I:, \??\J:, \??\Z:, \??\U:, \??\T:, \??\M:, \??\N:, \??\G:, \??\Y:, \??\X:, \??\V:, \??\R:, \??\E:, \??\W:, \??\S:, \??\Q:, \??\O:
Taken together, the sample probes every drive letter from E: to Z: except F:; A:, B:, C: and D: do not appear in the list.
Drops file in Program Files directory (64 IoCs)
Process for all 64 entries: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
61 of the entries are _desktop.ini files created or modified inside application directories. The remaining three open existing executables for modification and are the ones to examine first: chrome_installer.exe (Google Update), xjc.exe (JDK 1.8) and Microsoft.Wallet.exe (WindowsApps).
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\_desktop.ini
File opened for modification  C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\EBWebView\x86\_desktop.ini
File created  C:\Program Files\Windows Defender\it-IT\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\xjc.exe
File created  C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini
File created  C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created  C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini
File created  C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\_desktop.ini
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
File created  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini
File created  C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\_desktop.ini
File created  C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\Trust Protection Lists\Sigma\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini
File created  C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini
File created  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\_desktop.ini
File opened for modification  C:\Program Files\dotnet\swidtag\_desktop.ini
File created  C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini
Drops file in Windows directory (1 IoC)
File created  C:\Windows\rundl132.exe  (process: c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe)
The dropped name imitates the legitimate rundll32.exe: "rundl132" uses the digit 1 in place of the second "l", so a casual read of a process list or directory listing will miss it. Windows does not ship a file of this name.
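The three file-system signatures above are presented as flattened "description ioc Process" rows, and the few rows that matter (three executables opened for modification, one binary dropped into C:\Windows, twenty-one drive probes) are buried among the _desktop.ini writes. The following Python is an added triage example, not code from the sandbox report or its vendor. It parses rows in the report's layout, rebuilds the 21 drive probes from the letters listed above, and buckets the remaining rows so the executable writes stand out. The file rows are a subset copied from the tables above; the bucket names, the classification rules and the use of a single sample name for every row are this example's own choices.

```python
import re
import string
from collections import Counter

# Sample name exactly as it appears in the report's Process column.
SAMPLE = "c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe"

# The 21 drive letters listed under "Enumerates connected drives" above,
# in the order the report prints them.
DRIVE_LETTERS_ON_PAGE = "HPLKIJZUTMNGYXVREWSQO"

# A subset of the rows from the two "Drops file in ..." tables above.
FILE_ROWS = [
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini",
    r"File created C:\Program Files\Windows Defender\it-IT\_desktop.ini",
    r"File opened for modification C:\Program Files\dotnet\swidtag\_desktop.ini",
    r"File opened for modification C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe",
    r"File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe",
    r"File created C:\Windows\rundl132.exe",
]

# Rows in the report's "<description> <ioc> <process>" layout: the drive
# probes rebuilt from the letter list, then the file rows.
IOC_ROWS = [f"File opened (read-only) \\??\\{d}: {SAMPLE}" for d in DRIVE_LETTERS_ON_PAGE] \
         + [f"{row} {SAMPLE}" for row in FILE_ROWS]

# Greedy (.+) keeps spaces inside the path; the process name has none.
ROW_RE = re.compile(
    r"^(File opened \(read-only\)|File opened for modification|File created) (.+) (\S+)$")
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")


def parse_rows(rows):
    """Turn flattened 'description ioc Process' rows into dicts."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parsed.append({"action": m.group(1), "path": m.group(2), "process": m.group(3)})
    return parsed


def triage(rows):
    """Bucket file-system IoCs: drive letters probed, _desktop.ini writes
    counted by action, executables opened for modification, and files
    created under the Windows directory."""
    drives, ini, exe_mod, win_dir = [], Counter(), [], []
    for r in parse_rows(rows):
        path = r["path"]
        m = DRIVE_RE.match(path)
        if m:
            drives.append(m.group(1))
            continue
        low = path.lower()
        if low.endswith("\\_desktop.ini"):
            ini[r["action"]] += 1
        elif low.endswith(".exe") and r["action"] == "File opened for modification":
            exe_mod.append(path)
        if low.startswith("c:\\windows\\") and r["action"] == "File created":
            win_dir.append(path)
    return {"drives": sorted(drives), "desktop_ini": dict(ini),
            "exe_modified": exe_mod, "windows_dir": win_dir}


def unprobed_drives(probed):
    """Drive letters absent from the probe list (the report shows only probes)."""
    probed = set(probed)
    return [c for c in string.ascii_uppercase if c not in probed]


if __name__ == "__main__":
    result = triage(IOC_ROWS)
    print("drives probed:", "".join(result["drives"]))
    print("not probed:", "".join(unprobed_drives(result["drives"])))
    print("_desktop.ini writes:", result["desktop_ini"])
    for p in result["exe_modified"]:
        print("executable opened for modification:", p)
    for p in result["windows_dir"]:
        print("created in Windows directory:", p)
```

Run on the full tables rather than the subset, the same code lists all 61 _desktop.ini paths and the same three executables; the point of the exercise is that the executable bucket is what an analyst should pull from the sandbox and diff against the clean image's copies.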
Runs net.exe
The process tree below shows the invocation: net stop "Kingsoft AntiVirus Service", which net.exe hands to net1.exe.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid 1308, process c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe (all 20 entries name the same pid and process)
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                                                                   procid_target
PID 1308 wrote to memory of 2376   1308  c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe  90  (3 entries)
PID 2376 wrote to memory of 1912   2376  net.exe                                                                   92  (3 entries)
PID 1308 wrote to memory of 3532   1308  c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe  56  (2 entries)
From the process list below: 2376 is net.exe, 1912 is net1.exe and 3532 is Explorer.EXE. The writes into 2376 and 1912 target processes the writer itself had just started; the two writes into 3532 target Explorer.EXE, which the sample did not create, and are the ones worth a closer look.
Processes
1  C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3532
   2  C:\Users\Admin\AppData\Local\Temp\c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe"
      PID: 1308
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         PID: 2376
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 1912
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4500,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
   PID: 4312
net.exe and net1.exe are loaded from C:\Windows\SysWOW64, so the sample runs as a 32-bit process on this x64 image (consistent with the arch:x86 resource tag above). The msedge.exe utility process has no parent in the tree and no signatures; it is part of the sandbox image, not something the sample started.
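The tree above shows the sample stopping a security product's service through net.exe, which in turn spawns net1.exe, and both steps are ordinary signed Windows binaries. The following Python is an added detection example, not part of the sandbox report; it takes process-creation events, flags net.exe or net1.exe invocations that stop a service whose name looks like a security product, and walks the parent chain back to the originating process. The events are rebuilt from the process list above (PIDs, image paths and command lines as shown, with Edge's long command line truncated), plus two constructed benign events (PIDs 5000 and 5001, an admin stopping the print spooler) that the rule must not flag. The keyword list for "security product" and the event layout are assumptions of this example.

```python
import re

SAMPLE = "c383580391fac6b52221a73d95a5b4c289d40454ac86fa0e84a5e3d5292aa37f.exe"

# Process-creation events in a Sysmon-like shape (pid, ppid, image, command
# line). PIDs 3532/1308/2376/1912/4312 come from the report; Explorer's own
# parent is not on the page, so its ppid is None. 5000/5001 are constructed.
EVENTS = [
    {"pid": 3532, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 1308, "ppid": 3532,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "cmd": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"pid": 2376, "ppid": 1308, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 1912, "ppid": 2376, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 4312, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'},
    # Constructed benign control: an administrator stopping the print spooler.
    {"pid": 5000, "ppid": None, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\net.exe", "cmd": "net stop spooler"},
]

# Assumed keyword list; the report itself only shows "Kingsoft AntiVirus Service".
SECURITY_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "endpoint", "security", "protect")

# 'stop "Some Name"' or 'stop name'; case-insensitive because net.exe is.
STOP_RE = re.compile(r'\bstop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
NET_IMAGES = {"net.exe", "net1.exe"}


def image_name(path):
    """Basename of a Windows path without depending on the host OS separator."""
    return path.rsplit("\\", 1)[-1]


def stopped_service(cmd):
    """Service named in a 'net stop' / 'net1 stop' command line, or None."""
    m = STOP_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def lineage(by_pid, pid):
    """Ancestor chain, root first, stopping at unknown parents or a loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect_security_service_stops(events):
    """Return one hit per net.exe/net1.exe that stops a security-looking service."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = image_name(e["image"]).lower()
        if name not in NET_IMAGES:
            continue
        parent = by_pid.get(e["ppid"])
        # net.exe always delegates to net1.exe: report the outer net.exe once,
        # but still catch a net1.exe that was launched directly.
        if name == "net1.exe" and parent and image_name(parent["image"]).lower() == "net.exe":
            continue
        svc = stopped_service(e["cmd"])
        if svc is None or not any(h in svc.lower() for h in SECURITY_SERVICE_HINTS):
            continue
        hits.append({"pid": e["pid"], "service": svc,
                     "chain": [image_name(x["image"]) for x in lineage(by_pid, e["pid"])]})
    return hits


if __name__ == "__main__":
    for hit in detect_security_service_stops(EVENTS):
        print(f"pid {hit['pid']} stopped {hit['service']!r} via {' -> '.join(hit['chain'])}")
```

In practice the keyword list should be replaced by the exact service names of the products deployed in the environment, and the parent chain is what turns the alert into an answer: here it ends at a binary in the user's Temp directory launched from Explorer, which is the artifact to collect.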
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 254KB
MD5: 4358b42e9a78a50138303db5e5195b70
SHA1: f0e679f67f5d345a60f041afced3b7d66f99ccc5
SHA256: f65048220efb299ef26c562a13a956605d59848f3cceb00c7ced0ea9e447226c
SHA512: 008b89656992b04ba27b365c42f3daa6b0b21b9804d53a6e4b41907a653f4093086c2c4a2088081e04ef4f9a29d64a4e5138aee23ae75a3e6458eba8819fdbf3

Filesize: 173KB
MD5: ef26dd6c4f6b62774e524d1704cac0d7
SHA1: f352342cd6ee85243bfd1deaeb3f5a4b82b79820
SHA256: 44fc47eda68a2ce7b426dcc1345add6a5a5fb4a7616a9c663c05724d22994d1b
SHA512: af715d9150a286068308f91261e85960e5a61f4d43e5cae5631a412b84eaedd16fcb318de9aa7fdec62c36a92192ff71641533fa71d390cf8ef29b2fed16076a

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 639KB
MD5: 1010b22672d60223d3449e34e742de82
SHA1: d2b0717b5d13bce7540ef284eaaaaec0d43e54ff
SHA256: 63d148b4110e4050b82cacdb7be0a004eba84c33c971f56873998ec59ac354fc
SHA512: 1fb0fffed9f5de2551f8fb7821588f7c7773bb89f34bf8708833888cdbcd3da7c8b0301599aad129774ab272b7fd8cfb39ea361c23491aaa8bdbf6ccb1333e1e

Filesize: 9B
MD5: e850d9ceb7ebcc619d731dc2f1377b2b
SHA1: a45553c9057075c02e28f90d5e8ea57a0dddbacc
SHA256: b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c
SHA512: be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c