Analysis
max time kernel: 150s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
Resource
win7-20231129-en
General
Target: 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
Size: 491KB
MD5: 5eabd48682e009f3956c6740cfd9e393
SHA1: 54ad6044b7db8a7f43edbed592fe42ad60c694ce
SHA256: 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef
SHA512: 6c14299744431ebe2573e10c2ca0117b063933e61a0f3c5d5102011d1ad0fe7fa8c0100f97700cfd4ed13a18868114c44f74662c6a18ba4ed91b157466fbf44a
SSDEEP: 6144:k46tGdyPz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fa2:k3Nb1gL5pRTcAkS/3hzN8qE43fm78V
Malware Config
Signatures

Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 2 IoCs
pid | Process
1240 | Logo1_.exe
3388 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Multimedia Platform\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini Logo1_.exe File opened for 
modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini Logo1_.exe File created C:\Program 
Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files 
(x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Defender\uk-UA\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
File created | C:\Windows\Logo1_.exe | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 2748 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 
1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe 1240 Logo1_.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2748 wrote to memory of 3840 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 83
PID 2748 wrote to memory of 3840 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 83
PID 2748 wrote to memory of 3840 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 83
PID 3840 wrote to memory of 4808 | 3840 | net.exe | 85
PID 3840 wrote to memory of 4808 | 3840 | net.exe | 85
PID 3840 wrote to memory of 4808 | 3840 | net.exe | 85
PID 2748 wrote to memory of 2240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 88
PID 2748 wrote to memory of 2240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 88
PID 2748 wrote to memory of 2240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 88
PID 2748 wrote to memory of 1240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 89
PID 2748 wrote to memory of 1240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 89
PID 2748 wrote to memory of 1240 | 2748 | 10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe | 89
PID 1240 wrote to memory of 3340 | 1240 | Logo1_.exe | 90
PID 1240 wrote to memory of 3340 | 1240 | Logo1_.exe | 90
PID 1240 wrote to memory of 3340 | 1240 | Logo1_.exe | 90
PID 3340 wrote to memory of 2456 | 3340 | net.exe | 92
PID 3340 wrote to memory of 2456 | 3340 | net.exe | 92
PID 3340 wrote to memory of 2456 | 3340 | net.exe | 92
PID 2240 wrote to memory of 3388 | 2240 | cmd.exe | 94
PID 2240 wrote to memory of 3388 | 2240 | cmd.exe | 94
PID 1240 wrote to memory of 2904 | 1240 | Logo1_.exe | 95
PID 1240 wrote to memory of 2904 | 1240 | Logo1_.exe | 95
PID 1240 wrote to memory of 2904 | 1240 | Logo1_.exe | 95
PID 2904 wrote to memory of 2848 | 2904 | net.exe | 97
PID 2904 wrote to memory of 2848 | 2904 | net.exe | 97
PID 2904 wrote to memory of 2848 | 2904 | net.exe | 97
PID 1240 wrote to memory of 3416 | 1240 | Logo1_.exe | 56
PID 1240 wrote to memory of 3416 | 1240 | Logo1_.exe | 56
Processes

C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
PID: 3416

  C:\Users\Admin\AppData\Local\Temp\10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe"
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2748

    C:\Windows\SysWOW64\net.exe
    command line: net stop "Kingsoft AntiVirus Service"
    - Suspicious use of WriteProcessMemory
    PID: 3840

      C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      PID: 4808

    C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3662.bat
    - Suspicious use of WriteProcessMemory
    PID: 2240

      C:\Users\Admin\AppData\Local\Temp\10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe"
      - Executes dropped EXE
      PID: 3388

    C:\Windows\Logo1_.exe
    command line: C:\Windows\Logo1_.exe
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1240

      C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 3340

        C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2456

      C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 2904

        C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2848
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 258KB
MD5: dabffb38234f007c501cf88551471dfe
SHA1: ea9f4c4f46ffd3cb73b767b729c62cfcca6a065c
SHA256: f4126de53afbb2a68dead67d01bae1d52b38ae711b06d94629f952099e691d32
SHA512: 02229668f14c8057849b6e0babac2a5369e904178d8ac2ae5ac5dcff2ea659f4765b1590a4fe482165a4b2de7da43cb80c040befdf0410b3837ef7dfc915b6cf

Filesize: 577KB
MD5: f265293c315bc70d499702dcea4b1ac7
SHA1: dbd3e1030298ee731025e776c46948adb9bb5c12
SHA256: 521c916702966b6f1ba4ac9acea1e88e6af1f0f4a5c5c2af86c19a9b04e3dd52
SHA512: bf6d6616b6f632adfda964d650c6ee66c03a019dc9343b03e2dcd16ab975809f27cd03982d308a84200fa221e31bf8c2f4c25df4597efd17af204ef839796a37

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: c68e034d324260384602839c6e3295de
SHA1: add6ebe18274a2afd7756fcb2b5be590125eff7f
SHA256: 8317babad7376315f76f48454d7f4057d60f2a13f0e469a7c877473b220af74f
SHA512: 7c956a76088bae2a425fc13f8484027ae04bc9995b7ca85a92125801e0676ff660c2a1fcb4640424883455bc10a84d39788032d884e7b64178693b1a2a0885cb

Filesize: 722B
MD5: 680726d970d83fafe3b9c7f08dfb7cae
SHA1: 763d591cdf6707e51892e7e9f665ec71bdf673e4
SHA256: dcc85df225d0f662ba2d1ea31ac8411d5a15365fa7b63be89de5b25a52b63dbf
SHA512: a243d08697b14b353c1a2d078ba35b701be9cf6b9f54dc7c8e5deeae314277de0b4c62c6cd6001ac9e73bc6b9ba15b39f68f96ea86054d611b61eadd1d8ac852

C:\Users\Admin\AppData\Local\Temp\10b71c1e29e505566b0c3894ebc30a9363a3fc5a6ffd875a4dff7f762155b3ef.exe.exe
Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize: 33KB
MD5: 7514021d14a754dd434e4b38cb87ae3d
SHA1: 3ea156bdfea7751e851cf281b20783f3f9a4784d
SHA256: cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf
SHA512: 78ccfd339f3d905c1e8cb072951164f6b66407b1928fa2879b53c015a89c5027e2e10f81912bf21464b35d650750da811f0975084cf91b710dd6ead8a1d90308

Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Filesize: 8B
MD5: af485d3db9f82d3e5bdc8c6d87fb742e
SHA1: f879c3dbd3d34e9789ff73896508bfbeabbf7468
SHA256: 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759
SHA512: d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360