Analysis
max time kernel: 150s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:32
Static task: static1
Behavioral task: behavioral1
  Sample: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
  Resource: win10v2004-20240508-en
General
Target: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Size: 27KB
MD5: 3262af3b3175a752b3dc89d5befd082f
SHA1: e21b1e0a8298ce207987bf3479d995516ffb1c4a
SHA256: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788
SHA512: c2a167c48d803b206f5235cd61ab0f165241fe50d31f0471a117d692d7b3cd87a546ed2e03c7e6c261d0887ea77960e69ae48788cd5289c8142a1ba97a60b720
SSDEEP: 384:MYV1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:l16GVRu1yK9fMFLKaTxsujCT7pZpY
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process for all rows: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
description | ioc
File opened (read-only) | \??\V:
File opened (read-only) | \??\K:
File opened (read-only) | \??\I:
File opened (read-only) | \??\G:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\X:
File opened (read-only) | \??\W:
File opened (read-only) | \??\R:
File opened (read-only) | \??\O:
File opened (read-only) | \??\H:
File opened (read-only) | \??\U:
File opened (read-only) | \??\P:
File opened (read-only) | \??\M:
File opened (read-only) | \??\L:
File opened (read-only) | \??\T:
File opened (read-only) | \??\S:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\N:
File opened (read-only) | \??\J:
File opened (read-only) | \??\E:
Drops file in Program Files directory (64 IoCs)
Process for all rows: 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
description | ioc
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini
File created | C:\Program Files\Java\jre-1.8\legal\_desktop.ini
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\_desktop.ini
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini
File created | C:\Program Files (x86)\Internet Explorer\_desktop.ini
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_desktop.ini
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\_desktop.ini
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_desktop.ini
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe (the same pid/process pair is recorded 20 times)
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 3092 wrote to memory of 3436 | 3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 83
PID 3092 wrote to memory of 3436 | 3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 83
PID 3092 wrote to memory of 3436 | 3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 83
PID 3436 wrote to memory of 2016 | 3436 | net.exe | 85
PID 3436 wrote to memory of 2016 | 3436 | net.exe | 85
PID 3436 wrote to memory of 2016 | 3436 | net.exe | 85
PID 3092 wrote to memory of 3556 | 3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 56
PID 3092 wrote to memory of 3556 | 3092 | 9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe | 56
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 3556
   2. C:\Users\Admin\AppData\Local\Temp\9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9760f2e8aa488761a0086d8c1d015d250d11c9c2b468c0c6786502c5f48bf788.exe"
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3092
      3. C:\Windows\SysWOW64\net.exe
         command line: net stop "Kingsoft AntiVirus Service"
         - Suspicious use of WriteProcessMemory
         PID: 3436
         4. C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 2016
Network
MITRE ATT&CK Enterprise v15
Downloads
1. (no path recorded)
   Filesize: 170KB
   MD5: 0948f26e6c4513c2342d45e440b05f5a
   SHA1: 183002a8beb85f38d06f785208acf6e01b1f5950
   SHA256: ac6431080732324beda7b0e02c50c186f137d579342029bba1a7ce4d345222f6
   SHA512: d8220af1af295f9e144e0b1e5220706e12d9236cd45d390cedf255565657a492173659f666f50be70482490cde74632329b72d55d2ecbc23c23c3ca32a67c7fd
2. C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
   Filesize: 637KB
   MD5: 9cba1e86016b20490fff38fb45ff4963
   SHA1: 378720d36869d50d06e9ffeef87488fbc2a8c8f7
   SHA256: a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
   SHA512: 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765
3. (no path recorded)
   Filesize: 8B
   MD5: af485d3db9f82d3e5bdc8c6d87fb742e
   SHA1: f879c3dbd3d34e9789ff73896508bfbeabbf7468
   SHA256: 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759
   SHA512: d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360