520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
Size

27KB
MD5

bb27255c2ad0322ea91f78075c91a67b
SHA1

cd7e9b4a8cb7030f2ae2f595113580c36ffe6b8e
SHA256

520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b
SHA512

e4d9226d13927482b289c6e3148605db0ddd5b3bd6e402bf074775b7ce2995b8aa7dab7a65f49b62a3466b0781b1f9af93613b1f123aee018327f630147ed229
SSDEEP

768:hrSw16GVRu1yK9fMFLKaTxsujCT7pZpY:hrX3SHmLKarIpY

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\Y:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\X:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\R:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\P:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\H:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\U:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\T:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\S:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\O:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\N:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\L:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\E:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\W:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\V:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\Q:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\M:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\J:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\I:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\G:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened (read-only)	\??\K:	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\Windows Security\BrowserCore\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\Java\jre8\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\_desktop.ini	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1696	4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe	81
PID 4676 wrote to memory of 1696	4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe	81
PID 4676 wrote to memory of 1696	4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe	81
PID 1696 wrote to memory of 3932	1696	net.exe	83
PID 1696 wrote to memory of 3932	1696	net.exe	83
PID 1696 wrote to memory of 3932	1696	net.exe	83
PID 4676 wrote to memory of 3472	4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe	56
PID 4676 wrote to memory of 3472	4676	520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe
  "C:\Users\Admin\AppData\Local\Temp\520eec92d440b2950ca7e16d81f5b779accadccf14c28a2ff9ce08bc4f8bdd2b.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
aa78caa9612b344d008573d41eeecc6f

SHA1
a291dc1ac01093b476f9d8d50d2424ae3e0a7c63

SHA256
d28e45cce9209552f3505371dd4a543080c8ebef6b9adaa8507180cab2f8a7c5

SHA512
446cb909f4d46b1591e54583aef008b2dd78a223a156899869a5c4fed600d2a70f76ce1b08960a4db89a6ac12600f695a15fcc9c7c59d89607e88613f0b6a43c

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
637KB

MD5
9cba1e86016b20490fff38fb45ff4963

SHA1
378720d36869d50d06e9ffeef87488fbc2a8c8f7

SHA256
a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

SHA512
2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1162180587-977231257-2194346871-1000\_desktop.ini

Filesize
8B

MD5
af485d3db9f82d3e5bdc8c6d87fb742e

SHA1
f879c3dbd3d34e9789ff73896508bfbeabbf7468

SHA256
7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759

SHA512
d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360

Download Submit
memory/4676-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-1216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-4782-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-5221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download