Analysis

max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:32

Static task: static1
Behavioral task: behavioral1
Sample: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
Resource: win7-20240220-en
General

Target: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
Size: 33KB
MD5: 9331307acc6ea0119adac27759d11956
SHA1: 10cc3b729963eaf37ece65bfb77e4baf37a47003
SHA256: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d
SHA512: 9da4e4b2a124a3d1f25e22efe0681edb9ca900b03ae907fca9f320ef64ff05cac5cf6598c8c3f3af7bba561d927158de2362d8100e62081482c19af40fa118a8
SSDEEP: 768:FlSTRgpQFJFKZj1PVs9Ag1vzbExhU1GBRSkji:F4Tncx1aeg1vye1MRS
Malware Config
Signatures
-
Drops startup file (2 IoCs)
Process: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini
Note: Word's STARTUP folder is a persistence location because Word loads templates and add-ins (.dotm, .wll) from it, but a file named _desktop.ini is not something Word loads. The same sample writes _desktop.ini into every application directory it touches under Program Files (see that signature below), so this hit is most likely the directory sweep reaching the user profile rather than a deliberate Office persistence mechanism. Treat the file as an infection marker, not as a loader.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and session cookies. The report attaches no file or process IoCs to this signature, so the specific browser paths read are not recorded here.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
File opened (read-only), one entry per drive root, in the order the sandbox logged them:
\??\I: \??\G: \??\E: \??\W: \??\S: \??\Q: \??\L: \??\K: \??\M: \??\H: \??\X: \??\V: \??\U: \??\R: \??\N: \??\Z: \??\Y: \??\J: \??\T: \??\P: \??\O:
Every letter from E: to Z: except F: is probed, whether or not a volume is mounted under it, which is consistent with the sample iterating drive letters rather than querying the mounted volumes.
Drops file in Program Files directory (64 IoCs)
Process: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe for every entry. Each entry is a file named _desktop.ini written into an existing application directory:
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini
- File created: C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini
- File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini
- File created: C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini
- File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini
- File created: C:\Program Files (x86)\Google\Update\Install\_desktop.ini
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini
- File opened for modification: C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini
- File created: C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\_desktop.ini
- File created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini
Note: _desktop.ini (leading underscore) is not the desktop.ini file Explorer uses for folder customisation, and it is not a name used by Windows or by any of the applications whose directories appear here. The sandbox caps this list at 64 entries, so the real count on the analysis image is at least that. A file-system search for _desktop.ini under both Program Files trees is a cheap way to find other hosts the sample has run on.
Drops file in Windows directory (2 IoCs)
Process: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
- File created: C:\Windows\rundl132.exe
- File created: C:\Windows\Dll.dll
Note: rundl132.exe is a one-character lookalike of the legitimate rundll32.exe (the second "l" replaced by the digit "1"), and the real rundll32.exe lives in System32 and SysWOW64, not directly under C:\Windows. Neither dropped file is executed anywhere in this trace, so the report does not show what they do; both paths are still precise hunt indicators, and a casual look at a process list would not distinguish rundl132.exe from rundll32.exe.
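The three file-activity tables above (drive roots probed, _desktop.ini markers under Program Files, drops under C:\Windows) are exported by the sandbox as one long run of "<action> <path> <process>" entries. The following is an added example, not part of the report or of any vendor tooling, that parses such a run back into records and summarises it into a hunt list. The input is a constructed seven-entry excerpt in the same shape as the report's tables; it assumes process names contain no spaces, which holds for every entry here.

```python
import re
from collections import Counter

SAMPLE = "335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe"

# Constructed input: a short run in the same "<action> <path> <process>" shape as the
# report's flattened IoC tables (seven entries, not the full 21 + 64 + 2).
IOC_TEXT = " ".join([
    f"File opened (read-only) \\??\\I: {SAMPLE}",
    f"File opened (read-only) \\??\\G: {SAMPLE}",
    f"File opened (read-only) \\??\\E: {SAMPLE}",
    f"File opened for modification C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader"
    f"\\WebResources\\Resource0\\static\\js\\plugins\\ob-preview\\js\\nls\\cs-cz\\_desktop.ini {SAMPLE}",
    f"File created C:\\Program Files (x86)\\Windows Media Player\\Skins\\_desktop.ini {SAMPLE}",
    f"File created C:\\Windows\\rundl132.exe {SAMPLE}",
    f"File created C:\\Windows\\Dll.dll {SAMPLE}",
])

# One record = action keyword, a path (may contain spaces), then the process name.
# The lookahead stops the lazy path match at the next "File ..." entry or end of text,
# so a fused column header such as "description ioc process" before the first entry
# is simply skipped by finditer.
IOC_RE = re.compile(
    r"(?P<action>File created|File opened for modification|File opened \(read-only\))\s+"
    r"(?P<path>\S.*?)\s+(?P<proc>\S+\.exe)(?=\s+File\b|\s*$)"
)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")   # matches the NT form "\??\X:"


def parse_file_iocs(text):
    """Split a flattened IoC run into (action, path, process) tuples."""
    return [(m["action"], m["path"], m["proc"]) for m in IOC_RE.finditer(text)]


def summarize(records):
    """Group what the sample touched: drive roots probed, directories that received
    a _desktop.ini marker, and files created directly under the Windows directory."""
    drives = sorted({DRIVE_RE.match(p).group(1) for _, p, _ in records if DRIVE_RE.match(p)})
    marker_dirs = sorted({p.rsplit("\\", 1)[0] for _, p, _ in records
                          if p.lower().endswith("\\_desktop.ini")})
    windows_drops = [p for a, p, _ in records
                     if a == "File created"
                     and p.lower().startswith("c:\\windows\\")
                     and p.count("\\") == 2]          # directly under C:\Windows, not a subdirectory
    return {
        "drives": drives,
        "marker_dirs": marker_dirs,
        "windows_drops": windows_drops,
        "actions": Counter(a for a, _, _ in records),
        "processes": sorted({proc for _, _, proc in records}),
    }


def hunt_list(summary):
    """Paths worth searching for on other hosts: the Windows-directory drops plus the
    marker file in every directory the sample wrote it to."""
    return summary["windows_drops"] + [d + "\\_desktop.ini" for d in summary["marker_dirs"]]


if __name__ == "__main__":
    s = summarize(parse_file_iocs(IOC_TEXT))
    print("drives probed:", ", ".join(s["drives"]))
    print("actions:", dict(s["actions"]))
    for path in hunt_list(s):
        print("hunt:", path)
```

Feed it the full text of the three tables and the drive list comes out as 21 letters, marker_dirs as 64 directories and windows_drops as the two C:\Windows files; the hunt list is then ready for an EDR file search without retyping any path.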
Runs net.exe
Two invocations, both net stop "Kingsoft AntiVirus Service" (PIDs 2272 and 532; see the process tree below). Stopping a security product's service before doing anything else is a defence-evasion step; on a host where that product is not installed the command simply fails, so the attempt, not its outcome, is the detection signal.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Process: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe
All 60 entries are the same process, PID 4708 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe (the report repeats "4708 <sample>" sixty times); no other process in the trace triggered this signature.
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe, net.exe, net.exe
Source PID -> target PID (target process), number of writes logged:
- 4708 (335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe) -> 2272 (net.exe): 3
- 2272 (net.exe) -> 5064 (net1.exe): 3
- 4708 (335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe) -> 532 (net.exe): 3
- 532 (net.exe) -> 548 (net1.exe): 3
- 4708 (335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe) -> 3552 (Explorer.EXE): 2
Caveat: writes from a parent into a child it has just spawned (sample -> net.exe, net.exe -> net1.exe) are what ordinary process creation looks like to this signature. The two writes from the sample into Explorer.EXE (PID 3552), which is the sample's own parent and not a process it created, are the ones to treat as possible code injection; on a live host, capture the memory of that Explorer process before it is restarted.
Processes

C:\Windows\Explorer.EXE  (PID 3552)
    command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe  (PID 4708)
        command line: "C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe"
        signatures: Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe  (PID 2272)
            command line: net stop "Kingsoft AntiVirus Service"
            signatures: Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe  (PID 5064)
                command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

        C:\Windows\SysWOW64\net.exe  (PID 532)
            command line: net stop "Kingsoft AntiVirus Service"
            signatures: Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe  (PID 548)
                command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Note: net.exe and net1.exe run from SysWOW64, so the sample is a 32-bit process and its child launches go through WOW64 file-system redirection (consistent with the arch:x86 resource tag). Both children do the same thing, stop the "Kingsoft AntiVirus Service" service; the report names no other service and does not record whether that service existed on the analysis image.
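The process tree above is the part of this report a detection engineer would turn into rules: a short-lived net.exe / net1.exe chain stopping a security product's service, traced back to the process that issued it, and a binary whose name is one character away from a system executable. The following is an added example, not part of the report or of any vendor product, that runs both checks over constructed process-creation events (pid, ppid, image, command line) mirroring the tree. The final event, an execution of the dropped C:\Windows\rundl132.exe, does not occur in the report; it is constructed only to exercise the lookalike rule. The AV_HINTS and SYSTEM_BINARIES lists are the author's choices, not anything the report specifies.

```python
import re

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe")

# Constructed process-creation events mirroring the report's tree. The last event is
# NOT in the report: it is a hypothetical launch of the dropped lookalike, added only
# so that the masquerade rule has something to match.
EVENTS = [
    {"pid": 3552, "ppid": 1000, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4708, "ppid": 3552, "image": SAMPLE_IMAGE, "cmdline": f'"{SAMPLE_IMAGE}"'},
    {"pid": 2272, "ppid": 4708, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 5064, "ppid": 2272, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 532, "ppid": 4708, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 548, "ppid": 532, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 6001, "ppid": 4708, "image": r"C:\Windows\rundl132.exe", "cmdline": r"C:\Windows\rundl132.exe"},
]

NET_IMAGES = {"net.exe", "net1.exe"}
# "net stop <name>" with or without quotes around the service name.
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# Substrings that mark a service as security-related (author's list, extend per estate).
AV_HINTS = ("antivirus", "anti-virus", "defender", "kingsoft", "security", "protect")
# Well-known system executables whose names attackers imitate (author's list).
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "winlogon.exe", "dllhost.exe")


def base(path):
    """Lower-cased file name of a Windows path (os.path would split on '/' on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; 'rundl132.exe' vs 'rundll32.exe' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_av_stop_chains(events):
    """Map (originating image, service name) -> number of distinct net.exe launches that
    tried to stop a security-related service. net1.exe is folded into its net.exe parent
    so one 'net stop' is counted once, and the chain is walked up past net/net1 to the
    process that actually issued the command."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for ev in events:
        if base(ev["image"]) not in NET_IMAGES:
            continue
        m = STOP_RE.search(ev["cmdline"])
        if not m:
            continue
        service = m.group(1).strip()
        if not any(h in service.lower() for h in AV_HINTS):
            continue
        top = ev
        while top["ppid"] in by_pid and base(by_pid[top["ppid"]]["image"]) in NET_IMAGES:
            top = by_pid[top["ppid"]]
        origin = by_pid.get(top["ppid"])
        origin_image = origin["image"] if origin else "<unknown parent>"
        chains.setdefault((origin_image, service), set()).add(top["pid"])
    return {k: len(v) for k, v in chains.items()}


def find_masquerades(events, max_dist=1):
    """Return (image path, imitated name) for executables whose file name is within
    max_dist edits of a system binary name but is not that name."""
    hits = []
    for ev in events:
        name = base(ev["image"])
        for legit in SYSTEM_BINARIES:
            if name != legit and edit_distance(name, legit) <= max_dist:
                hits.append((ev["image"], legit))
                break
    return hits


if __name__ == "__main__":
    for (origin, service), n in find_av_stop_chains(EVENTS).items():
        print(f"{n}x net stop \"{service}\" issued by {origin}")
    for image, legit in find_masquerades(EVENTS):
        print(f"lookalike of {legit}: {image}")
```

The distance-1 rule is deliberately narrow: distance 2 would start matching unrelated short names, so a production version should pair it with a path check (a name imitating rundll32.exe running from anywhere but System32 or SysWOW64 is suspicious regardless of spelling).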
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded)
  Filesize: 258KB
  MD5: faaa09cb2d9197da4a00a0df01ac2e5c
  SHA1: ce497e70212da947764b054c161a468be867cf1b
  SHA256: 51d9d9203fddf941f10518b44fa657ea3a68c2156ba573b36cbec3c8959992c6
  SHA512: 98feb4b1927fe22b02fa5169dd77b774b8d467ff71ca6b5d6f5244723e6d4ce118d647821db2e1cbc8441316fdbec463bd1d06ce3a398b3ed43c7834ecbf43c6

- (no path recorded)
  Filesize: 717KB
  MD5: 2ed78a6c3ceb05a797136801832362d1
  SHA1: 92b80be47703bcc757ebd271989a06746bd3136b
  SHA256: 879d0c9b666fdaa2d6d8c75778ff85c5922942dd99eb21ee1e4cef4ada3f9b5a
  SHA512: 547f99bbabca1991c4623a3593e22491a277f53be488abe737152268f1478a5937d6fa3904e2d3b24d964f8422e18e863e49b6c3b766b9f2db7f99b14662bcdb

- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 643KB
  MD5: 9363a720e098b38389b25a7b18cfbcdd
  SHA1: 7b5e835b22262b47e6042e7aadecc67dac05f7db
  SHA256: 10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e
  SHA512: 564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

- (no path recorded)
  Filesize: 8B
  MD5: a6f28952c332969f9e6d9f7d1a449737
  SHA1: 31c0826adb63cc03162fb9e88781f4b50da8f11b
  SHA256: d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
  SHA512: 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

Note: three of the four artifacts are listed without a path. The third is the .NET Desktop Runtime 8.0.2 bootstrapper cached under ProgramData; because a file-writing sample was active on the image, check the Authenticode signature of that file (Get-AuthenticodeSignature in PowerShell) and compare its hash with a known-good copy before trusting it on an affected host.