637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad

Resubmissions

10/06/2024, 18:46

240610-xezgaswekc 8

10/06/2024, 18:29

240610-w46q8swbqg 8

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
Size

33KB
MD5

00a382a3d6bca076ca3db1809b87a802
SHA1

1d338f8174114c30ca71066b4b5773ede3099cbd
SHA256

637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad
SHA512

5e34f0b6320cd824cd476118946f85e03baf076f06ab627e6e14aae828da7a21d894f9a82c381e286992afbaf5e23af94bb69bef8b84616a86363ad45f2488ea
SSDEEP

768:JUMUElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JKaYzMXqtGN/CstC9qVF

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\W:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\T:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\S:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Q:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\R:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\L:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\K:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\I:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\H:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\E:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Z:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Y:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\P:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\N:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\J:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\G:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\X:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\V:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\U:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\M:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Mozilla Firefox\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Google\Update\Install\{7ADE9966-696F-4996-9E1A-1D7786573DA1}\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Java\jre7\lib\jfr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Windows\Dll.dll	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1516	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	28
PID 2988 wrote to memory of 1516	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	28
PID 2988 wrote to memory of 1516	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	28
PID 2988 wrote to memory of 1516	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	28
PID 1516 wrote to memory of 2912	1516	net.exe	30
PID 1516 wrote to memory of 2912	1516	net.exe	30
PID 1516 wrote to memory of 2912	1516	net.exe	30
PID 1516 wrote to memory of 2912	1516	net.exe	30
PID 2988 wrote to memory of 1884	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	31
PID 2988 wrote to memory of 1884	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	31
PID 2988 wrote to memory of 1884	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	31
PID 2988 wrote to memory of 1884	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	31
PID 1884 wrote to memory of 2392	1884	net.exe	33
PID 1884 wrote to memory of 2392	1884	net.exe	33
PID 1884 wrote to memory of 2392	1884	net.exe	33
PID 1884 wrote to memory of 2392	1884	net.exe	33
PID 2988 wrote to memory of 1208	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	21
PID 2988 wrote to memory of 1208	2988	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
  "C:\Users\Admin\AppData\Local\Temp\637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe"
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
01196a131bf7435155d876df98c6986b

SHA1
fa98fab5791b17b8709d81979ec2002bb64191c3

SHA256
ea03f24817b7d8b6748a188883522dc57d90265fcb709eb640b9df11b6c99a76

SHA512
2b7ad3abbe6af547424e8128d1d5e00b5b30eea5bd7fc7325a85553b6b99a3d2011a14ac8ca6e3779bcd97e939c28f0df9bf377eac1a7267ec2692a01eca51c4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
717KB

MD5
4a195e430df972e9f9ed3b6c61e368a1

SHA1
f35d1aaa45d6f6e0d2a1324f176a3ae990924b68

SHA256
9d365279fb64c7e7aa490ed3ee8ad6f09ff4309cf25625f40c6b63b105f9c147

SHA512
60e9cdd842239ca92eb34df3e26935ae23b7be1a52a69506357b9cfd81e44acb6c208dc31082d84edf0f9a38a5f180749050084f274a900775378a8509722022

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
77ec999dc753d70d4a8fbc32a98efb2f

SHA1
172ba524961356c8cf218baf27e14c66a07ffefc

SHA256
7178ea26cd9a2cd05e48e5d856a330d3e276d798d14aa10852df737f141dfbc5

SHA512
67d6a5f5034c44c4dbd5df9f61dc7754a1981040f04e2bd8159b8311f9b57009d731ac051a7751ff4674817f3d6f2c3fb5537046a289f45ca038d10084b6bd58

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/1208-5-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2988-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-3280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2988-4108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download