637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad

Resubmissions

10-06-2024 18:46

240610-xezgaswekc 8

10-06-2024 18:29

240610-w46q8swbqg 8

Analysis

max time kernel
150s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-06-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
Size

33KB
MD5

00a382a3d6bca076ca3db1809b87a802
SHA1

1d338f8174114c30ca71066b4b5773ede3099cbd
SHA256

637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad
SHA512

5e34f0b6320cd824cd476118946f85e03baf076f06ab627e6e14aae828da7a21d894f9a82c381e286992afbaf5e23af94bb69bef8b84616a86363ad45f2488ea
SSDEEP

768:JUMUElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JKaYzMXqtGN/CstC9qVF

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\W:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Q:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\O:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\I:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\H:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\G:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Z:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\T:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\M:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\K:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\J:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\Y:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\U:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\S:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\P:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\N:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\L:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\X:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\V:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened (read-only)	\??\R:	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Media Player\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
File created	C:\Windows\Dll.dll	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 192	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	74
PID 5116 wrote to memory of 192	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	74
PID 5116 wrote to memory of 192	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	74
PID 192 wrote to memory of 4576	192	net.exe	76
PID 192 wrote to memory of 4576	192	net.exe	76
PID 192 wrote to memory of 4576	192	net.exe	76
PID 5116 wrote to memory of 1372	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	77
PID 5116 wrote to memory of 1372	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	77
PID 5116 wrote to memory of 1372	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	77
PID 1372 wrote to memory of 2184	1372	net.exe	79
PID 1372 wrote to memory of 2184	1372	net.exe	79
PID 1372 wrote to memory of 2184	1372	net.exe	79
PID 5116 wrote to memory of 3444	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	54
PID 5116 wrote to memory of 3444	5116	637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe
  "C:\Users\Admin\AppData\Local\Temp\637bd4ff0d6480af5586a0b8eac52cdb618627f7ed02e87d2950e090d48203ad.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4576
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
01196a131bf7435155d876df98c6986b

SHA1
fa98fab5791b17b8709d81979ec2002bb64191c3

SHA256
ea03f24817b7d8b6748a188883522dc57d90265fcb709eb640b9df11b6c99a76

SHA512
2b7ad3abbe6af547424e8128d1d5e00b5b30eea5bd7fc7325a85553b6b99a3d2011a14ac8ca6e3779bcd97e939c28f0df9bf377eac1a7267ec2692a01eca51c4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
f9406c83e559cbee3b9c4fe7a4c7875c

SHA1
a3998b97def575bc65956db177d92a5c558318c8

SHA256
bfecf326289fe336e723b15dcb2b1ab4fd29d0c933623e13f28f27d86318fe6f

SHA512
73b03f461df3f149858a4be5d64dca524a255184f9d8e76093645dc72e5db0f4395b31208f01fde519a90918d23c096c26e24aa77b6822bcc3edc2ef283690fe

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
77ec999dc753d70d4a8fbc32a98efb2f

SHA1
172ba524961356c8cf218baf27e14c66a07ffefc

SHA256
7178ea26cd9a2cd05e48e5d856a330d3e276d798d14aa10852df737f141dfbc5

SHA512
67d6a5f5034c44c4dbd5df9f61dc7754a1981040f04e2bd8159b8311f9b57009d731ac051a7751ff4674817f3d6f2c3fb5537046a289f45ca038d10084b6bd58

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3699363923-1875576828-3287151903-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/5116-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-4879-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-8279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download