bd801ec767786092b2b82051c673a9779cc3698b8b15b10146b90f4928d9f9a8

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f80b7dba1209d54298ffee6dd7d6c5.exe
Size

387KB
MD5

03f80b7dba1209d54298ffee6dd7d6c5
SHA1

2dd649fcbafa9ef687995150e0f29592e5109320
SHA256

bd801ec767786092b2b82051c673a9779cc3698b8b15b10146b90f4928d9f9a8
SHA512

25f3520ff60ee0616933f1afef7432c02fc635f4f2f5ee847b4dbbaabddfa0095fc5d58253b56eb3b19cc3cf71f655b76284c712f405b70a311225ac0cc1f589
SSDEEP

6144:vrQ7XBrQ7XBrQ7XlrQ7XzdyctYrT7/PsW8EZd40seWs9Zxip:vrEBrEBrElrEzbtYLPsfEHlWs9ap

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2684	Logo1_.exe
2668	03f80b7dba1209d54298ffee6dd7d6c5.exe
2476	03f80b7dba1209d54298ffee6dd7d6c5.exe
2212	03f80b7dba1209d54298ffee6dd7d6c5.exe

Loads dropped DLL 11 IoCs

pid	Process
2620	cmd.exe
2620	cmd.exe
2728	cmd.exe
2728	cmd.exe
2520	cmd.exe
2520	cmd.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0008000000015c78-12.dat	upx
behavioral1/memory/2244-16-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0008000000015c6b-21.dat	upx
behavioral1/memory/2668-33-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0008000000015c83-35.dat	upx
behavioral1/memory/2476-48-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/files/0x0009000000015c6b-50.dat	upx
behavioral1/memory/2520-52-0x0000000000170000-0x00000000001DA000-memory.dmp	upx
behavioral1/memory/2684-68-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2212-70-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2684-2615-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2684-4329-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	03f80b7dba1209d54298ffee6dd7d6c5.exe
File created	C:\Windows\Logo1_.exe	03f80b7dba1209d54298ffee6dd7d6c5.exe
File created	C:\Windows\Logo1_.exe	03f80b7dba1209d54298ffee6dd7d6c5.exe
File created	C:\Windows\Logo1_.exe	03f80b7dba1209d54298ffee6dd7d6c5.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1916	2212	WerFault.exe	43

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2244	03f80b7dba1209d54298ffee6dd7d6c5.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe
2684	Logo1_.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2352	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	28
PID 2244 wrote to memory of 2352	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	28
PID 2244 wrote to memory of 2352	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	28
PID 2244 wrote to memory of 2352	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	28
PID 2352 wrote to memory of 2000	2352	net.exe	30
PID 2352 wrote to memory of 2000	2352	net.exe	30
PID 2352 wrote to memory of 2000	2352	net.exe	30
PID 2352 wrote to memory of 2000	2352	net.exe	30
PID 2244 wrote to memory of 2620	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	31
PID 2244 wrote to memory of 2620	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	31
PID 2244 wrote to memory of 2620	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	31
PID 2244 wrote to memory of 2620	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	31
PID 2244 wrote to memory of 2684	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	33
PID 2244 wrote to memory of 2684	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	33
PID 2244 wrote to memory of 2684	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	33
PID 2244 wrote to memory of 2684	2244	03f80b7dba1209d54298ffee6dd7d6c5.exe	33
PID 2684 wrote to memory of 2480	2684	Logo1_.exe	34
PID 2684 wrote to memory of 2480	2684	Logo1_.exe	34
PID 2684 wrote to memory of 2480	2684	Logo1_.exe	34
PID 2684 wrote to memory of 2480	2684	Logo1_.exe	34
PID 2480 wrote to memory of 2632	2480	net.exe	36
PID 2480 wrote to memory of 2632	2480	net.exe	36
PID 2480 wrote to memory of 2632	2480	net.exe	36
PID 2480 wrote to memory of 2632	2480	net.exe	36
PID 2620 wrote to memory of 2668	2620	cmd.exe	37
PID 2620 wrote to memory of 2668	2620	cmd.exe	37
PID 2620 wrote to memory of 2668	2620	cmd.exe	37
PID 2620 wrote to memory of 2668	2620	cmd.exe	37
PID 2668 wrote to memory of 2728	2668	03f80b7dba1209d54298ffee6dd7d6c5.exe	38
PID 2668 wrote to memory of 2728	2668	03f80b7dba1209d54298ffee6dd7d6c5.exe	38
PID 2668 wrote to memory of 2728	2668	03f80b7dba1209d54298ffee6dd7d6c5.exe	38
PID 2668 wrote to memory of 2728	2668	03f80b7dba1209d54298ffee6dd7d6c5.exe	38
PID 2728 wrote to memory of 2476	2728	cmd.exe	40
PID 2728 wrote to memory of 2476	2728	cmd.exe	40
PID 2728 wrote to memory of 2476	2728	cmd.exe	40
PID 2728 wrote to memory of 2476	2728	cmd.exe	40
PID 2476 wrote to memory of 2520	2476	03f80b7dba1209d54298ffee6dd7d6c5.exe	41
PID 2476 wrote to memory of 2520	2476	03f80b7dba1209d54298ffee6dd7d6c5.exe	41
PID 2476 wrote to memory of 2520	2476	03f80b7dba1209d54298ffee6dd7d6c5.exe	41
PID 2476 wrote to memory of 2520	2476	03f80b7dba1209d54298ffee6dd7d6c5.exe	41
PID 2520 wrote to memory of 2212	2520	cmd.exe	43
PID 2520 wrote to memory of 2212	2520	cmd.exe	43
PID 2520 wrote to memory of 2212	2520	cmd.exe	43
PID 2520 wrote to memory of 2212	2520	cmd.exe	43
PID 2212 wrote to memory of 1916	2212	03f80b7dba1209d54298ffee6dd7d6c5.exe	44
PID 2212 wrote to memory of 1916	2212	03f80b7dba1209d54298ffee6dd7d6c5.exe	44
PID 2212 wrote to memory of 1916	2212	03f80b7dba1209d54298ffee6dd7d6c5.exe	44
PID 2212 wrote to memory of 1916	2212	03f80b7dba1209d54298ffee6dd7d6c5.exe	44
PID 2684 wrote to memory of 940	2684	Logo1_.exe	45
PID 2684 wrote to memory of 940	2684	Logo1_.exe	45
PID 2684 wrote to memory of 940	2684	Logo1_.exe	45
PID 2684 wrote to memory of 940	2684	Logo1_.exe	45
PID 940 wrote to memory of 808	940	net.exe	47
PID 940 wrote to memory of 808	940	net.exe	47
PID 940 wrote to memory of 808	940	net.exe	47
PID 940 wrote to memory of 808	940	net.exe	47
PID 2684 wrote to memory of 1336	2684	Logo1_.exe	21
PID 2684 wrote to memory of 1336	2684	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
  "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11DC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
      "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1297.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1314.bat
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 148
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1916
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a11DC.bat

Filesize
530B

MD5
3aa3c34897effee172ce085bd1c22112

SHA1
028df9624f1e83c4ed1449c14b767ad7ae5b1254

SHA256
6102af2e084222a48f588b9613a569720e0cc6e972a745bd81aa63b45dcf6359

SHA512
4a67a1576767bb805d8e06ef6477b43f22472e75192c4eb7b555c138cf48e139274f12e90d9327dfdd0c9a2856e293a2640951ee85af1a472d712235cb1f61a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1297.bat

Filesize
530B

MD5
bb275867408fbbfbf8bbfd4ae3df8c2e

SHA1
fb9dac2fd8062811682eeed4ac98dcc9e134f45a

SHA256
c096f73fd3ac134dcb8bec9be974b9ee9e013b31786b35a2af38134d97f42497

SHA512
3c0bb388ac7c784a3011f861622d41bfe7339f230c5184f11f13a27898277f3ae02d9afc4a5e25e13744ed4955dfeb9cef9109ad364ac970f83c18e8c19b879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1314.bat

Filesize
530B

MD5
76673f56f96735c015e7eee1069a7ec8

SHA1
a80017655a144817553b4fd6019753903d2e9aeb

SHA256
c99e3f5222ae36f975801b945650292f3044c3a23c1d78e4f98f6632cdcff430

SHA512
f4b56edce0e58d0a07a10cddaae91d81485a8365da42104c017a2567a90a588517904291e197299f5c475c2563adf2a90877fc2b69751a4496fc9018644e604a

Download Submit
C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe

Filesize
339KB

MD5
e290e3f05888c41b183b1b0ccf5a78e8

SHA1
fe1959dddfce6f7e87234165eea8d6eff33fc513

SHA256
7a19b98cbf1996794029692a052528cf14fc63363a1cd82b8e97c50a346ed83e

SHA512
039f807436ffe44334fb4ab97d32dafce031b628bf849c65b43a2735d79cf75b034ac5cf16c9ed106c2f699677aed8ad4ea3df6a0b6faecaf5f9b6aa8475f9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe

Filesize
291KB

MD5
db56329ce568e2d9a024fb904725e037

SHA1
7401f6ec77dc4f8b7e4ed0b18098a25288484a01

SHA256
4176a9e93eab3c08ca0d833521d619a36b70284b2fa0fbcb371305976cc2dbe6

SHA512
b618dc53e84db8e6d55c7986afc9574d462a833d0a411b0233b36f8e76082e3b1eb769f79d60babeab6650b3e28c3ad92485fe5b3123ce2b43fd381c9d000ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\03f80b7dba1209d54298ffee6dd7d6c5.exe.exe

Filesize
243KB

MD5
b7ee473ea670df0f7ca4370ab87b8d4a

SHA1
f04f50f4ed202fac2d4bdd4672ed6a2389695a24

SHA256
a7489a46923034f0088dfaf200ccd66674438a091a99b1039bd5619e8e7f8e60

SHA512
ce1219a65e7a268150cfde043f693eb9c8173f78ef5aec67577517c57d80af665e013071b4f470c4ad233cbe7818d8a10678955344320d0f8286ecfb329e3e9d

Download Submit
C:\Windows\Logo1_.exe

Filesize
48KB

MD5
88fedeec237fd85692523e1fc470a43f

SHA1
fe93b1c009682a49a48ed40f1f1e31ac026b16d9

SHA256
541cf3e519b509f16eb92b24da4bdb73af9873d5df9ceaa3400590de350d1858

SHA512
af1e1aa3c93166c5ab23243fed131415203f77ec4f34474522b35e646dcadd3ab5ca6243ef9eaa8236a071d4a69593c3f79e9297fab51c0a75f3093ce9ae08e5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
f0a92d08416cb87dc153ea387c708411

SHA1
37c1e98506bdb3d5ea2e7fcb62bb91c9bf5b4fb1

SHA256
478ccf01e44e5bd446e37007b199568a73c0452e34ce917945fd820710107464

SHA512
1dd7d96307c01abb2985ed1d39617787563174f5b90df9786106259ea12a08bdf39662c440bdc4b3ac4f6bb499a4aaf058ed18e06ef72be5f82f01b7150ec9a5

Download Submit
memory/1336-64-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2212-70-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2244-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2244-67-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/2244-17-0x00000000003B0000-0x00000000003E9000-memory.dmp

Filesize
228KB

Download
memory/2476-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-52-0x0000000000170000-0x00000000001DA000-memory.dmp

Filesize
424KB

Download
memory/2520-55-0x0000000000170000-0x00000000001DA000-memory.dmp

Filesize
424KB

Download
memory/2668-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2684-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2684-2615-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2684-4329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-39-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download