Analysis
-
max time kernel
150s
-
max time network
124s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240709-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted
23/07/2024, 18:55
Static task
static1
Behavioral task
behavioral1
Sample
b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
Resource
win7-20240708-en
General
-
Target
b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
-
Size
583KB
-
MD5
2ccd558eb7c5ee9bf5a6f0ceb8bebbaa
-
SHA1
d22d6b46dc81e1c4b2e23bb279d9560343ef794f
-
SHA256
b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630
-
SHA512
4214cc12140f1dca4f461678284ca73920fbc9da17e0a9e092c7f9243e59467910f27cf920fa5a624a81f4c74cb67488d23c10774ecf417072d64bef69200dc0
-
SSDEEP
6144:Vb+aezDE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHk:Vb+aB7a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4628 | Logo1_.exe
440 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files\MSBuild\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{1FAB8CFE-9860-415C-A6CA-AA7D12021940}\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Media Player\wmlaunch.exe | Logo1_.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe | Logo1_.exe
File created | C:\Program Files\Internet Explorer\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
File created | C:\Windows\Logo1_.exe | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
4628 | Logo1_.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 5076 wrote to memory of 4936 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 84
PID 5076 wrote to memory of 4936 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 84
PID 5076 wrote to memory of 4936 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 84
PID 4936 wrote to memory of 3180 | 4936 | net.exe | 86
PID 4936 wrote to memory of 3180 | 4936 | net.exe | 86
PID 4936 wrote to memory of 3180 | 4936 | net.exe | 86
PID 5076 wrote to memory of 3476 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 90
PID 5076 wrote to memory of 3476 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 90
PID 5076 wrote to memory of 3476 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 90
PID 5076 wrote to memory of 4628 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 91
PID 5076 wrote to memory of 4628 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 91
PID 5076 wrote to memory of 4628 | 5076 | b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe | 91
PID 4628 wrote to memory of 396 | 4628 | Logo1_.exe | 92
PID 4628 wrote to memory of 396 | 4628 | Logo1_.exe | 92
PID 4628 wrote to memory of 396 | 4628 | Logo1_.exe | 92
PID 396 wrote to memory of 3008 | 396 | net.exe | 95
PID 396 wrote to memory of 3008 | 396 | net.exe | 95
PID 396 wrote to memory of 3008 | 396 | net.exe | 95
PID 3476 wrote to memory of 440 | 3476 | cmd.exe | 96
PID 3476 wrote to memory of 440 | 3476 | cmd.exe | 96
PID 4628 wrote to memory of 4532 | 4628 | Logo1_.exe | 98
PID 4628 wrote to memory of 4532 | 4628 | Logo1_.exe | 98
PID 4628 wrote to memory of 4532 | 4628 | Logo1_.exe | 98
PID 4532 wrote to memory of 4496 | 4532 | net.exe | 100
PID 4532 wrote to memory of 4496 | 4532 | net.exe | 100
PID 4532 wrote to memory of 4496 | 4532 | net.exe | 100
PID 4628 wrote to memory of 3444 | 4628 | Logo1_.exe | 56
PID 4628 wrote to memory of 3444 | 4628 | Logo1_.exe | 56
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3444

    [2] C:\Users\Admin\AppData\Local\Temp\b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe"
        PID: 5076
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            PID: 4936
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID: 3180
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E34.bat
            PID: 3476
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe"
                PID: 440
                - Executes dropped EXE

        [3] C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            PID: 4628
            - Drops startup file
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                PID: 396
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 3008
                    - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                PID: 4532
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 4496
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
257KB
MD5
bbea7c85d68ae61edffcd20544c9dc3b
SHA1
2b54b260d133bdd36156454cbe3dae7f35fc7e5e
SHA256
d69ffb4c50ed4adb369daf318f3fb6ad9f2df7d8e7296dfd0c30c43bf767a9a1
SHA512
f8471749d74f60d5e0adc682c9203a94784ee65319ee70a8716930aca5daec6db39df1b245f7c41d8c4450f55b6e96931bd7e8591de71049b531cd5ef9c00f0a
-
Filesize
459KB
MD5
bd60ee5b0ec24513197745c415a9305f
SHA1
1965174735cc78e12d4aadea8c753eda23d843e8
SHA256
de1a3452c47e5eb120ab1903f88751513d95d26d32d5b482743762d09d6b086f
SHA512
fcf90a688d4079d9cfd0359fb59447934ab781382fed1ddf2088581f1125dffaadce8e223a0f9298a3cefd133e3e7b983d72fd7c1820a9be87a5b86f61958a97
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
649KB
MD5
1ad09ab121869e9bedf81b1e82331d05
SHA1
21270e52207071b7d304acb7d776c9abba38c15c
SHA256
834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512
4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b
-
Filesize
722B
MD5
1595403b97c16a5516f4bd7e6010f16a
SHA1
973b753d016bc40ffd265bd48748586132ff47f5
SHA256
36161876536fb74efef15cf352e4d88bf1f5b5a0aaa900f763821c1b4da8ae47
SHA512
d25eaac861af6edd7c39546bfb65ac52402838d5c706c5839d5eeee351d964118c5539ee63e85c995b769caba974071ae98813438f0f6c86f2d41594c0fb2a8f
-
C:\Users\Admin\AppData\Local\Temp\b1ad890621e9427eb8f95da838a501eef8890a7d6e5dddfd5df9f11627fc3630.exe.exe
Filesize
544KB
MD5
9a1dd1d96481d61934dcc2d568971d06
SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
39KB
MD5
8067976b5797adc4f22a601edf127c8a
SHA1
754973f0bc0049a15c8ebc51b352fafb3c62267c
SHA256
f38c559179c287a66d00b49998bc6b00e26339f8cbd3e26f9b044ac533775ffd
SHA512
f747e28511b12900daffc0c6db4605e6721eb052542d2eaaa36a939b67cdf123e784f69c2f50f0a02418c264f281ad6de18775ee1ebfb3314eb2b1aef54a1e15
-
Filesize
9B
MD5
ece8e24737d1957fb4e94d8890ee8d02
SHA1
6c79bfb99f560a2102a903116f5a0c195f7885e4
SHA256
d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8
SHA512
ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37