Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 23/07/2024, 19:01
Static task: static1
Behavioral task: behavioral1
Sample: b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
Resource: win7-20240705-en
General
Target: b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
Size: 88KB
MD5: f2669978d5f4898f94c36890bc71f311
SHA1: e6022c5df293b115f231a393b2a22d462e653eab
SHA256: b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1
SHA512: 781ae9b9e28ccaf6752289f0bbbd93dc9ce8444f330ac8bf766ef1479bb280ade11741702303703cf9d73f34dc8a28cfdb1a1205c75d927e0f530b7b76da5ad5
SSDEEP: 1536:Hsae+Zk7qzUJBeLkbiT29dX42zHxvuS6YGJYjilZrPMC5V:Hsae+aezUDbHXR6Y0ZIC5V
Malware Config
Signatures
Drops startup file 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe
Executes dropped EXE 2 IoCs
pid Process
2992 Logo1_.exe
4656 b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by Logo1_.exe: \??\J: \??\G: \??\Y: \??\T: \??\R: \??\P: \??\N: \??\X: \??\M: \??\L: \??\K: \??\H: \??\W: \??\V: \??\I: \??\E: \??\Z: \??\U: \??\S: \??\Q: \??\O:
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Google\Temp\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Security\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe Logo1_.exe
File created C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Defender\de-DE\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini Logo1_.exe
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\rundl132.exe b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
File created C:\Windows\Logo1_.exe b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\Dll.dll Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (64 entries, all from the two processes below)
2260 b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
2992 Logo1_.exe
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target
PID 2260 wrote to memory of 3472 2260 b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe 84 (3 entries)
PID 3472 wrote to memory of 4200 3472 net.exe 86 (3 entries)
PID 2260 wrote to memory of 1076 2260 b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe 90 (3 entries)
PID 2260 wrote to memory of 2992 2260 b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe 91 (3 entries)
PID 2992 wrote to memory of 4764 2992 Logo1_.exe 92 (3 entries)
PID 4764 wrote to memory of 5104 4764 net.exe 95 (3 entries)
PID 1076 wrote to memory of 4656 1076 cmd.exe 97 (3 entries)
PID 2992 wrote to memory of 2968 2992 Logo1_.exe 99 (3 entries)
PID 2968 wrote to memory of 3184 2968 net.exe 101 (3 entries)
PID 2992 wrote to memory of 3564 2992 Logo1_.exe 56 (2 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3564
  C:\Users\Admin\AppData\Local\Temp\b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe"
    PID: 2260
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 3472
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4200
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90C6.bat
      PID: 1076
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe"
        PID: 4656
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 2992
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 4764
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 5104
          - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2968
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3184
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 257KB
MD5: 9650ed78debcd79b8f4e5437297bbd81
SHA1: 0087f5d3fe8221d62addade22b600824f8818421
SHA256: 4e8693622b732fdaf953b7ca5192466ac524201740945d849bd6afd0404817e3
SHA512: 9c66a42d83f9e132d09db322c00ca7404b6f7285f5d6cf4848aa7c1b4b82d35e8a0ad319780c38aa3f504d091b918d89a5bd683c85d24724c079ba9d2e58f658

Filesize: 583KB
MD5: 3ba4190218dc871fa2a4c0387d0d3a00
SHA1: a4d60147752e2d668583e2be441a228f72b80fa7
SHA256: 2506e369572544475c9fb47de4280dcd91678c168936b1d0afebe7fd8acc0c78
SHA512: 6142ef886894937dd7e95de25d28fc272c0fcccead142b8439958616877cd1cad9f86626ea51e7e73b6442d98f7d2006a7f5ec47bbb8a8683332f728584bc95d

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 649KB
MD5: 1ad09ab121869e9bedf81b1e82331d05
SHA1: 21270e52207071b7d304acb7d776c9abba38c15c
SHA256: 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512: 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

Filesize: 722B
MD5: 22d93b9e27da4cc02a958cb9c252dcbf
SHA1: 6a95bdeca1f31b4227544edccba14419d0456baa
SHA256: 2a776a475814b770fcbcade8dd851b3df95ba332aaa2008796b22227b84f486d
SHA512: 6df60b879aa978e42215ba7e50d7584f5d30e40ad5a5a7bb081ef0ea635a30921019aaeb1819b52b9c059557a7aef2663e4bef6c2a99cfeafa7c029b94ab3181

C:\Users\Admin\AppData\Local\Temp\b064850af1e35a56f6243ecbe8835d31ca4cd1bf9f437765c8589f8911f3e7d1.exe.exe
Filesize: 48KB
MD5: 422a02111fabd3e229ffd105d6054f56
SHA1: 7930d07dbc89c1113eec7cbd492daf3a025939b2
SHA256: 2d6bd317e34216f318ce9fb34fbc24e6260b1472930a8c0f126792f8ff821a9e
SHA512: a46b5f8b6cb3cf2cb9714a0708ff63dfe4b543ab4a651f2b8ab93ce54ae77e8c7f6d67a8d9d4481957ada966f778ac6d1cceb24b1d8bbad2a6bca77b0bc9ea59

Filesize: 39KB
MD5: dd45e175b084f3e7b3923cb8fcb3833b
SHA1: e44896aa2e3e4a8ba6677fd10c4eac8315b3939c
SHA256: cff2b960d67366aedaec8aaa4388a3537000a7253a3eeef378d24e1a171a4f13
SHA512: 562284581292c3965df7e1f95bcffa2047d9a9e42e863e32b9cfc7b289270db24ca1ecb004f26d499d9901c49c11844cf3868b93b4b704f30a98ba4b52824fba

Filesize: 9B
MD5: ece8e24737d1957fb4e94d8890ee8d02
SHA1: 6c79bfb99f560a2102a903116f5a0c195f7885e4
SHA256: d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8
SHA512: ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37