052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 16:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Size

382KB
MD5

ca5a8abe7a4d13dd7967d7c855e51ea1
SHA1

bdc40bea95ce72f439d2d6cd80e7b008f367c25c
SHA256

052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6
SHA512

35a74db4ddb4dc315114ed755d66beb9a7771e3b61536bcdd1c63d981db14a2dc14b76649a644a32d8ef40b2e78f944eaaf26146465e8a3d619481a01cd91cde
SSDEEP

6144:Fj9iaj9iaj9iaj9iaj9iaj9iaj9iaj9i8:FjEajEajEajEajEajEajEajE8

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2652	Logo1_.exe
2832	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2608	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2588	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
292	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2032	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2480	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
1084	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2928	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe

Loads dropped DLL 16 IoCs

pid	Process
2096	cmd.exe
2096	cmd.exe
2704	cmd.exe
2704	cmd.exe
2492	cmd.exe
2492	cmd.exe
3032	cmd.exe
3032	cmd.exe
1136	cmd.exe
1136	cmd.exe
1852	cmd.exe
1852	cmd.exe
2504	cmd.exe
2504	cmd.exe
2796	cmd.exe
2796	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\rundl132.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
File created	C:\Windows\Logo1_.exe	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe
2652	Logo1_.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2096	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	31
PID 2324 wrote to memory of 2096	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	31
PID 2324 wrote to memory of 2096	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	31
PID 2324 wrote to memory of 2096	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	31
PID 2324 wrote to memory of 2652	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	33
PID 2324 wrote to memory of 2652	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	33
PID 2324 wrote to memory of 2652	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	33
PID 2324 wrote to memory of 2652	2324	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	33
PID 2652 wrote to memory of 2188	2652	Logo1_.exe	34
PID 2652 wrote to memory of 2188	2652	Logo1_.exe	34
PID 2652 wrote to memory of 2188	2652	Logo1_.exe	34
PID 2652 wrote to memory of 2188	2652	Logo1_.exe	34
PID 2096 wrote to memory of 2832	2096	cmd.exe	36
PID 2096 wrote to memory of 2832	2096	cmd.exe	36
PID 2096 wrote to memory of 2832	2096	cmd.exe	36
PID 2096 wrote to memory of 2832	2096	cmd.exe	36
PID 2188 wrote to memory of 2820	2188	net.exe	37
PID 2188 wrote to memory of 2820	2188	net.exe	37
PID 2188 wrote to memory of 2820	2188	net.exe	37
PID 2188 wrote to memory of 2820	2188	net.exe	37
PID 2832 wrote to memory of 2704	2832	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	38
PID 2832 wrote to memory of 2704	2832	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	38
PID 2832 wrote to memory of 2704	2832	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	38
PID 2832 wrote to memory of 2704	2832	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	38
PID 2704 wrote to memory of 2608	2704	cmd.exe	40
PID 2704 wrote to memory of 2608	2704	cmd.exe	40
PID 2704 wrote to memory of 2608	2704	cmd.exe	40
PID 2704 wrote to memory of 2608	2704	cmd.exe	40
PID 2608 wrote to memory of 2492	2608	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	41
PID 2608 wrote to memory of 2492	2608	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	41
PID 2608 wrote to memory of 2492	2608	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	41
PID 2608 wrote to memory of 2492	2608	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	41
PID 2492 wrote to memory of 2588	2492	cmd.exe	43
PID 2492 wrote to memory of 2588	2492	cmd.exe	43
PID 2492 wrote to memory of 2588	2492	cmd.exe	43
PID 2492 wrote to memory of 2588	2492	cmd.exe	43
PID 2588 wrote to memory of 3032	2588	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	44
PID 2588 wrote to memory of 3032	2588	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	44
PID 2588 wrote to memory of 3032	2588	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	44
PID 2588 wrote to memory of 3032	2588	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	44
PID 3032 wrote to memory of 292	3032	cmd.exe	46
PID 3032 wrote to memory of 292	3032	cmd.exe	46
PID 3032 wrote to memory of 292	3032	cmd.exe	46
PID 3032 wrote to memory of 292	3032	cmd.exe	46
PID 292 wrote to memory of 1136	292	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	47
PID 292 wrote to memory of 1136	292	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	47
PID 292 wrote to memory of 1136	292	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	47
PID 292 wrote to memory of 1136	292	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	47
PID 1136 wrote to memory of 2032	1136	cmd.exe	49
PID 1136 wrote to memory of 2032	1136	cmd.exe	49
PID 1136 wrote to memory of 2032	1136	cmd.exe	49
PID 1136 wrote to memory of 2032	1136	cmd.exe	49
PID 2032 wrote to memory of 1852	2032	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	50
PID 2032 wrote to memory of 1852	2032	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	50
PID 2032 wrote to memory of 1852	2032	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	50
PID 2032 wrote to memory of 1852	2032	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	50
PID 1852 wrote to memory of 2480	1852	cmd.exe	52
PID 1852 wrote to memory of 2480	1852	cmd.exe	52
PID 1852 wrote to memory of 2480	1852	cmd.exe	52
PID 1852 wrote to memory of 2480	1852	cmd.exe	52
PID 2480 wrote to memory of 2504	2480	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	53
PID 2480 wrote to memory of 2504	2480	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	53
PID 2480 wrote to memory of 2504	2480	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	53
PID 2480 wrote to memory of 2504	2480	052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
  "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDAC5.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
      "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC1C.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDCE7.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDD73.bat
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE2F.bat
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEAC.bat
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDF38.bat
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDFB5.bat
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe"
        18⤵
        Executes dropped EXE
        
        PID:2928
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aDAC5.bat

Filesize
722B

MD5
4062a508f0b35f98ed2f617e8a4ef1ee

SHA1
f359e0677a622c707b3e04fd79cfb8d75b1b98e8

SHA256
7747356099f88c01f17b64a1396c20fd58b837fd2928a75db4936f58ea3c6feb

SHA512
1d4bf8e50561c404728286b0271a56c70d2aa4f505ab2c6000735e0b3ce4d9bb6386d2ff8130f4abe3de73750004f44dd4557cb006c55427cd48834fe16c8e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC1C.bat

Filesize
722B

MD5
fb81eda076ba176ea0e6c620954a2a4b

SHA1
ea80d5441028a3a457aa9efcdd1329d46b936547

SHA256
5d8ed385b7bda8685687fe72e322295622be9c3e7dbf6324b420cfc684bb3708

SHA512
bf5684757ce3cbc7e80392a14bcf2b0fbfa8b66455c79d96eff2c6392865f97326149c301e92bfbdf989915fa853c6ee141eb6d3617d80b7ddc0f8951072df22

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDCE7.bat

Filesize
722B

MD5
53576ae3fc990b419af8797ef25b4544

SHA1
55fc22a7b4c4ce19e23ebf3f68551ab3db7e4112

SHA256
ace86a49d97bd55ceff86a99537216a74755cadc47673229e556034691d35810

SHA512
ac41261fea95cc731841ca24d41be9eddba97de3b924fb3d87d014f18b3b5e0133a2bc0c26229961b9b9269baff646ef68da1e01b2759f5b70618027b2bb1ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDD73.bat

Filesize
722B

MD5
984c9eb8532431a2883bbba5496b0461

SHA1
aac35501b2e9e300600738bb98f8ba6b635d34c4

SHA256
a4fa0e5280f272cc9e3b861530ebb0db17ecdf72ab2f43820b926f865e8ccc1e

SHA512
82ca36fd4737b060d23468bb303c503b849975ee8fd238bf9420413ce0ad21ea13415e40b9850c56ceea7a27cffcb26b31a7d5d7752b4f943721a5edb3a1358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDE2F.bat

Filesize
722B

MD5
3699575879aaad5cb26a307d5d2f6fb3

SHA1
0ba0383a98f9309a37a9c350e8f73e9738ef711b

SHA256
9b545d58bb637817f6f4eba95f0eb3a297cc9b24ba76c81e8f2f3352be394462

SHA512
f15606c77f6c8ef2ccffa6d6cf0c62618878b83e5008dc6d50ffaac5b94b6e69e787a6d23518f40372c8814a3edd609e7152cb87e534b411a721f896bec8c030

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDEAC.bat

Filesize
722B

MD5
358c613c4328699e91f21052e638bdc3

SHA1
c3bf4287a810a25976aa6e6c4c3d283e374ad192

SHA256
0137b613ff2a956c603193bd1a93336a8947b54b753bc9e1f82586adb12876f3

SHA512
712b90d30d0f7759c516c879c40661e5add7d161150a197288fa56442d12116fe4b8f270213d86c006d22b4ba6be8cb7cc0a174dc833675ae87a19ac653dfeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDF38.bat

Filesize
722B

MD5
c9319f331d8774c39a04aac2c6930ca0

SHA1
2dfde76a8fac9fe93318cac996c163bdaa84f20b

SHA256
096874936fcb2b91bb95e5c417d8cb7449590b24cb257a14484efcbf9b6deff3

SHA512
b0e10b04322d100433819f9a068109298fdfce8d4c5388e8f3f246057e14cd33c36163673ad849bd115240b9af35fc7c6bd4ae8a7d2d50171e01f9c4740a2e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDFB5.bat

Filesize
722B

MD5
7613c746b2e8e71b3756e3df358d00c7

SHA1
7e7e4c21ccf45a107472db5f15356dac08f917e6

SHA256
1e8040bc9b8801d8c15a4b6155e5a9f8278c4fa3cc580d41be2c6689ce0ffc81

SHA512
5980cf70a6ab8c0e551d3cf4431e2dea89e3c2926cced9e1bb6300a84ffafab71ee7791232cfb98965f96c5df122640762c30f22799b89a653b2d2fff35db8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
337KB

MD5
a1f1b1fb12d33c8fd7dbc7db6db1a54e

SHA1
2d030ca7fb7a4ce2f2e5fcab3a285ca5058f060a

SHA256
e8c9fac2f128fe96154ca9920b2d5d4ee5b61eb9b4e53ff5d403edfd060b9544

SHA512
427ac368931c05d55f62ef4aa944d74085bbff7856c2ae71102ad06f3ad844a9df2d7bb42819c099ace1d7f3d39f6dccbac610c6f20b6ba0f8b2927171d31e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
293KB

MD5
596954e1b17b022a34f4123cf54fe7b2

SHA1
601771feeecfc995d6f6224ea80b153cecfe4628

SHA256
321c1d4b31a4d8addc9eac1eae206675718d41236095f304800144b0c2b9253d

SHA512
b589be16fd7b83ebb8e6512ab1cb80a9a186791f96ba0bf81f01c1a01b88e2a9b7c50f29201e88a412fd5804c091869a2b4bdd639b112d4fcfafd9227951a685

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
249KB

MD5
6f3257b3fc036dfb2c8eac18efdb3311

SHA1
3911997784a46f3f11013425af90956399d80d8e

SHA256
b4941ff8933cea786e5742c5ca07d612bfc3465e9987f52529a6f25ce6d5efaf

SHA512
f5a13c9e99ca2b5cf6ff22bd238d15ad4be9cabaa68bced30ace76f0fa70e10b61e2006f9f5a15b612d152f79e00a481cdbd7809b366ea7e958317f37f05555d

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
117KB

MD5
b2dc6cf07758334b16c885c941f89f62

SHA1
9a5c1727b938cd36faf38b588d72ff1fe7ca5140

SHA256
b047bfca893fffc31e870a58e09ced2a828f4dc97ea4c397f239484ef8805fe5

SHA512
ba2ca6a333c203cae3eb2eb66214f721d21e991f73723bf680b49973937d16532993899bc60246b94c396942191c60a359b8fcfa55680633847112d065adc6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
205KB

MD5
63390cc30dbd9a6d0a44e4ba52fa43e7

SHA1
afbea2dd6e8fb26c623a5c4d8758e06638171159

SHA256
eb88542590e3ebf3746d76f93716552aa6dfb18a7ba1d2528555b130cc01b99c

SHA512
4a561f9a41fe33d3385feef82a59e6b106ecccfaf6c86d402ab323503b56510d05868e33c7ab25e5fe5ebe2f8f99139ccae26af51160ba196ac402be55edfffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
161KB

MD5
775d8ccf5dc2f318945f582e80e9ec59

SHA1
dffa9e696d96391f9762796080c48d57b425ec9a

SHA256
dc0662e695991cb7656cc51c20f0ee5d84776972b1d3a3d22e0a09faafd3f3eb

SHA512
d2636868e2c33a4a9067ca96b5a503dbf50c94968428e50510d187b0426e053a871801eadf6d20d01b9e1cad6e96fce876bdbc5faebf61707da567bee4d4c473

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
29KB

MD5
ef5334ac59f3c2392fdf24f6802c2d17

SHA1
3e147fbcfa62b409aa1f33a5a5dbafd5139fec74

SHA256
2e43415aa19f473a27ea3aed0645cf0bcc1780424a570ef618e41e12ff59e5f3

SHA512
5ea4e427adb1c7b943fa0d705e06242901cca36ef357feb1eedd36ee29a57a4ae682d2f499401b42a83f14a172b705782f244f2497c2a96dd1e599bece391b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\052b99aee95b2b0dce5d96922b6c575d42e7479037fa10c20b3652bef0919ba6.exe.exe

Filesize
73KB

MD5
a0887469194fc099a8519c7aa7cc56c2

SHA1
324134a1d9153f44531291d8d5cb16145c1e891c

SHA256
d1add27aaadd199b6e5a1006b084427d9cf5dd63fee5eae083b8645366ad5d03

SHA512
3797d8ce9401c0826a6237688b023958356c28dc2a8ecdf099cf5e0c542294061a6254573ff1fa6f6c2412706aff819124f5d385a361ba41c56a2ef95b362467

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
f08bab75689e233f6e2bb382a15d0eee

SHA1
5f548a141d419746e528f866b398935c97efbcd8

SHA256
b801d0455bcff8eba1a4ba26f6c2244213ab6b5839db0435d50a453e3fba765c

SHA512
e949fd904251c7e158ffe300fb31a17a3e530b30e68dfb7d7cf389238c32ae697f3c9884506be94eb68f0195485ce3b1d3316a1da07c384cd18c7fe8967c4c4e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini

Filesize
9B

MD5
c20162cff0e529974834e150d7e6691f

SHA1
512e9821581354bd8078227ddf386b17e771ff38

SHA256
82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

SHA512
c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

Download Submit
memory/292-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/292-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1084-131-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1084-121-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1232-138-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1852-104-0x0000000000170000-0x00000000001BF000-memory.dmp

Filesize
316KB

Download
memory/2032-98-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2096-28-0x0000000000180000-0x00000000001CF000-memory.dmp

Filesize
316KB

Download
memory/2096-25-0x0000000000180000-0x00000000001CF000-memory.dmp

Filesize
316KB

Download
memory/2324-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2324-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2480-115-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2588-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2608-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2652-18-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2652-151-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2652-3278-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2652-3279-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2704-44-0x0000000000130000-0x000000000017F000-memory.dmp

Filesize
316KB

Download
memory/2832-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3032-73-0x0000000000140000-0x000000000018F000-memory.dmp

Filesize
316KB

Download