Analysis
max time kernel: 149s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 05/08/2024, 07:51
Static task: static1
Behavioral task: behavioral1
Sample: 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
Resource: win7-20240704-en
General
Target: 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
Size: 48KB
MD5: bb7f50dd8622ffa73d3c9267cd099fcc
SHA1: 0360191b3e957422c37f35683586a66cc8f0dc43
SHA256: 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d
SHA512: 04bc045ef7b98e8be5f1077893ff08feea4ea4c2aa8dcdd104bacea05085328f632949cb4dab75d86bf2a64d438333e5ab31fe18f4ef8b03371e3a644b40580c
SSDEEP: 1536:2jFUaYzMXqtGNttyeiZnZLYm1pHqaNrFd:2BUaY46tGNttyeQLYm1gaNpd
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (2 IoCs)
pid | Process
4160 | Logo1_.exe
548 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Mail\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Google\Temp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
File created | C:\Windows\Logo1_.exe | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
4160 | Logo1_.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 3796 wrote to memory of 3404 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 84
PID 3796 wrote to memory of 3404 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 84
PID 3796 wrote to memory of 3404 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 84
PID 3404 wrote to memory of 3464 | 3404 | net.exe | 86
PID 3404 wrote to memory of 3464 | 3404 | net.exe | 86
PID 3404 wrote to memory of 3464 | 3404 | net.exe | 86
PID 3796 wrote to memory of 1716 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 89
PID 3796 wrote to memory of 1716 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 89
PID 3796 wrote to memory of 1716 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 89
PID 3796 wrote to memory of 4160 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 90
PID 3796 wrote to memory of 4160 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 90
PID 3796 wrote to memory of 4160 | 3796 | 4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe | 90
PID 4160 wrote to memory of 4184 | 4160 | Logo1_.exe | 91
PID 4160 wrote to memory of 4184 | 4160 | Logo1_.exe | 91
PID 4160 wrote to memory of 4184 | 4160 | Logo1_.exe | 91
PID 4184 wrote to memory of 4072 | 4184 | net.exe | 94
PID 4184 wrote to memory of 4072 | 4184 | net.exe | 94
PID 4184 wrote to memory of 4072 | 4184 | net.exe | 94
PID 1716 wrote to memory of 548 | 1716 | cmd.exe | 95
PID 1716 wrote to memory of 548 | 1716 | cmd.exe | 95
PID 1716 wrote to memory of 548 | 1716 | cmd.exe | 95
PID 4160 wrote to memory of 4192 | 4160 | Logo1_.exe | 96
PID 4160 wrote to memory of 4192 | 4160 | Logo1_.exe | 96
PID 4160 wrote to memory of 4192 | 4160 | Logo1_.exe | 96
PID 4192 wrote to memory of 4504 | 4192 | net.exe | 98
PID 4192 wrote to memory of 4504 | 4192 | net.exe | 98
PID 4192 wrote to memory of 4504 | 4192 | net.exe | 98
PID 4160 wrote to memory of 3412 | 4160 | Logo1_.exe | 56
PID 4160 wrote to memory of 3412 | 4160 | Logo1_.exe | 56
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3412
  - [2] C:\Users\Admin\AppData\Local\Temp\4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe"
    PID: 3796
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 3404
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3464
        Signatures: System Location Discovery: System Language Discovery
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADE3.bat
      PID: 1716
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe"
        PID: 548
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - [3] C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4160
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 4184
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4072
          Signatures: System Location Discovery: System Language Discovery
      - [4] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 4192
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4504
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: 7187e57bf6587e0290c84666729a4f1a
SHA1: 4113616d1b705e5c0f5fbfdca64e3ea00cd6446d
SHA256: 12214e60a1bd2b22a68f22b9701d6020e3b191c4e6000388818d34b579a9926f
SHA512: aec22d2804ae1eea1d2413679b67dad9d9eec46fe8e6d52dad03d89b150bddd0eb01c75e2c43535bf7e85804eaca8c17e5fe3885e27a56e3c1b230472b3b90c7

Filesize: 577KB
MD5: ca45241ab37d2543ec7e865257a6624b
SHA1: c6215f9c480f74878da305b17df038e6e774fcf8
SHA256: 2f38dbe7083d17a2607ee4130d0f6bc380c2772c2b0d84f497204152a54aebd1
SHA512: 510d48ab18aec437fa7a58307e36e4431b5ea293ceafeedefcab1bdd935956bbc388f10ba566a7857f8030df2abb702b5428693c049efef28918e2032417f11f

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
MD5: 3f08938180b1d62adcbb9a592dda8e0d
SHA1: 8a110f259b0562c92fdc196c60e372cca20950a7
SHA256: 500b0c913216781eddc33bc4392c55fd67f4d8ddbd91d4dafef0dd4bdda0120f
SHA512: 361f3daefe3343536455c5dd102faea05f4ac13a9ba9b92ad93e73fcaf42dc4fc09190de8cb3fad9125fbc57501d94f500022e4d75eacdb5e3370569d91eb2af

Filesize: 722B
MD5: 1823b860e868ececfbe7116a5a2d06d0
SHA1: 546d76efefbe712fcef9b9d01b49990a593f0c3e
SHA256: 907f237efea755976d49bf2269dd30491fe6625b93d8b67c30e3018fa3f1def2
SHA512: f8e92a161a974b8d9c827ce97a198664af0859851353580ed99c8842afba8029c3c270856a9e1582807a5ffed27443d9eab62fd09de1c6b0eb065c5ae17a7f9f

C:\Users\Admin\AppData\Local\Temp\4f56321f98044b7cb756620164511bf9cd274ecd62f9370164ec68b9516bd36d.exe.exe
Filesize: 14KB
MD5: ad782ffac62e14e2269bf1379bccbaae
SHA1: 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256: 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512: a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Filesize: 33KB
MD5: 6b991b77278ff3e0361d675bd3545282
SHA1: 965fd57d2c91da1fa4cd0a8531ba7ffc53c8b01d
SHA256: 3ea8d208c122a64757df03291c0eeb363644ce491bd963cc73b4e5c654c15d1d
SHA512: df8595c245ea1c52dc0b8b70ffcfd3f8ce5c2fe445926b26336a0692980a97cef9e7574158bc862f5990070367565f786fa915cfec24d0d39b68a8985c5fce8a

Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Filesize: 8B
MD5: 0eba530c95ed92c62635372036e559bf
SHA1: d24bedd9e198e4f71f8e9d0dc36351d486609337
SHA256: fdac71b01088c649a174d112f28b274807c720c98d39c8ea678b0832f8cd4b39
SHA512: 7bf606115d882198ab92ff5d7f9f92f83e2e8bb4c2be9601ace2de9d7613938a56ffd51331ae22ff62b47fcc8bb54e9007a0375348a4a37b3b82e59d8ca1f3b1