acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
Size

26KB
MD5

99f0fc02c36fcf6a20f2d4a1458a98ec
SHA1

29ed1d40f3861d9feb481c656efeff8544923a60
SHA256

acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19
SHA512

b27054906827e87bf9928c8f5addcc49f0e585220c0a80dfa1cd2bbeff3be6150cf10b8cef31e32e2fd5868dd5b72e67cd9629302f2493ddf2229065c4bf912f
SSDEEP

768:g1ODKAaDMG8H92RwZNQSw+IlJIJJREIOAEeF1:yfgLdQAQfhJIJ0IO61

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\L:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\K:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\E:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\P:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\N:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\W:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\V:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\U:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\T:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\R:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\Q:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\M:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\I:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\Z:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\O:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\H:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\X:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\S:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\J:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened (read-only)	\??\G:	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 368	4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe	83
PID 4384 wrote to memory of 368	4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe	83
PID 4384 wrote to memory of 368	4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe	83
PID 368 wrote to memory of 1188	368	net.exe	86
PID 368 wrote to memory of 1188	368	net.exe	86
PID 368 wrote to memory of 1188	368	net.exe	86
PID 4384 wrote to memory of 3516	4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe	56
PID 4384 wrote to memory of 3516	4384	acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe
  "C:\Users\Admin\AppData\Local\Temp\acbb97a69cb3a2e91bdf8419c3bc17d2324c64ca1d3abdae46d2092b8461be19.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
0258ef2c233a51a16266a4fe7fd171b2

SHA1
40a8b8f31d16dab2b1d0e80a1dd366ca8add6236

SHA256
c51c97fd8e20b709a1b68c5b25ae47f850457cb77e779fe76b23a985a0a1f298

SHA512
4065675ae9cc2c28fa401adcba16d62d24c1c001c344061a049c077387cdfd66172ecd0e119d2687b15d4d1eab359ca67db067ff59e89d3bdba8e5eed759a9e3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
b77ad33b477cef3b424e4e9e65753ea9

SHA1
5330533f566e9d147722bd5e785a9e6f16f594b1

SHA256
778b8e8bbe41a9a6f168aa318453876d2abce2e122399e1e5ee8ec89099702e3

SHA512
f3e3b7b5c1ab37daf78c11ccfa97596409c35720c770ba0d12e2b2c27eae34ec98917ba45ee4fc68ea1659b9987e8f62c538584243d0d51d1b8312263541d3bf

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
d82ffc872aed7c85cf936dcdcc2e6372

SHA1
50ca56cb4a429ce1532afaa2732f61833fc2b54f

SHA256
a487733710d946abff1a93a23ae6bbafd6c0800bc78e4d5e3cac36e2a14ddace

SHA512
0b0031418275c6be01f7757111058cd5bd3e5f4862e0631e2e28c5e7ffbb271446abdc2a88a7953ae55112799bc4a051becc2b14491e0d1760e336498665cc8b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\_desktop.ini

Filesize
8B

MD5
fcbaf0a2c3988ef775359f94d545ab42

SHA1
174ccd98ff87b8e6f46eebc493f379beafeb3b08

SHA256
895aaa8dac57f2bb76ddc8c2681e0480bf57dbf3f62cda3840cb448b8615612f

SHA512
7c81b6445708b1c482599bfb808e90462d6111e885691dd947d9cdf95ba028d580b20027575814a310a81f310261b649792b65153ce43063da063b5005561d20

Download Submit
memory/4384-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-4777-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-5222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download