2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
Size

491KB
MD5

65dd19564cf8d9136999784be998dffc
SHA1

923b2520746c20ba98d0c47d273cb52a1c76a59c
SHA256

2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d
SHA512

7a1bd7162258a2c4d49569f2134242b9e271b9a53962c3954988925d777a5f05bb64fe59d727c4169403c32e3279b9bfb2d1871db85c21c3348a38f65245752e
SSDEEP

12288:J21quIf1gL5pRTcAkS/3hzN8qE43fm78V:s1q45jcAkSYqyE

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3280	Logo1_.exe
1136	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\copilot_provider_msix\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
File created	C:\Windows\Logo1_.exe	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe
3280	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 5092	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	89
PID 3528 wrote to memory of 5092	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	89
PID 3528 wrote to memory of 5092	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	89
PID 5092 wrote to memory of 5064	5092	net.exe	91
PID 5092 wrote to memory of 5064	5092	net.exe	91
PID 5092 wrote to memory of 5064	5092	net.exe	91
PID 3528 wrote to memory of 3692	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	95
PID 3528 wrote to memory of 3692	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	95
PID 3528 wrote to memory of 3692	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	95
PID 3528 wrote to memory of 3280	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	96
PID 3528 wrote to memory of 3280	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	96
PID 3528 wrote to memory of 3280	3528	2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe	96
PID 3280 wrote to memory of 3392	3280	Logo1_.exe	97
PID 3280 wrote to memory of 3392	3280	Logo1_.exe	97
PID 3280 wrote to memory of 3392	3280	Logo1_.exe	97
PID 3392 wrote to memory of 4732	3392	net.exe	99
PID 3392 wrote to memory of 4732	3392	net.exe	99
PID 3392 wrote to memory of 4732	3392	net.exe	99
PID 3692 wrote to memory of 1136	3692	cmd.exe	101
PID 3692 wrote to memory of 1136	3692	cmd.exe	101
PID 3280 wrote to memory of 3008	3280	Logo1_.exe	102
PID 3280 wrote to memory of 3008	3280	Logo1_.exe	102
PID 3280 wrote to memory of 3008	3280	Logo1_.exe	102
PID 3008 wrote to memory of 2800	3008	net.exe	104
PID 3008 wrote to memory of 2800	3008	net.exe	104
PID 3008 wrote to memory of 2800	3008	net.exe	104
PID 3280 wrote to memory of 3480	3280	Logo1_.exe	56
PID 3280 wrote to memory of 3480	3280	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
  "C:\Users\Admin\AppData\Local\Temp\2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4ACF.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe
      "C:\Users\Admin\AppData\Local\Temp\2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe"
      4⤵
      Executes dropped EXE
      PID:1136
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
b61fd429ec4dd833027ee350d29a6b86

SHA1
461913fac689f43c8bf3c61816f1356df5e1aa44

SHA256
9e0da4c7ee18e135b4231e94e3ca5347e981ef8300c5f616947dda5116a45d85

SHA512
773c28692b61651fa22d3ccea8628570bfc3450ce7c0f8b7b705bbc553631bc1ef8c28d948958cc254a65b3f56b57a03f2775e22c6ec07c15de8d981ec082467

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
93043fdb2b33ea3444f295c346cd812f

SHA1
316f738d2aa19f92fcc8f6fc2845aeb43fde3094

SHA256
d0cebe6e543e28953862cf49dafd11cc1fa416a610d1f1813a9db9162d7b6c61

SHA512
708867acd4a154fe76d4e0e536942e8f067b189a84de8c80bb9647bce9b42f8cca212903bb727ba6ecaa96470662196615b34bb81e54336f834a49acedf19408

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4ACF.bat

Filesize
722B

MD5
863e75f4a4a4050a83b346e3d1fb5e4c

SHA1
e88b3a5c5f922bbd5e35226541b26c102dfe9098

SHA256
a9677766d310937fe6d616af49b12b95a7f621e87a6e034c068b522cb4065ddd

SHA512
80cb7369b65f05a514f629246c0a582d9f4cff143fde1fd8ca88563d132438f400b3ccbb2747e990bcf63ec8832c121324bb9bbb659603f935a883ded05f040c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b992dbb3e1520f201b49cad00f0b44d3e3824a09d4e15cce81e9a2b4362b72d.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d9f4f8b3dccefdc485c02f1f0952a7bf

SHA1
fbc2711d2f6a163d04d61f501d5f80e79bb5da94

SHA256
c0ac58af88165336a655cc0a6353e2824cac0f5731d4458b50fce9a6266f891c

SHA512
cf4d794c9c21abda4cf00f11804bff10d1214e15c161aa8ab8821d32bb282f471db0f51e3a9e492d99315e4ff9e9f4cdeb0b8037bf357564d7ca269154dd2165

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\_desktop.ini

Filesize
9B

MD5
b7beb43f344015405dc34dab081d8434

SHA1
f194ae965145f76e4825c67337ef69da96f3954f

SHA256
d069f2206a0ca683611b357b347af3abd4c559602b5617591232512e6c0e1b02

SHA512
ee85ee5a36f6fe3381a853d2e0a0209e3d83271f29a9f980d1cbfb0309430f26b2658eedc501c0639d0dd6c929b093b8f9bf1e1a3ff1179e581fc07ae635a678

Download Submit
memory/3280-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3280-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3280-2096-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3280-9236-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3528-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3528-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download