39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
Size

33KB
MD5

a5817ced46296620f62b49e66c0e0b7e
SHA1

56446bbb1855257d094cb44e4e216b64bcd25fe0
SHA256

39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525
SHA512

8b7ebb7fbb377450ddddcf447afe8cd0d67f422f101c8f6f8f81746e027084ce1c8a7e01da7311ba4ceb6d4e1dacf9220dd471970833cd32bfa241691d03b5b2
SSDEEP

768:JMTuUjElOIEvzMXqtwp/lDTJg/MFksCRsd2u9C9MFWoVaZel:JMraYzMXqtGN/CstC9qVF

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\W:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\T:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\P:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\I:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\G:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\X:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\V:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\S:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\Q:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\J:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\Z:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\U:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\R:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\M:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\O:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\N:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\L:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\K:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\H:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened (read-only)	\??\E:	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-sl\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\WindowsPowerShell\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\Microsoft Office\root\vfs\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ar-ae\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
File created	C:\Windows\Dll.dll	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3280	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	84
PID 1908 wrote to memory of 3280	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	84
PID 1908 wrote to memory of 3280	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	84
PID 3280 wrote to memory of 3364	3280	net.exe	86
PID 3280 wrote to memory of 3364	3280	net.exe	86
PID 3280 wrote to memory of 3364	3280	net.exe	86
PID 1908 wrote to memory of 1556	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	90
PID 1908 wrote to memory of 1556	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	90
PID 1908 wrote to memory of 1556	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	90
PID 1556 wrote to memory of 2400	1556	net.exe	92
PID 1556 wrote to memory of 2400	1556	net.exe	92
PID 1556 wrote to memory of 2400	1556	net.exe	92
PID 1908 wrote to memory of 3392	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	56
PID 1908 wrote to memory of 3392	1908	39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe
  "C:\Users\Admin\AppData\Local\Temp\39a0b0f9c415f548da5c361e1c56a2fa903e8093994b972df58ec29e35af7525.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3364
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
b98375ef67a25cbbe3b07b73db06fd5f

SHA1
13982700453cdb9eea2f379ddaaf1190fbec416f

SHA256
133098863ca68149323c479a8f4c4c21982cee4d8c3668b1b0f58dbb7775e6f0

SHA512
e5c003b4a6c5dced6d4102913ba9715bcf99b29daeacd041a5b8cb31b4642cd668ef9d5723f1ddfd653a9627f4d09ad097d12896f58307b860c6e715fb6ee6ab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
177KB

MD5
b3a28c6142db5f9e1b45802cd2188f20

SHA1
fa998e67663cd687b41aaf6ff9c78a666b0e91a0

SHA256
1de350b8490a631cc104c79b5c19097be44d55ab6541fcff5e3d6f9f997fcbc5

SHA512
7f8fa0fb7ea724252cabfc5e8a8fc16f260594f870a8d7b22b272edd9cc888c2a80ec0af198b028b8f428f93c9f89c73f313c820e2d1ef8bd26015ff202fed0a

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
b683d08031e54ea6942378775fcacdf7

SHA1
a2e7e8911ab44ce6e768058d02e2d68a8b093c7d

SHA256
7d2c375e7c1e52dfb0254cab9fb3816c5a1ba987b44910dcbbc5f0b3b8294070

SHA512
68d53577071249f8e4a5a70713c9b82a295bde488e00cb5c5287ed7c78a5195829eb65c83ddee6f64f6da085d3c0b0723249464044f20088b76aa631dff72599

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\_desktop.ini

Filesize
9B

MD5
9810b812fea5407a7c6a6b912eab6de9

SHA1
653710a103c34c6d87e85d547de48561b1579927

SHA256
497dc92fb09ed6740a1e704ddf5f45daf1d330f0977aaf1142604be15753e7ef

SHA512
a23126d1624a391a08931a8f98ec9c26bc5bbe75de0f111bcdbf17b5bbe9bc6e748ca58e52c96fb9ea80509d5ad1c90bf1d92e472b08b2532321106ba1aca2cd

Download Submit
memory/1908-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-3009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-8805-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download