Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/09/2024, 19:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe
- Resource: win7-20240903-en
General
- Target: b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe
- Size: 963KB
- MD5: 05856185e19e9591005fbc3b1b71c064
- SHA1: fb53f199268d0cb1a9dd2b0358062dcd33a46928
- SHA256: b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226
- SHA512: 14559d721cedbd62473dabb7c0117fb12199cc22f71f3e2f9497621e50b0e15cc0a49254aa64f8be7a1c3f25e5628c23a2ca04d33a610dd35dd760da18ca86a1
- SSDEEP: 12288:v+aWRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:vBPBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (2 IoCs)
- PID 4776: Logo1_.exe
- PID 2168: b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe)
- File created: C:\Windows\Logo1_.exe (b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Logo1_.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeRestorePrivilege, PID 2168 (b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe)
- Token: 35, PID 2168 (b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 3452)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe (PID 2200)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3364)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 888)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 4920)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBB70.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe (PID 2168)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Logo1_.exe (PID 4776)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4164)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4060)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 4524)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4480)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 250KB
  MD5: 34bed1754d18866317944f88b9a13c9f
  SHA1: c9774fe369bc0edbb99a6e999bafb5a4f280d8cb
  SHA256: 3a7342b0c06602627cfeea77a6028b6d9a9f5c67a26f0569c3045ee83fa1a913
  SHA512: 120f42e83af30aa17637646de8e1a71e0ba35d2ccfdcd4f784a78c32f1b71014ebfa5fbe8e940bdad49de55f8c2c03d35de4eccc2122fca6bd50b830d0822fec
- Filesize: 577KB
  MD5: 2f496ad343c36da3dc6ffa51ac2da7b1
  SHA1: a6af11506b717df5b91760caafd380b8ccb2c7fc
  SHA256: ef49d4788538d4f0785387e4a63634a54a7e39a7176da544202fe189e50be7fd
  SHA512: eb9e7318f0a464d9284a3d4629f9808180f09df312bc0223eb3bf89177fb1783f956b00de3a6b98af3c23bd3deb72556fd09c3fe160ee9f93e56571013bb68e8
- Path: C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 643KB
  MD5: 408712704306e27135339f85cf53d4e6
  SHA1: 9e76febdb633e7fe4d841b3319104a459e7260d4
  SHA256: f5c5383d16bc30c38d4ffd13cfa81a8c91577ef9624ebe20571b5ba457e3e573
  SHA512: 381d9955ef1ad6d5f01220aac314ba56d33a312a00c45bd24609769036bedd9d223981352a289dcff6bf4b97728eff03efb75696e4829d4e7d0aa40bf53ea7d8
- Filesize: 722B
  MD5: b6e4f775294d8e75e5353959439182d3
  SHA1: 18c0abdb5da7dae014c5470fd2c20f5963eec9b7
  SHA256: 208b2d1d5a3a016fe5b3c6c07397014dea6fa71e03c06f0b0daeb98526e9fa05
  SHA512: 110b84d0f27c2b462afb7a92722e48b8ee5ce66511555b276c2043382bd3c70d2aada75e76c50743a32ba3a0eee1c944eea03d9a16cb2dd07f692ecadaecd2c8
- Path: C:\Users\Admin\AppData\Local\Temp\b6227408df6a45bb24ae89b2cbf4aa6e387334a612532ce80828dd150f104226.exe.exe
  Filesize: 930KB
  MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
  SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
  SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
  SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057
- Filesize: 33KB
  MD5: 7e619692b53866243cf3f4bcd669d555
  SHA1: 5a8429b110acd43c0ddb3f101eac0bf55afb402b
  SHA256: d33a86247c1731fc2f4acd320bd281542e708ae43ffdb05ee62a89f50bf034ff
  SHA512: e7d65a2f4fa9e54b2f3445cc3c51d2e442e42ea1132b77c8fe0abf67052eb75a32414e02b10cd172e62b84996898c7dffa1e88496a1b5441dd3fb5059a320421
- Filesize: 8B
  MD5: 5894100cc85ef83f995c15a4d7fce813
  SHA1: 55d61ce36a76e549348eff08abae3e32e96b8123
  SHA256: 4912abab5bf4a890230f6c060bcae7827f96d9ffcf6025852967b53a65fc315d
  SHA512: 248346b25ea49cbaaa8bbd25f2fb26ad59c3f1ba650efd4e9eda9b32d1e918292bab3e5f1b19d92543d416cfe9d8a0b49d09f1eebcdca085a031e8238d461655