Analysis
max time kernel: 150s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 17:29
Static task: static1
Behavioral task: behavioral1
Sample: 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
Resource: win10v2004-20240802-en
General
Target: 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
Size: 10.6MB
MD5: 97a32a01a45873ebda7a43e6f53957d7
SHA1: 34c492d2edbd2be2ee78baa67215216c2cae0f67
SHA256: 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84
SHA512: 535fc37bd0ecd9eb6756e7c4df56d028f590c1e9d85b4fde9eeb3516a56f1a31005f4f35175322b294b6f9d3422323b036a97c9308d4eb8fa920c0d087630101
SSDEEP: 196608:zbkeCT3rE8blQabAxLDoj4878Sx209LOv6Yhc1GShD9IJjc:47E8B7Ux3in78SxOFhc1GID9IK
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
- File opened for modification C:\Windows\system32\drivers\etc\hosts (19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe)
- File opened for modification C:\Windows\system32\drivers\etc\hosts (Logo1_.exe)
Deletes itself 1 IoCs
- PID 2656 cmd.exe
Drops startup file 2 IoCs
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE 3 IoCs
- PID 2388 Logo1_.exe
- PID 2560 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
- PID 856 msnsetup.exe
Loads dropped DLL 4 IoCs
- PID 2656 cmd.exe
- PID 2656 cmd.exe
- PID 2560 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
- PID 2560 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe)
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Logo1_.exe: \??\O:, \??\N:, \??\L:, \??\K:, \??\J:, \??\H:, \??\Y:, \??\X:, \??\W:, \??\T:, \??\S:, \??\R:, \??\P:, \??\V:, \??\Q:, \??\I:, \??\G:, \??\Z:, \??\U:, \??\M:, \??\E:
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
- File created C:\Windows\rundl132.exe (19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe)
- File created C:\Windows\Logo1_.exe (19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe)
- File opened for modification C:\Windows\rundl132.exe (Logo1_.exe)
- File created C:\Windows\Dll.dll (Logo1_.exe)
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: net.exe, net1.exe, net.exe, net.exe, 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe, msnsetup.exe, net1.exe, 19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe, net1.exe, Logo1_.exe, cmd.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
Suspicious use of WriteProcessMemory 55 IoCs
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1204
  - C:\Users\Admin\AppData\Local\Temp\19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe"
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 2400
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2972
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery
        PID: 2776
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5DF8.bat
      Signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2656
      - C:\Users\Admin\AppData\Local\Temp\19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\19d861f4519f308858ddf7eb097bf85b77690c43cf8de3088dc742b44ffb9a84.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2560
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsetup.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsetup.exe /q:a /R:N
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID: 856
          - C:\Windows\System32\pcaui.exe
            Command line: "C:\Windows\System32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {8164dbb2-ed0b-44db-8a22-270d5acf2c2a} /a "MSN Explorer" /v "Microsoft" /s "MSN Explorer has a known compatibility issue with this version of Windows. For an update that is compatible with this version of Windows, contact Microsoft." /b 1 /e "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsetup.exe"
            PID: 1800
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2388
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2568
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
          PID: 2544
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2416
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
          PID: 2228
Network
MITRE ATT&CK Enterprise v15
Downloads