Analysis
max time kernel: 149s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 09/09/2024, 12:33
Static task: static1
Behavioral task: behavioral1
Sample: 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
Resource: win7-20240903-en
General
Target: 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
Size: 162KB
MD5: fdc4ccf051dfa97ad0cd53aaf0c9e2c2
SHA1: ccba52a6bce96ee82a1dce6af087c44f76d3b9b7
SHA256: 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de
SHA512: 97945528870a899a33231900a361ff971b9b7cc7d5cbb7b241b826d37b5162dc68538e0e3bfe208e49d51098c9cf2d03c30dc00ffee9be108cea41b0444e9400
SSDEEP: 3072:KCwe+a0QekqnwLD9m0WjfuRRfEdj4E3f90bC:Tl+a0Qek9if1Vv+W
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 2 IoCs
pid | Process
3800 | Logo1_.exe
4968 | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Media Player\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Security\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Security\BrowserCore\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini | Logo1_.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
File created | C:\Windows\Logo1_.exe | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2224 | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe (repeated entries, one per enumeration event)
3800 | Logo1_.exe (repeated entries, one per enumeration event)
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 2224 wrote to memory of 4564 | 2224 | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe | 83 (3 entries)
PID 4564 wrote to memory of 5116 | 4564 | net.exe | 85 (3 entries)
PID 2224 wrote to memory of 2236 | 2224 | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe | 89 (3 entries)
PID 2224 wrote to memory of 3800 | 2224 | 0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe | 91 (3 entries)
PID 3800 wrote to memory of 1008 | 3800 | Logo1_.exe | 92 (3 entries)
PID 1008 wrote to memory of 2908 | 1008 | net.exe | 94 (3 entries)
PID 2236 wrote to memory of 4968 | 2236 | cmd.exe | 95 (3 entries)
PID 3800 wrote to memory of 1844 | 3800 | Logo1_.exe | 97 (3 entries)
PID 1844 wrote to memory of 2552 | 1844 | net.exe | 99 (3 entries)
PID 3800 wrote to memory of 3488 | 3800 | Logo1_.exe | 56 (2 entries)
Processes
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  PID:3488
  C:\Users\Admin\AppData\Local\Temp\0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2224
    C:\Windows\SysWOW64\net.exe (level 3)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4564
      C:\Windows\SysWOW64\net1.exe (level 4)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID:5116
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79F3.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2236
      C:\Users\Admin\AppData\Local\Temp\0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe (level 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe"
        - Executes dropped EXE
        PID:4968
    C:\Windows\Logo1_.exe (level 3)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:3800
      C:\Windows\SysWOW64\net.exe (level 4)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1008
        C:\Windows\SysWOW64\net1.exe (level 5)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID:2908
      C:\Windows\SysWOW64\net.exe (level 4)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1844
        C:\Windows\SysWOW64\net1.exe (level 5)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID:2552
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 577KB
MD5: 2d550858ef40975332a11d37c322fd9d
SHA1: 2b8dae63545cf5a8aeaa3db37b2e1fa67c3b43cc
SHA256: b97690f24fe742ce51326dd520f580b5798c35e023c63fea6416a756c356a6b1
SHA512: a46d8fabdaa99e2db4f8f3c2d88aafea655ef544cc2301466e8a09b0c626ea8aac2a9b382e938f90460044306c73005a1cf3f51e7c63dcf8e16f37ec570b49f6

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: 29bab5fa7dbfd951e1c8290a8f4c2ba7
SHA1: 7b86728d64cef9686bd45f2ff6fdc818c11a1bbb
SHA256: dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b
SHA512: 5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

Filesize: 722B
MD5: 694e8625b5537c0d6be013bb70cdc49a
SHA1: 3466fab4a68d0e0e6e33c4f0a38fe4ba9a0b7583
SHA256: d438a01568d700cd1fdda2a32c0869ec26fad3c25fb0d2d96116515760952bc6
SHA512: 2b55fb647ad7980f970bea109ab33d81b431a11e6e7f31229b5fd6b921172441a8f5630d8f6d7fc4b2a46918cf61ef988c4385f5ba67178d253dba643762e08e

C:\Users\Admin\AppData\Local\Temp\0f9f1199ab94594f132138a461a2b8fc17cbf512a0b194c4b8f845bbe1ab96de.exe.exe
Filesize: 129KB
MD5: 11111df26aba5a177fbd3ff2821a9e5d
SHA1: dba82329673e02dd99adbeb2d20538d10b6f484a
SHA256: 25e0e882cca2fc89942924ae208abf9059fe3f8bd87a16f788f8aad1f61521df
SHA512: 4d814017ce21b06208b5cd6814d40e801283a41216ea27986a88af50d2d61d23e9c54c0aafe6a8c509a94d156c59fb3dc8f46b902bcbc5acd185a712d31b2034

Filesize: 33KB
MD5: 1c1a54d9be781116b0eeb13e29df2877
SHA1: 27bf3d81ae73403cff58875a67d86e9cd4b83aea
SHA256: b05922fc1a2cf17f5d94a22c68dfff012367469cfc4c601eeba26e9622de0308
SHA512: 7490c11f6e66164fe42a8bcc2488fb6d92d492b6eb7b1548d221fe61c9495cad8b740a613041c6bac91c4bc88d4c40155057c03315b5d4c7fe3241b37364703e

Filesize: 8B
MD5: 5d65d1288c9ecedfd5f28d17a01a30bc
SHA1: e5bb89b8ad5c73516abf7e3baeaf1855154381dc
SHA256: 3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f
SHA512: 6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e