9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
Size

26KB
MD5

74da81c0eebadc189825e2c31950e5be
SHA1

4c59523c588fb5ef5cf9b0b8632a2149e6c40e9e
SHA256

9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c
SHA512

17a5b8132be558f994082573a08a1d1e9e2147c31b1a52aa652addaf8470f141f3244e6515c5f001a39ea898fdccd58f94601a2fcab66073ce44d62ac63d5420
SSDEEP

768:uc1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:DfgLdQAQfcfymN

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\O:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\M:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\K:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\J:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\H:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\Y:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\U:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\P:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\W:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\V:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\R:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\I:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\G:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\E:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\Z:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\T:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\Q:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\N:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\L:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened (read-only)	\??\X:	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-high\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\dotnet\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-GB\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1812	1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe	82
PID 1308 wrote to memory of 1812	1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe	82
PID 1308 wrote to memory of 1812	1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe	82
PID 1812 wrote to memory of 64	1812	net.exe	84
PID 1812 wrote to memory of 64	1812	net.exe	84
PID 1812 wrote to memory of 64	1812	net.exe	84
PID 1308 wrote to memory of 3492	1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe	56
PID 1308 wrote to memory of 3492	1308	9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe
  "C:\Users\Admin\AppData\Local\Temp\9ff20b9a88231037194ae68ac2ee2fa77c9da20180a67416a9a89bd8a3fd1f9c.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
26e744e5260a0b113d63e25c4ca833bf

SHA1
2679b14d95d5f15c375ed8cead4d0f47cfc6fcf3

SHA256
2ab2d58e675acc37aaaabcfeb1cf16956292d1dfcc0e84e3df2f6d1263e0d0d6

SHA512
ae37fc282508d362084a3c35a1f7bf1af0bee0a4dba6fe71d5ab5f096d3336c2b94004a5df4b99856507d8a4741f843fd896ee1ed06705c213f74fc4cbdfaf76

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
100f44b5cb9c0c4678257829332da943

SHA1
63e7a54676cd196938cbf8940c4b7b64abd03541

SHA256
0a2d967bd3d61159509be94b52e34190d1be733d22d6855abb308116c35fa99d

SHA512
977e28fca62322032d92063f073b5d1267d2445828b331495f31f04b8946545b4c9c5966793a94b50bd238d59c6db32933b28fd531d5843e132ec937bbd6f8f9

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
53ee62011469b286a2a1b5658c86b9bf

SHA1
9bdac0b23b0a965947c780c6a6b48fc7122f9ade

SHA256
7125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0

SHA512
c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2412658365-3084825385-3340777666-1000\_desktop.ini

Filesize
8B

MD5
5d65d1288c9ecedfd5f28d17a01a30bc

SHA1
e5bb89b8ad5c73516abf7e3baeaf1855154381dc

SHA256
3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

SHA512
6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

Download Submit
memory/1308-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-4777-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-5222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download