Analysis
max time kernel: 149s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 13:40
Static task: static1
Behavioral task: behavioral1
Sample: 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe
Resource: win7-20240704-en
General
Target: 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe
Size: 761KB
MD5: 721be930c45d7bee226f8e8e326d6b6b
SHA1: 53b405f53e159143483ae5c02712d910f58f3d8a
SHA256: 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204
SHA512: 22cf8b5d7b9b38f4f86e38733f4c4fb20573a037127a912c3c7fa4f3b3c2855e657fe13a9172bd661804a8a40142fac586ddb815c4870d5ba1a8f7abbbb2e1f7
SSDEEP: 12288:Tl+aFGboup+VHKBX3jbgS/Wg0MIn7ou8XBKsHKZycUQUfXJvA:pBF2kHKlzcS/0MInsu8uZycUfvA
Malware Config
Signatures
Drops startup file 2 IoCs
Both entries are by Logo1_.exe and target Word's STARTUP folder, from which Word loads add-ins and templates at startup:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini

Executes dropped EXE 2 IoCs
PID 1316: Logo1_.exe
PID 1984: 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe (the sample's own path; it counts as a dropped EXE because the file at that path was written during the run before the cmd.exe branch of the process tree re-launched it)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report lists no IoCs for this signature, only the technique mapping.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 21 entries are read-only opens by Logo1_.exe of the drive roots E: through Z:, with F: the only letter in that range not touched:
\??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory 64 IoCs
All 64 entries are by Logo1_.exe (64 is the report's per-signature display cap, so this is a sample of the activity, not the complete set). Almost all are _desktop.ini markers written into application directories; two entries are existing executables opened for modification (pwahelper.exe and wab.exe), which is file-infector behaviour rather than marker placement.
created = File created, modified = File opened for modification
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini
modified: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe
created: C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini
created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini
created: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini
created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini
modified: C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini
created: C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini
modified: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini
modified: C:\Program Files\Java\jdk-1.8\bin\_desktop.ini
modified: C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini
created: C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini
modified: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini
created: C:\Program Files\Microsoft Office 15\_desktop.ini
modified: C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini
created: C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini
created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini
created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\_desktop.ini
created: C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini
created: C:\Program Files\Microsoft Office\root\Office16\_desktop.ini
modified: C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini
modified: C:\Program Files (x86)\Windows Mail\wab.exe
created: C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini
created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini
modified: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini
modified: C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini
modified: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini
modified: C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini
modified: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini
modified: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini
modified: C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini
modified: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\_desktop.ini
created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini
Drops file in Windows directory 4 IoCs
File created: C:\Windows\rundl132.exe, by 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe (note the look-alike name: rundl132 with a digit one, imitating rundll32.exe)
File created: C:\Windows\Logo1_.exe, by 29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe
File opened for modification: C:\Windows\rundl132.exe, by Logo1_.exe
File created: C:\Windows\Dll.dll, by Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 10 entries are opens of the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
net.exe: 3
net1.exe: 3
cmd.exe: 1
Logo1_.exe: 1
29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe: 2
The report's own attribution shows the limits of this indicator: cmd.exe, net.exe and net1.exe read the same key in ordinary use, so it is supporting context rather than something to alert on by itself.
Runs net.exe
net stop "Kingsoft AntiVirus Service" is issued three times (PIDs 3852, 208 and 5092 in the process tree), once by the sample and twice by Logo1_.exe, each time through net.exe handing off to net1.exe. Stopping a named antivirus service before continuing is a defense-evasion step; the report does not record whether the service exists on the analysis image.
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 entries are attributed to two processes, one entry per enumeration call: PID 1100 (29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe) and PID 1316 (Logo1_.exe).
Suspicious use of WriteProcessMemory 29 IoCs
writer PID (process) → target PID (process, from the process tree), procid_target, times the entry is repeated in the report:
1100 (29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe) → 3852 (net.exe), 83, ×3
3852 (net.exe) → 3012 (net1.exe), 85, ×3
1100 (29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe) → 1424 (cmd.exe), 89, ×3
1100 (29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe) → 1316 (Logo1_.exe), 90, ×3
1316 (Logo1_.exe) → 208 (net.exe), 92, ×3
208 (net.exe) → 4248 (net1.exe), 94, ×3
1424 (cmd.exe) → 1984 (29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe), 96, ×3
1316 (Logo1_.exe) → 5092 (net.exe), 97, ×3
5092 (net.exe) → 2512 (net1.exe), 99, ×3
1316 (Logo1_.exe) → 3480 (Explorer.EXE), 56, ×2
Every entry except the last is a parent writing into a child it has just created. The write from Logo1_.exe into Explorer.EXE (PID 3480, the parent of the sample in the process tree) is the only one that is not part of process creation and is the entry to treat as a code-injection candidate.
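The behaviours listed above can be turned into host-telemetry detection logic. The following is an added example, not code from the Triage report or from the sample: a small Python rule set run over constructed Sysmon-style events whose paths, PIDs and command lines are copied from the report's tables, plus two constructed benign events as controls. The event schema, the rule names, the "anti virus" service-name pattern, the look-alike binary list and the threshold of three marker directories are all assumptions; tune them to your own telemetry.

```python
"""Detection rules for the behaviours in the Signatures section.

Added example, not part of the Triage report. EVENTS are constructed
Sysmon-style records; their paths, PIDs and command lines come from the
report, the schema and the rules are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe"


@dataclass(frozen=True)
class Event:
    kind: str     # "process" (target = command line) or "file" (target = path written)
    pid: int      # acting process
    image: str    # acting process image path
    target: str


# Constructed from the report's IoC tables (not raw sandbox output).
EVENTS = [
    Event("process", 3852, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Event("process", 3012, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Event("file", 1100, SAMPLE, r"C:\Windows\rundl132.exe"),
    Event("file", 1100, SAMPLE, r"C:\Windows\Logo1_.exe"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Windows\Dll.dll"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Program Files (x86)\Windows Mail\wab.exe"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Program Files\Java\jdk-1.8\bin\_desktop.ini"),
    Event("file", 1316, r"C:\Windows\Logo1_.exe", r"C:\Program Files\Microsoft Office 15\_desktop.ini"),
    # Constructed benign controls: a real rundll32 start and Explorer writing a desktop.ini.
    Event("process", 4000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    Event("file", 3480, r"C:\Windows\Explorer.EXE", r"C:\Users\Admin\Desktop\desktop.ini"),
]

# Assumed list of system binaries that dropped files are commonly named after.
SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
AV_SERVICE_RE = re.compile(r'\bstop\s+"?[^"]*anti\s*virus', re.IGNORECASE)
MARKER_THRESHOLD = 3  # distinct Program Files directories receiving _desktop.ini


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the system binary a name imitates (distance exactly 1), else None."""
    name = name.lower()
    for sysname in SYSTEM_NAMES:
        if name != sysname and edit_distance(name, sysname) == 1:
            return sysname
    return None


def detect(events):
    """Apply the rules; return a sorted list of (rule, pid, detail) findings."""
    findings = set()
    marker_dirs = defaultdict(set)
    for ev in events:
        if ev.kind == "process":
            if AV_SERVICE_RE.search(ev.target):
                findings.add(("av_service_stop", ev.pid, ev.target))
            continue
        p = PureWindowsPath(ev.target)
        parts = [s.lower() for s in p.parts]
        # Executable or DLL written directly into the Windows root.
        if parts[:2] == ["c:\\", "windows"] and len(parts) == 3 and p.suffix.lower() in (".exe", ".dll"):
            findings.add(("windows_root_binary", ev.pid, str(p)))
            imitated = lookalike(p.name)
            if imitated:
                findings.add(("lookalike_name", ev.pid, f"{p.name} ~ {imitated}"))
        # Anything placed in Word's STARTUP folder is loaded when Word starts.
        if "\\microsoft\\word\\startup\\" in str(p).lower():
            findings.add(("word_startup_drop", ev.pid, str(p)))
        in_program_files = parts[1].startswith("program files")
        # An existing executable under Program Files being rewritten: file-infector behaviour.
        if in_program_files and p.suffix.lower() == ".exe":
            findings.add(("program_files_exe_modified", ev.pid, str(p)))
        # _desktop.ini markers spread across many Program Files directories.
        if in_program_files and p.name.lower() == "_desktop.ini":
            marker_dirs[ev.pid].add(str(p.parent))
    for pid, dirs in marker_dirs.items():
        if len(dirs) >= MARKER_THRESHOLD:
            findings.add(("mass_desktop_ini_markers", pid, f"{len(dirs)} directories"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The NLS\Language registry read is deliberately not a rule: the report's own attribution shows cmd.exe, net.exe and net1.exe triggering it, so on its own it only adds noise. The two control events produce no findings, which is the property to preserve when tuning the threshold and the look-alike list against your own baseline.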
Processes
Indentation shows parent/child; the signatures hit by each process follow its command line. The net.exe, net1.exe and cmd.exe images resolve under SysWOW64 because the sample is 32-bit (WoW64 file-system redirection of the system32 paths in the command lines).

C:\Windows\Explorer.EXE (PID:3480)
    command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe (PID:1100)
        command line: "C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe (PID:3852)
            command line: net stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe (PID:3012)
                command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID:1424)
            command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D49.bat
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe (PID:1984)
                command line: "C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

        C:\Windows\Logo1_.exe (PID:1316)
            command line: C:\Windows\Logo1_.exe
            - Drops startup file
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe (PID:208)
                command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe (PID:4248)
                    command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\net.exe (PID:5092)
                command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe (PID:2512)
                    command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
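The WriteProcessMemory table and the process tree together support one check the report does not make explicitly: which writes went into a process the writer did not create. The following is an added example, not code from the Triage report or the sample. It parses the table text exactly as it is flattened on the page, counts how often each entry recurs (the report logs every parent-to-child write three times), and uses a parent map transcribed from the process tree to flag the single write that is not parent-to-child: Logo1_.exe (PID 1316) writing into Explorer.EXE (PID 3480). The parent map and image names are taken from the tree; the parsing regex and the rule are assumptions.

```python
"""Parse the report's flattened WriteProcessMemory table, rebuild the process
tree, and flag writes into processes the writer did not spawn.

Added example, not part of the Triage report. WPM_TEXT reproduces the
report's table text; PARENT and IMAGE are transcribed from the process
tree; the regex and the cross-process rule are assumptions.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe"

# Child PID -> parent PID, as shown in the process tree.
PARENT = {
    1100: 3480, 3852: 1100, 3012: 3852, 1424: 1100, 1984: 1424,
    1316: 1100, 208: 1316, 4248: 208, 5092: 1316, 2512: 5092,
}
IMAGE = {
    3480: "Explorer.EXE", 1100: SAMPLE, 3852: "net.exe", 3012: "net1.exe",
    1424: "cmd.exe", 1984: SAMPLE, 1316: "Logo1_.exe", 208: "net.exe",
    4248: "net1.exe", 5092: "net.exe", 2512: "net1.exe",
}

# The table as it appears on the page, entries run together:
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
WPM_TEXT = f"""description pid Process procid_target
PID 1100 wrote to memory of 3852 1100 {SAMPLE} 83 PID 1100 wrote to memory of 3852 1100 {SAMPLE} 83
PID 1100 wrote to memory of 3852 1100 {SAMPLE} 83 PID 3852 wrote to memory of 3012 3852 net.exe 85
PID 3852 wrote to memory of 3012 3852 net.exe 85 PID 3852 wrote to memory of 3012 3852 net.exe 85
PID 1100 wrote to memory of 1424 1100 {SAMPLE} 89 PID 1100 wrote to memory of 1424 1100 {SAMPLE} 89
PID 1100 wrote to memory of 1424 1100 {SAMPLE} 89 PID 1100 wrote to memory of 1316 1100 {SAMPLE} 90
PID 1100 wrote to memory of 1316 1100 {SAMPLE} 90 PID 1100 wrote to memory of 1316 1100 {SAMPLE} 90
PID 1316 wrote to memory of 208 1316 Logo1_.exe 92 PID 1316 wrote to memory of 208 1316 Logo1_.exe 92
PID 1316 wrote to memory of 208 1316 Logo1_.exe 92 PID 208 wrote to memory of 4248 208 net.exe 94
PID 208 wrote to memory of 4248 208 net.exe 94 PID 208 wrote to memory of 4248 208 net.exe 94
PID 1424 wrote to memory of 1984 1424 cmd.exe 96 PID 1424 wrote to memory of 1984 1424 cmd.exe 96
PID 1424 wrote to memory of 1984 1424 cmd.exe 96 PID 1316 wrote to memory of 5092 1316 Logo1_.exe 97
PID 1316 wrote to memory of 5092 1316 Logo1_.exe 97 PID 1316 wrote to memory of 5092 1316 Logo1_.exe 97
PID 5092 wrote to memory of 2512 5092 net.exe 99 PID 5092 wrote to memory of 2512 5092 net.exe 99
PID 5092 wrote to memory of 2512 5092 net.exe 99 PID 1316 wrote to memory of 3480 1316 Logo1_.exe 56
PID 1316 wrote to memory of
3480 1316 Logo1_.exe 56"""

# \1 insists that the repeated writer PID matches, which rejects misaligned text.
ENTRY_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\1\s+(\S+)\s+(\d+)")


def parse_wpm(text):
    """Count every (writer, target, image, procid_target) entry in the flattened text."""
    return Counter((int(w), int(t), img, int(idx)) for w, t, img, idx in ENTRY_RE.findall(text))


def cross_process_writes(entries, parent):
    """(writer, target) pairs where the target is not a direct child of the writer.

    Parent-to-child writes are expected during process creation; anything
    else is a code-injection candidate worth pulling the target's memory for.
    """
    return sorted({(w, t) for (w, t, _, _) in entries if parent.get(t) != w})


def render_tree(parent, image, root):
    """Indented process tree, depth-first, children in PID order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image.get(pid, '?')} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    counts = parse_wpm(WPM_TEXT)
    print("\n".join(render_tree(PARENT, IMAGE, 3480)))
    for (w, t, img, idx), n in sorted(counts.items()):
        print(f"{w} ({img}) -> {t}  procid_target={idx}  x{n}")
    for w, t in cross_process_writes(counts, PARENT):
        print(f"cross-process write: {w} ({IMAGE[w]}) -> {t} ({IMAGE[t]})")
```

The same parent-versus-writer comparison applies to EDR telemetry where process-creation and cross-process-access events are separate streams: join on the target PID and treat any write whose source is not the recorded parent as the event to investigate.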
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run. Where the report gives no path, none is shown here. The 728KB file at the sample's own path (the one re-executed as PID 1984) is about 33KB smaller than the 761KB sample, the same size as the 33KB file whose path the report does not give. The windowsdesktop-runtime installer under Package Cache is a pre-existing file that was rewritten during the run, consistent with the executable-modification entries in the Program Files signature.

(path not given)
Filesize: 577KB
MD5: 2d550858ef40975332a11d37c322fd9d
SHA1: 2b8dae63545cf5a8aeaa3db37b2e1fa67c3b43cc
SHA256: b97690f24fe742ce51326dd520f580b5798c35e023c63fea6416a756c356a6b1
SHA512: a46d8fabdaa99e2db4f8f3c2d88aafea655ef544cc2301466e8a09b0c626ea8aac2a9b382e938f90460044306c73005a1cf3f51e7c63dcf8e16f37ec570b49f6

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: 29bab5fa7dbfd951e1c8290a8f4c2ba7
SHA1: 7b86728d64cef9686bd45f2ff6fdc818c11a1bbb
SHA256: dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b
SHA512: 5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

(path not given)
Filesize: 722B
MD5: 8352f3bba497de4cb95e67bb1c794e61
SHA1: 04e2a8967eac1c0085018b07f410e0aa989f9e9f
SHA256: 817990fd9769c875c4226a7bc0d899bc1074deee81e20f2ca51d2d041a14045a
SHA512: deb58ecb53afe8eb1439f952eb9576b47af6754ba39803f6adbb7d89acf25d49f07dbb2672203b61bc6fa694d842e333568ef2ba618a4e671d2a29e96043e54a

C:\Users\Admin\AppData\Local\Temp\29ec28b541b8a3fa310eaf97e9bd3c4a43a1e8dd93814255f3da8d32fb651204.exe.exe
Filesize: 728KB
MD5: 23e2fc0497edd8195bcae45a1389bf85
SHA1: 28d2f99739a49cb707f9348cd3195e234c853b1e
SHA256: 92d70a8fc07cee881009026759a8aaa5debfb64069038f610988719ed3630107
SHA512: 5ae4c17363aa70cd17532fcf76bdff86d2634956f6e0483e88a14b22ce3e6dd01ad233943409302ab3a858d9d9eddb1a5d6d376f48908b64ed655554abfb2b4c

(path not given)
Filesize: 33KB
MD5: 1c1a54d9be781116b0eeb13e29df2877
SHA1: 27bf3d81ae73403cff58875a67d86e9cd4b83aea
SHA256: b05922fc1a2cf17f5d94a22c68dfff012367469cfc4c601eeba26e9622de0308
SHA512: 7490c11f6e66164fe42a8bcc2488fb6d92d492b6eb7b1548d221fe61c9495cad8b740a613041c6bac91c4bc88d4c40155057c03315b5d4c7fe3241b37364703e

(path not given)
Filesize: 8B
MD5: 5d65d1288c9ecedfd5f28d17a01a30bc
SHA1: e5bb89b8ad5c73516abf7e3baeaf1855154381dc
SHA256: 3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f
SHA512: 6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e