56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
Size

26KB
MD5

47a4059e4e96f1dd6b4078106b7b532c
SHA1

db4eb7f4f961170dc3e892ccf7b2b70eac75f080
SHA256

56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8
SHA512

d25ccf6fbc53aa55c89bb5c0595cb42bbbf704375c2bb00135dbe34e01750b1bed1b08622858e54c44810558c08c86312e5c66d8a07002f0dac975a8d109d7d3
SSDEEP

768:E1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:OfgLdQAQfcfymN

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\P:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\M:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\L:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\K:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\H:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\G:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\W:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\U:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\T:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\O:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\N:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\E:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\Y:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\X:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\S:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\R:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\I:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\V:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\Q:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened (read-only)	\??\J:	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-tw\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 316	3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe	85
PID 3352 wrote to memory of 316	3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe	85
PID 3352 wrote to memory of 316	3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe	85
PID 316 wrote to memory of 972	316	net.exe	87
PID 316 wrote to memory of 972	316	net.exe	87
PID 316 wrote to memory of 972	316	net.exe	87
PID 3352 wrote to memory of 3388	3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe	55
PID 3352 wrote to memory of 3388	3352	56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe
  "C:\Users\Admin\AppData\Local\Temp\56ec518403d910b51e476b1f7be3a9a7e5584a1fb05182aac47d8b0b3a0b2ed8.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
4c49cc2f7373514d103316db61d35a50

SHA1
11d92cd5a5b6e96715e543ef48fc171bc305f0bd

SHA256
71f2b3063314624098e9b5665e31ea474d8b4ff369f0ecf7d29e6c9c657e37b4

SHA512
f5a8ad984ff3da9c5fcc7077e3c80e2a1dfe017c36ea5672ffac35c97b830395ae552c4575b7bbaa220931a38075f07fd20ba0039fa9cd6677e891eee7d1e6b7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
fa40e95c7772b5456c7fe4a2ab029552

SHA1
db188af4b890c3f232550330fbe247c8edce0108

SHA256
aecb020d2142d49f6cc259646628e0a59682e7785711e2c74298aa3232af9dbb

SHA512
e96adc1e514ed391a356a9de7b87263c36c135f8c32d4f9a57aea88abe3ed3deb22984728bcf988e9ad2b7d6cdc4d3b35f704fe3a925fe8dd4b1267595e6858a

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

Filesize
9B

MD5
cd0bf5c2efb8cc7ddbff2ab5d2cb7e87

SHA1
6830a1817f2055b6beba9063b87af16bbef7fa19

SHA256
d00701a279110fcafdaa6a9dcb36385845f9d2aac5b1ac1c52c015c61718dcbd

SHA512
6fabfd6bced63153d3dd6b376a92e824c95b15ef046607b89376a17c7ac863e92c95770ed86d8ecec3639d280dd6256a7ab1ec2d8119799fb3a479fbce96254a

Download Submit
memory/3352-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-4777-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-5222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download