3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
Size

1.3MB
MD5

d97b94e65f03e12e9cda0ba06ac6731e
SHA1

ff27078795b25c6f241d6cfcb103380168d7bbec
SHA256

3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1
SHA512

84360f892fa1d956a994698ee0be506023d6edc5dd64778f54a53daf55ce3171e1f40a58b847761f0a0ceb28d96ab8bab3ed7b78ed412653f1c4e9beb4ef96d5
SSDEEP

24576:/UUR5kbjnCciOinOjLldsBjt8t2R8jpfZIg4mw6Ns/pZmBZOlnLyAuvTkM0XMXgl:/UGILDcO/fsBmLjRw6qpZmBZWyLaXMXQ

Score

7^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
116	Logo1_.exe
4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
3804	msninst.exe

Loads dropped DLL 1 IoCs

pid	Process
4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
3428	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSN\MsnInstaller\SETB73C.tmp	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSN\MsnInstaller\SETB74F.tmp	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A64CD22E-7976-4E35-AF61-1C7DBC1F5743\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
File created	C:\Windows\Logo1_.exe	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe
116	Logo1_.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3948	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	83
PID 4544 wrote to memory of 3948	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	83
PID 4544 wrote to memory of 3948	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	83
PID 3948 wrote to memory of 4988	3948	net.exe	85
PID 3948 wrote to memory of 4988	3948	net.exe	85
PID 3948 wrote to memory of 4988	3948	net.exe	85
PID 4544 wrote to memory of 3280	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	89
PID 4544 wrote to memory of 3280	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	89
PID 4544 wrote to memory of 3280	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	89
PID 4544 wrote to memory of 116	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	91
PID 4544 wrote to memory of 116	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	91
PID 4544 wrote to memory of 116	4544	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	91
PID 116 wrote to memory of 3004	116	Logo1_.exe	92
PID 116 wrote to memory of 3004	116	Logo1_.exe	92
PID 116 wrote to memory of 3004	116	Logo1_.exe	92
PID 3280 wrote to memory of 4820	3280	cmd.exe	94
PID 3280 wrote to memory of 4820	3280	cmd.exe	94
PID 3280 wrote to memory of 4820	3280	cmd.exe	94
PID 3004 wrote to memory of 2368	3004	net.exe	96
PID 3004 wrote to memory of 2368	3004	net.exe	96
PID 3004 wrote to memory of 2368	3004	net.exe	96
PID 4820 wrote to memory of 3428	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	99
PID 4820 wrote to memory of 3428	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	99
PID 4820 wrote to memory of 3428	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	99
PID 4820 wrote to memory of 3804	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	100
PID 4820 wrote to memory of 3804	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	100
PID 4820 wrote to memory of 3804	4820	3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe	100
PID 116 wrote to memory of 2496	116	Logo1_.exe	101
PID 116 wrote to memory of 2496	116	Logo1_.exe	101
PID 116 wrote to memory of 2496	116	Logo1_.exe	101
PID 2496 wrote to memory of 1420	2496	net.exe	103
PID 2496 wrote to memory of 1420	2496	net.exe	103
PID 2496 wrote to memory of 1420	2496	net.exe	103
PID 116 wrote to memory of 3588	116	Logo1_.exe	56
PID 116 wrote to memory of 3588	116	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
  "C:\Users\Admin\AppData\Local\Temp\3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3B0.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe
      "C:\Users\Admin\AppData\Local\Temp\3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe advpack.dll,LaunchINFSection campaign.inf,DefaultInstall
        5⤵
        System Binary Proxy Execution: Rundll32
        System Location Discovery: System Language Discovery
        
        PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3804
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
60268b7b1db590bd8be291cd1cbecd45

SHA1
2b734b43bc488992dddcfdc6d8c218a3573e1e8e

SHA256
f9161f95dd8e9275df931e118b856b98b0cb9364a879a8e3da1e05e2af9b3589

SHA512
ac4188bbeef37afc9aadbc3a87920dd6548b88dd7544eba6f3b6e81c867a9c390a9e8de2814ef5e4d30652faebb807eec01bc44acccf48fc63cc2b79762b4f07

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
25ca0916c72125a8313ba64b101fd969

SHA1
9395d8a9e44400208b8479b23521b69478e5441e

SHA256
24ca419f3ef5d9b126e5c8a8dd04493de280adbda0a9f14e8a694d7ee6b6222b

SHA512
de5482d5dd6fd7a00452ffbb5eb1b4c29d9f18d150092f8e610b51a70f9b9a71ab1576bfac267a6c5ae1656055f6ddf2e7c436b366f75800edeb5e08bba7c26c

Download Submit
C:\Program Files\MSN\MsnInstaller\msninst.exe

Filesize
163KB

MD5
2aa9bd585f047d9f981d634a3c7dec2c

SHA1
42b63e544ca6e579eea9d43e90281682af126696

SHA256
44598a1a4d88df3728b80db7b2cb3b3f355429fc2fc6d41d3ec1ee0b1508860d

SHA512
8e202682169cb43b42bff5edb5f7ec8dedabd47400859ecc66a1770deec53597d10a3935d1f7bc981d8a62dd481e22f79ac3ee70ed14b142b14a099be8ff3d2a

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
9044b8cb7dee805474f46fdff328cebb

SHA1
1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2

SHA256
62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618

SHA512
4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB3B0.bat

Filesize
722B

MD5
d9936b82eb383e61588bffeeaa53c0e3

SHA1
7a5424606c2bf3d12adb7ad76b1ca0b52cddbf72

SHA256
4e3b9ef59f4be1f6d897d3b145a21d28a93808ad96c5fe714411c66847842dca

SHA512
979b9d99db45073cf0e56749bdb4b8257e1f4244ad375bdfc2d1ec9b4ff0e9bb7d2b390d6c009b31b0d86696717f82db102066b73704ae4e8e745b0ea8217a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\3550f493dc5f2f6b0a61b8a02b419382efd6f175da82dd4296b6531564b02aa1.exe.exe

Filesize
1.3MB

MD5
14a1e5a8cfef5f18b96540c1fb52ccb2

SHA1
5a0014e4a255c8be2fe3548bb32767bb05408ff0

SHA256
4ecd3f8b60c60870cdd67abf319b373c3438bb7bceac46209b2c87bd5e73a3f6

SHA512
dc5113345692c1d6ad46fcade300d0e69613e37c6ff5a1cc5cf83bda2a5605f24890de89c22d218d319d9145dcddb37c4c50fcfd7e1cabd3750f18e9a4ce9096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
90KB

MD5
0ac28de5e930e8a52ad6b163c5473412

SHA1
25371c9d876959cb58b50c25ad709cf98dde45bb

SHA256
06eed244d89f6e15205d5beb8085ac33c0de486dfe30eec9fb73b91de07e5f62

SHA512
c2c82449927cac953668142a3f597c06626b0b3a26e8036de34e4ca1042a572fa3befa799d43fb24a1d23c821b5ed7994e3d211b6aaced15ba31d4639e96d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsnInst.dll

Filesize
244KB

MD5
8d26ec464de935561c221407c40cd4ac

SHA1
d7a729baa54a2aa8de08e0fe478c5c07cc490e55

SHA256
30714be137b7b648b0c3aa2a7410467289b53a8e2601f8c208a3613e1d31d0f0

SHA512
7d92bf3527c896b48f1e14e318fe086276cbd271b1d212965c87a75ad4ad4560c9e48d58f5138599695489bd3d759c577bedd4e9d7413522c7a16219dfb21de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\campaign.inf

Filesize
1KB

MD5
c4fb756abc97776beeb4ffa65303c843

SHA1
12b4e5c25a718020086608b72bf96b5bb513f8ed

SHA256
80ed31ae5890469ee38fe7b950149e2f488344d892f1ef5ac3dc3e7ff3de2d6c

SHA512
7695f79d44eb84fc08b2b7d8911916661db5ac4dbef91e77c9730ba84c576a1474cbcf18d9f155cd9ae2e74a0a33c88ed413c662a598dc045e1a6d246821be1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iasvcstb.dll

Filesize
26KB

MD5
de63b3678f314fd74da0cf343c5860ae

SHA1
389bc0a0004feec9b089f993b1f9084716874b44

SHA256
ace81690c98cb396758dc016a76b77706924dd3a8598b3a0492bc12edb9af153

SHA512
43d63cdfcb5d2d96df0d0715ce24fdeed4fb8ef7e4530a640b5472c444a57e2045c3ef044a1f0c693c40d5c8d40eee4263010895d6c3b9101bd08c60baa76710

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.mar

Filesize
516KB

MD5
9229c34063391d37c7643ba38b5c4f09

SHA1
512b0b599b92fdcd35fc9571713947dd5978592f

SHA256
2143c7a5aa2f9d321fbd902d80ac43f4fe9c684d2e5a55fbc686820e06261d9f

SHA512
96847f62f94b2527ee03ae4699f219e1a1575190f622d98aee83c48a92839c49c188bf005b46bae49232376b59b39b5397d3569c64559def85b98582d1e00c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdbxi.dll

Filesize
82KB

MD5
d44eb3849bd5bab21356a41a94c8f868

SHA1
88273eb0af7657655df71d608fe93734b112559a

SHA256
2c2b10bb87662d1d61916784106a82cff510add0972112a9a14c03927b2d0846

SHA512
d8d9f5ad1de64b584dc06cf683f8b83b2af99c57768898ed7b627c3ee9fbe13b17e7166e556378806026e7b2d21e1a299431044bac6e7125f0f090b7a26d3a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnihc.mar

Filesize
21KB

MD5
64ec522096f2fd6f6258745e72215d8f

SHA1
471fc3fd3728b649beb4f4a8e4010f48846b834c

SHA256
65118f920c6912e6a7dc6325698570fc7fa79beeb64d6204e6ca93f68ae0f692

SHA512
691bd4e9016d97a87ac974d2ea8a6d6fd62bb3de6bceb257dad59df3a27c8d67b4b9524572a3ab9e9dd09c667a75e4a809fa83c2335900d58255edface015c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnilc.dll

Filesize
31KB

MD5
82836e35011754a1738b25c4904e1137

SHA1
79e7b001ac214d9551562f8a1f4883b441a59502

SHA256
3f0e18479c7f8f75045d88605bbfa290663092464816739080b21b02d61f2588

SHA512
66aaef095440129d79c858e362241bd63f64a8074a08cadda37835ae91399bc490c490278bf51e84be1b7f427f8a11a2a20f97f6c969d431962f8719d1bcaeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe

Filesize
129KB

MD5
c8e284efba3b50c9216dbe552d24f5b0

SHA1
c76b65dd211e03a2a53f57d87cc90df61b0ab10f

SHA256
66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a

SHA512
42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnitd.mar

Filesize
62KB

MD5
1ecf3b523c89ba2eb75c5ad8af347ebe

SHA1
d890967ddd05585c742d2ef18e4b0c5795db1334

SHA256
35f135fd9c04cdaf78bad191872cc1aa9cc38056f7c76ba29f0669be9e07210d

SHA512
5fb8ca6245a033b12f234960223e146e743ccae7af73ecacb1a7d3826db656219f78242d49b5ee6d51cd5ae6f178b10c27ba3f6d6cdd9336590e4b1ccb5ad065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnms.ico

Filesize
24KB

MD5
bca0ee599ffc56c533585e9026b3b58c

SHA1
ae5849eac5db2a69f09350fb455d50f16774290e

SHA256
090ee05cef8113594959c4ba3d992eb1e5d2effb7f71ba8854adee27b8b6cf95

SHA512
5f7384af5a527f6cba3e8f04b5ab9314f1e8abbcbe4a3b57d2c8fa9939f926e8f7d64529dabd3912b1e41a95671ec4504f6a9c9ad341ef8e455371997863f2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsign.dll

Filesize
746KB

MD5
ffb0a9a7208b773c1fd469bec18a9185

SHA1
26a15559f6139eab67b76446f36d2ebdb87e569c

SHA256
ccec6240c7a188e55156476d1bfcd06722c36bd7555f28845d747493529093d5

SHA512
9a019efb4d62f24ef979102e889c7aed6f49d213dbc362990ea2af8ec5957687e887883c234ee1026ebd20b4095209dfffa62da5f998d8ba0d29e75ed0a77bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsusi.inf

Filesize
5KB

MD5
9433366f4264f97cd01e7b29bb00bd94

SHA1
b064e88c8030cc986ac59c690e7eabc889541ce4

SHA256
581a7e5bcf20a47f55e980b3b35e3881d72bb8c65f380857831906c9e6e332fd

SHA512
aae48f610cdf02e30527a02ac83891505683e42ad5131029a18a4b1076912b10ddacee499ffecf5b24f95facb174afb920eb3de7ee4559a0250b0686da64404f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unicows.dll

Filesize
239KB

MD5
e1102cedf0c818984c2aca2a666d4c5f

SHA1
d8d88ea7083aee9c40f6fdc6c56451a018d21a83

SHA256
22f23cc65698741184ec34f46e6f69717644e0b5aabf5d5bd015101f2d72e56e

SHA512
e58b35815801d6d3797f95c986834d2ca5450ccc3f1fa1d27d127a8d1d36f8e21279173715a00686c9c831d22d7c5b5b9cc5874170223a4d78f09c4eefa390a2

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
9fd9ba751e949c130d66fe9a3ea6248d

SHA1
c39ed606f3afb966b21147079c8c7407732cd29a

SHA256
1b6840fc07e4e63f663e72e82e7d6dfbcead0894ad5103a500b1689cc9d4eac6

SHA512
f2fca4862e5abd737f4b8d2b43246b15f4e0029159e90a100baa44a54468734bdbaf3b348dea18ed8c4d953183a4b9fd42c5918b71263d6ae8bea6f7305b17f0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini

Filesize
9B

MD5
e2a14c19421b289cbd51a76363b166bd

SHA1
5d0621d68da5a444f49c090b0725c7044d47fdb7

SHA256
844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

SHA512
8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

Download Submit
memory/116-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-3375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-9019-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download