cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
Size

70KB
MD5

5ce42790dbbc572aa1d68eea3fbf2645
SHA1

60a2d8518748855afc1a408d2fb288dafb7a4a3b
SHA256

cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27
SHA512

00d4975aab0b13bbfb6ffbcce5df485a926bb3efeab95af0595abaf146c5be1573fe8b735ab4713d98a5d89e3bff841cf2bbee4e78a0841fbbc38f978a0a4d80
SSDEEP

1536:2HvaYzMXqtGNttyeiZnZLYm1vriw+d9bHrkT5gUHz7FxtJ:2HvaY46tGNttyeQLYm1vrBkfkT5xHzD

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1412	Logo1_.exe
2900	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
File created	C:\Windows\Logo1_.exe	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe
1412	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 5004	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	83
PID 3736 wrote to memory of 5004	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	83
PID 3736 wrote to memory of 5004	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	83
PID 5004 wrote to memory of 1860	5004	net.exe	86
PID 5004 wrote to memory of 1860	5004	net.exe	86
PID 5004 wrote to memory of 1860	5004	net.exe	86
PID 3736 wrote to memory of 3560	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	89
PID 3736 wrote to memory of 3560	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	89
PID 3736 wrote to memory of 3560	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	89
PID 3736 wrote to memory of 1412	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	90
PID 3736 wrote to memory of 1412	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	90
PID 3736 wrote to memory of 1412	3736	cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe	90
PID 1412 wrote to memory of 4900	1412	Logo1_.exe	92
PID 1412 wrote to memory of 4900	1412	Logo1_.exe	92
PID 1412 wrote to memory of 4900	1412	Logo1_.exe	92
PID 4900 wrote to memory of 4392	4900	net.exe	94
PID 4900 wrote to memory of 4392	4900	net.exe	94
PID 4900 wrote to memory of 4392	4900	net.exe	94
PID 3560 wrote to memory of 2900	3560	cmd.exe	96
PID 3560 wrote to memory of 2900	3560	cmd.exe	96
PID 1412 wrote to memory of 728	1412	Logo1_.exe	97
PID 1412 wrote to memory of 728	1412	Logo1_.exe	97
PID 1412 wrote to memory of 728	1412	Logo1_.exe	97
PID 728 wrote to memory of 2388	728	net.exe	99
PID 728 wrote to memory of 2388	728	net.exe	99
PID 728 wrote to memory of 2388	728	net.exe	99
PID 1412 wrote to memory of 3408	1412	Logo1_.exe	56
PID 1412 wrote to memory of 3408	1412	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
  "C:\Users\Admin\AppData\Local\Temp\cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB65F.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe
      "C:\Users\Admin\AppData\Local\Temp\cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe"
      4⤵
      Executes dropped EXE
      PID:2900
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
ad49cc293adc3202b706d4f7127d628d

SHA1
4660eed68d5c97632885a8bd75890aca547cbee0

SHA256
5591244c79a8e0e04bbc4e36e6bf4a55ec59b3d3f4b20d027a668c7f60125dcb

SHA512
bf1923dfbcb6657d1c6a2a7d7043f51232ae7e148f02f15bc99f458b60c8a3080a1882c8232f598b259b953f8a8ef019d0fc9268af802e42de216645cd3ad1b0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
3ef47512091981bb9d1603c421a688d9

SHA1
72eba11625662084d535aa4fa2fc4bc86da61fd6

SHA256
980fec6a47516939fa753290022964acb7a90e205d0ea14af1d94ca20b37c570

SHA512
ac16134d4c065ed8770c8ded8c60a6a142c21fb52a1e7f05f4534a7ff1bae4e27380785231b954b1c6b7f5e91eed18bb81df340912368b264129a82bc76f89f2

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
74f614352141ac4f78c3e59955ed2258

SHA1
179465d798ce029d20b16601530037ca9d87563f

SHA256
e33cff13b2b5307aaa06fc8f6d15ebe31eeb5ac6ad8d12b4b5c877eb34cca70c

SHA512
af736346b2a298b653dccc43a44d852001584bc22c5e00cb959246a0544044587e27ae3af6c253bf68b3dbe24a0badbe0bf55784f704d8e2f703afaed49ae6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB65F.bat

Filesize
722B

MD5
6f806a111654215d405e78d5a4a0835b

SHA1
96226fda5a749cddd09fc30fb0bceb66d3de7ea2

SHA256
652a2fa3f6dcf543df90aa679e74a9d6da2c75443f947b1079a3769fc19dfa77

SHA512
461f7853a617d00ff3fd986ab140608405d7ae74225d74ac877e42a8189e5702bbb79e5108404221b512669960c129c34e78c31fcd33703f348a92cb5b8dc2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1cef37a2dc88c45ea3bff621d54a69f25b497fa59798342aca4c39561ccb27.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
bee6df131a9c9bccab2c2e85139f6842

SHA1
d7d095b827384b3b5f4e0cf9b8afb543998f1796

SHA256
1a8911fd47aa3e98991935402374717b26afeed5d8eb431edcd4625f1a16f962

SHA512
2457aa406a3010ce789237d55fa17fc0f5694c847699af8044f21ea935179ffc69056c0c2ba4ba3eee3158c51afb2d11d2c372eca3e1ca77c44545cb74cd4812

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini

Filesize
9B

MD5
e2a14c19421b289cbd51a76363b166bd

SHA1
5d0621d68da5a444f49c090b0725c7044d47fdb7

SHA256
844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

SHA512
8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

Download Submit
memory/1412-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-2657-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-8837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download