Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 06:09
Static task: static1
Behavioral task: behavioral1
Sample: 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe
Resource: win7-20240704-en
General
Target: 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe
Size: 39KB
MD5: c1c4393bd2098d79eefa6ac914668e70
SHA1: 5f18df44f05b51013ec8334a23b8f036638245a1
SHA256: 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4
SHA512: 596a0f6d205d3cfdec032ec9dfbd3f660debf0917ee65c5d19f9f0e6e68e82e354730c0992b177b00419f516ae762568fff873e5e4b32ce4c91b17ff07933f76
SSDEEP: 768:8RO5RroZJ76739/dZVdfpULiAYXjPrN+8WEjrZMYjV8mp8w:8Re+Zk7VJbwlYXjPrsqrZMYR5p8w
Malware Config
Signatures
Drops startup file 2 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\T: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\Q: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\O: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\N: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\M: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\Z: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\W: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\V: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\R: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\E: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\K: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\I: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\H: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\Y: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\X: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\U: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\P: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\S: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\L: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\J: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File opened (read-only) | \??\G: | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Dll.dll | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
| File created | C:\Windows\rundl132.exe | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe |

Runs net.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
Suspicious use of WriteProcessMemory 14 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3296 wrote to memory of 2856 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 82 |
| PID 3296 wrote to memory of 2856 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 82 |
| PID 3296 wrote to memory of 2856 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 82 |
| PID 2856 wrote to memory of 1436 | 2856 | net.exe | 84 |
| PID 2856 wrote to memory of 1436 | 2856 | net.exe | 84 |
| PID 2856 wrote to memory of 1436 | 2856 | net.exe | 84 |
| PID 3296 wrote to memory of 1420 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 85 |
| PID 3296 wrote to memory of 1420 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 85 |
| PID 3296 wrote to memory of 1420 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 85 |
| PID 1420 wrote to memory of 424 | 1420 | net.exe | 87 |
| PID 1420 wrote to memory of 424 | 1420 | net.exe | 87 |
| PID 1420 wrote to memory of 424 | 1420 | net.exe | 87 |
| PID 3296 wrote to memory of 3380 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 55 |
| PID 3296 wrote to memory of 3380 | 3296 | 558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe | 55 |
Processes
(depth) image path, command line, PID, signatures triggered

(1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3380

  (2) C:\Users\Admin\AppData\Local\Temp\558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\558c26ce0acd42db3a916cb557de680fd6f7733e9355b5daf950fe3b1dd53be4.exe"
      PID: 3296
      - Drops startup file
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    (3) C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 2856
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1436
          - System Location Discovery: System Language Discovery

    (3) C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 1420
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      (4) C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 424
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 183KB
MD5: 5dab1c803b61aa0a39161aa211544f1a
SHA1: b78facb591dd2d4aad1b521af2bd0b8c48ec32bb
SHA256: 0d89216047e3937d8cfc7f9d48cba16c65f341b37e94c6f763b98c3d22d5e9b2
SHA512: 1c581a483998450e2c06674eed65b8788184b5ba20a15938c350fed44e7d39ec6281241de33f3c90df7788d35f659da4dd6a0f80a8ef744930551ac87e9dd9cf

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 649KB
MD5: 3e7cc0550b3e262224a01196dcffca48
SHA1: 84b97784946a4f4edc8528690aee26cff4a5c35d
SHA256: df205fe7ab5dd6c98547afe872f5b3bb66028f2cb14696fbc45610b0ef4723bf
SHA512: 864943da2a29d2e8aaca17a10ed791f22b3387c85fe19c19dea1ab3b89b3d6540dbd187f867742967a696ba0b76ce6e576a2825cc9147d77ab79f3a4f2a4ab6a

Filesize: 9B
MD5: 82fa69b12ac2df558c85e86426eb13eb
SHA1: ad90b8756e3bebe04450f6950419c761844d7b7e
SHA256: f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775
SHA512: 3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f