e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
Size

176KB
MD5

7c6dfa10c7d8d55255b969b7f6582da0
SHA1

116fcea646b242fa467095a20ba6950bed9c57cf
SHA256

e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc
SHA512

4318b51d6b63b4ba70c4194d0e2ff30d78baf522a9076a2b60a78e91206b7bfe5205aeb1995079b1c23c9978d67f057dc3d4154b60ec38e38b94b4a7143475b0
SSDEEP

3072:K4we+a1DfByOpGjAvb3eLG2FmDDSrDVTFooWZet3:Jl+appyOpGcj3UFmDDSrDVTSBQ3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	Logo1_.exe
3936	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63FECC1B-8F0C-4431-8BCF-116FCD47AD2C}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
File created	C:\Windows\Logo1_.exe	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe
2288	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4576	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	83
PID 3436 wrote to memory of 4576	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	83
PID 3436 wrote to memory of 4576	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	83
PID 4576 wrote to memory of 3244	4576	net.exe	85
PID 4576 wrote to memory of 3244	4576	net.exe	85
PID 4576 wrote to memory of 3244	4576	net.exe	85
PID 3436 wrote to memory of 3028	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	86
PID 3436 wrote to memory of 3028	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	86
PID 3436 wrote to memory of 3028	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	86
PID 3436 wrote to memory of 2288	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	88
PID 3436 wrote to memory of 2288	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	88
PID 3436 wrote to memory of 2288	3436	e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe	88
PID 2288 wrote to memory of 1312	2288	Logo1_.exe	89
PID 2288 wrote to memory of 1312	2288	Logo1_.exe	89
PID 2288 wrote to memory of 1312	2288	Logo1_.exe	89
PID 1312 wrote to memory of 3384	1312	net.exe	92
PID 1312 wrote to memory of 3384	1312	net.exe	92
PID 1312 wrote to memory of 3384	1312	net.exe	92
PID 3028 wrote to memory of 3936	3028	cmd.exe	91
PID 3028 wrote to memory of 3936	3028	cmd.exe	91
PID 2288 wrote to memory of 1540	2288	Logo1_.exe	93
PID 2288 wrote to memory of 1540	2288	Logo1_.exe	93
PID 2288 wrote to memory of 1540	2288	Logo1_.exe	93
PID 1540 wrote to memory of 3884	1540	net.exe	95
PID 1540 wrote to memory of 3884	1540	net.exe	95
PID 1540 wrote to memory of 3884	1540	net.exe	95
PID 2288 wrote to memory of 3448	2288	Logo1_.exe	56
PID 2288 wrote to memory of 3448	2288	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
  "C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61B7.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe
      "C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe"
      4⤵
      Executes dropped EXE
      PID:3936
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
250KB

MD5
85288899f47f812de0920f0415e414f1

SHA1
08e9d96816a8f396b304e69edaf65972ca8fad20

SHA256
9cabae29a7cf9d995268c718d32dcee7e8d3d8965ebc6b561eba6db24de2d0bb

SHA512
bbd4b0a0faf889098fee026e3a68ca2c1739079559c7bed1c90c36a453b8ddac08a0887279f9d13a5f2520fd13535bd71ee77e6129e016aaa5d29199984572a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
a6001b34878a0c9038926295609aeb20

SHA1
de581a97239e5e2729f3569e4150955ca29d9777

SHA256
147f7b327359fbef3ecd9197f0fb6cd7776e5b2de23ec6eef6c3043e1db2b36d

SHA512
167207ceabe2c9605fb2da9dea09ea723d766f7237769e0124abdbc2e62272300db493a60efeeafd07f39828ed2386661949b0e05e91bd77109ad275cc7be05d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
29bab5fa7dbfd951e1c8290a8f4c2ba7

SHA1
7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

SHA256
dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

SHA512
5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a61B7.bat

Filesize
722B

MD5
9d4849a413eb8a36e72d96a51fe430f4

SHA1
42a6c562ad0bdf842f26b5b42dc59648d64f1ed6

SHA256
fc1bc41f7ea34fded8bc9fc3f95716bf039c1c7f038e3ab7199c3c2f97b840df

SHA512
980d20fd2b8c87f4785fabff454336cbcca4d1faf82783fde80d6dd49ea05aa8fbde355146c454996c1bd3688b8af0ddcaf24c2f6deb9c74171f7a859371f48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e631dc2840c529d8dd7c5e188f87e0a70ae7f3bda7a61767f78c14ac2c2807bc.exe.exe

Filesize
143KB

MD5
33b4c87f18b4c49114d7a8980241657a

SHA1
254c67b915e45ad8584434a4af5e06ca730baa3b

SHA256
587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662

SHA512
42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
0fa99b8acf13f45b95bacb99fad6efef

SHA1
d6271ca22be5d6bbfba2ef4229dca71182d43892

SHA256
c41ba3c322874847191377fd1671808aff7f2aac06b0ad1a8d1e81679e498b01

SHA512
efdbb5b56a621d6bffe454cf860483a21a64d59ece212cbc42f45f6a2259f5afd99621b88253b8808af5429b7e67d69136dc5fa63b304389e3e2ac090495cc31

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

Filesize
9B

MD5
82fa69b12ac2df558c85e86426eb13eb

SHA1
ad90b8756e3bebe04450f6950419c761844d7b7e

SHA256
f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775

SHA512
3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f

Download Submit
memory/2288-3978-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-8755-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download