Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-09-2024 06:09
Static task
static1
Behavioral task
behavioral1
Sample
b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
Resource
win7-20240903-en
General
-
Target
b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
-
Size
251KB
-
MD5
8310c43cfe4ed25e7ee8be6b81e4c156
-
SHA1
9701a8d8c4e20f668bc320d91736653c782534c7
-
SHA256
b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230
-
SHA512
08bdbcd2dc4d1fab3c0f9b3f1062c798da64c9d4ff88b31471c90026bdbed8ca7acd33723c45e56d6bd0a4be95a4fd4b5113a54fe76dc545fee1d4dad5006075
-
SSDEEP
6144:SYqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:SVml5a6EdkQgUmR7G9QK3wJx+qSfF0
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1840 | Logo1_.exe
4932 | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
All 64 rows belong to Logo1_.exe. Most are _desktop.ini markers written into application directories, but three rows are existing executables opened for modification (eqnedt32.exe, firefox.exe, createdump.exe), which is the part of this signature worth following up on.
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Crashpad\attachments\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Portable Devices\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
File created | C:\Windows\Logo1_.exe | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the same key is read by net.exe, net1.exe and cmd.exe as well as by the sample, so on its own this is a weak indicator.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
-
Runs net.exe
-
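The following Python is an added example, not code from this report or from the sandbox vendor. It re-implements, over a flat event feed, what the "Drops file in Program Files directory", "Enumerates connected drives" and "Runs net.exe" signatures above are looking for, plus a rule for the existing executables this run opened for modification. The event feed is constructed from rows in this report; the (event, ioc, process) tuple layout, the thresholds and the AV_KEYWORDS list are assumptions of the example.

```python
"""Re-implementation of behavioural signatures from this report (added example)."""
import re
from collections import defaultdict

SAMPLE = "b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"

# Constructed sample feed modelled on the report's IoC rows: (event, ioc, process).
EVENTS = [
    ("file_created", "C:\\Windows\\rundl132.exe", SAMPLE),
    ("file_created", "C:\\Windows\\Logo1_.exe", SAMPLE),
    ("file_created", "C:\\Windows\\Dll.dll", "Logo1_.exe"),
    ("file_created", "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\_desktop.ini", "Logo1_.exe"),
    ("file_modified", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Logo1_.exe"),
    ("file_modified", "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\6.0.27\\createdump.exe", "Logo1_.exe"),
    ("file_created", "C:\\Program Files\\Crashpad\\attachments\\_desktop.ini", "Logo1_.exe"),
    ("file_created", "C:\\Program Files\\VideoLAN\\VLC\\locale\\ku_IQ\\_desktop.ini", "Logo1_.exe"),
    ("file_modified", "C:\\Program Files (x86)\\Microsoft\\Temp\\_desktop.ini", "Logo1_.exe"),
    ("file_created", "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\TypeSupport\\_desktop.ini", "Logo1_.exe"),
    ("file_modified", "C:\\Program Files\\Windows Portable Devices\\_desktop.ini", "Logo1_.exe"),
    ("file_modified", "C:\\Program Files\\VideoLAN\\VLC\\_desktop.ini", "explorer.exe"),  # one benign-looking write
    ("file_open_ro", "\\??\\E:", "Logo1_.exe"),
    ("file_open_ro", "\\??\\G:", "Logo1_.exe"),
    ("file_open_ro", "\\??\\H:", "Logo1_.exe"),
    ("file_open_ro", "\\??\\C:", "explorer.exe"),  # default drive, never counted
    ("file_open_ro", "\\??\\D:", "explorer.exe"),
    ("process_start", 'net stop "Kingsoft AntiVirus Service"', "net.exe"),
    ("process_start", 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"', "net1.exe"),
    ("process_start", "net use \\\\fileserver\\share", "net.exe"),  # net.exe, but not a service stop
]

PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")          # NT path of a drive root, e.g. \??\E:
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
AV_KEYWORDS = ("antivirus", "anti-virus", "kingsoft", "defender", "security")  # assumed list


def _under_program_files(path):
    return path.lower().startswith(PROGRAM_FILES)


def desktop_ini_droppers(events, threshold=3):
    """process -> number of _desktop.ini files created/modified under Program Files;
    processes below `threshold` are dropped as ordinary installer noise."""
    hits = defaultdict(int)
    for kind, ioc, proc in events:
        if kind in ("file_created", "file_modified") and _under_program_files(ioc) \
                and ioc.lower().endswith("\\_desktop.ini"):
            hits[proc] += 1
    return {p: n for p, n in hits.items() if n >= threshold}


def program_files_exe_writes(events):
    """(process, path) for existing executables under Program Files opened for modification."""
    return [(proc, ioc) for kind, ioc, proc in events
            if kind == "file_modified" and _under_program_files(ioc) and ioc.lower().endswith(".exe")]


def drive_enumerators(events, min_drives=2):
    """process -> sorted drive letters other than C: whose root it opened."""
    seen = defaultdict(set)
    for kind, ioc, proc in events:
        m = DRIVE_ROOT.match(ioc)
        if kind == "file_open_ro" and m and m.group(1) != "C":
            seen[proc].add(m.group(1))
    return {p: sorted(d) for p, d in seen.items() if len(d) >= min_drives}


def av_service_stops(events):
    """(process, service) for net/net1 'stop' commands aimed at a security-looking service."""
    found = []
    for kind, cmdline, proc in events:
        m = NET_STOP.search(cmdline) if kind == "process_start" else None
        if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
            found.append((proc, m.group(1)))
    return found


if __name__ == "__main__":
    print("_desktop.ini droppers:", desktop_ini_droppers(EVENTS))
    print("Program Files exe writes:", program_files_exe_writes(EVENTS))
    print("drive enumerators:", drive_enumerators(EVENTS))
    print("AV service stops:", av_service_stops(EVENTS))
```

The thresholds matter: a single _desktop.ini write or a single extra drive root is routine for installers and Explorer, which is why both rules count per process before reporting, and why the lone explorer.exe rows in the feed do not fire.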
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1412 | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe (repeated rows)
1840 | Logo1_.exe (repeated rows)
(64 rows in total, all from these two processes)
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target | rows
PID 1412 wrote to memory of 2756 | 1412 | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe | 82 | 3
PID 2756 wrote to memory of 1748 | 2756 | net.exe | 84 | 3
PID 1412 wrote to memory of 2624 | 1412 | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe | 85 | 3
PID 1412 wrote to memory of 1840 | 1412 | b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe | 87 | 3
PID 1840 wrote to memory of 3640 | 1840 | Logo1_.exe | 88 | 3
PID 3640 wrote to memory of 4856 | 3640 | net.exe | 90 | 3
PID 2624 wrote to memory of 4932 | 2624 | cmd.exe | 91 | 3
PID 1840 wrote to memory of 3876 | 1840 | Logo1_.exe | 94 | 3
PID 3876 wrote to memory of 3100 | 3876 | net.exe | 96 | 3
PID 1840 wrote to memory of 3416 | 1840 | Logo1_.exe | 56 | 2
Processes
C:\Windows\Explorer.EXE  PID:3416
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe  PID:1412
    Command line: "C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  PID:2756
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  PID:1748
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  PID:2624
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a688D.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe  PID:4932
        Command line: "C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe  PID:1840
      Command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  PID:3640
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  PID:4856
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe  PID:3876
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  PID:3100
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
-
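The Python below is an added example, not code from this report or the sandbox vendor. It rebuilds the tree shown in the Processes section from the parent/child relations and then sorts the "PID A wrote to memory of B" rows from the WriteProcessMemory signature into writes into a freshly spawned child (the normal CreateProcess pattern, which accounts for the three-row groups) and writes into a process the writer did not spawn, which in this run is the two rows from Logo1_.exe (1840) into Explorer.EXE (3416). PIDs, image names and row counts are transcribed from this report; the tuple and dictionary layouts are the example's own.

```python
"""Process tree and WriteProcessMemory classification (added example)."""
from collections import defaultdict

SAMPLE = "b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe"

# (source pid, target pid, source image, identical rows in the report)
WPM_ROWS = [
    (1412, 2756, SAMPLE, 3), (2756, 1748, "net.exe", 3), (1412, 2624, SAMPLE, 3),
    (1412, 1840, SAMPLE, 3), (1840, 3640, "Logo1_.exe", 3), (3640, 4856, "net.exe", 3),
    (2624, 4932, "cmd.exe", 3), (1840, 3876, "Logo1_.exe", 3), (3876, 3100, "net.exe", 3),
    (1840, 3416, "Logo1_.exe", 2),
]

# Image names and parent PIDs as listed in the Processes section (report order kept).
IMAGE = {
    3416: "Explorer.EXE", 1412: SAMPLE, 2756: "net.exe", 1748: "net1.exe",
    2624: "cmd.exe", 4932: SAMPLE, 1840: "Logo1_.exe", 3640: "net.exe",
    4856: "net1.exe", 3876: "net.exe", 3100: "net1.exe",
}
PARENT = {
    1412: 3416, 2756: 1412, 1748: 2756, 2624: 1412, 4932: 2624, 1840: 1412,
    3640: 1840, 4856: 3640, 3876: 1840, 3100: 3876,
}


def children_map(parent):
    """Invert the parent map; dict order preserves the report's listing order."""
    kids = defaultdict(list)
    for pid, ppid in parent.items():
        kids[ppid].append(pid)
    return kids


def render_tree(parent, image, root):
    """Return the tree as indented 'image [pid]' lines, root first (depth-first)."""
    kids = children_map(parent)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image[pid]} [{pid}]")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def is_ancestor(candidate, pid, parent):
    """True if `candidate` appears anywhere on the parent chain above `pid`."""
    while pid in parent:
        pid = parent[pid]
        if pid == candidate:
            return True
    return False


def classify_writes(rows, parent):
    """Split rows into writes into the writer's own child and writes into any other process."""
    child_writes, foreign_writes = [], []
    for src, dst, src_image, n in rows:
        (child_writes if parent.get(dst) == src else foreign_writes).append((src, dst, src_image, n))
    return child_writes, foreign_writes


def foreign_write_report(rows, parent, image):
    """One line per foreign write, noting whether the target is the writer's own ancestor."""
    out = []
    for src, dst, src_image, n in classify_writes(rows, parent)[1]:
        relation = "ancestor" if is_ancestor(dst, src, parent) else "unrelated"
        out.append(f"{src_image} [{src}] -> {image[dst]} [{dst}] x{n} ({relation} process)")
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(PARENT, IMAGE, 3416)))
    print()
    print("\n".join(foreign_write_report(WPM_ROWS, PARENT, IMAGE)))
```

Separating the two kinds of write is what makes this signature actionable: nine of the ten (source, target) pairs are simply parents writing into children they just created, while the Logo1_.exe write into Explorer.EXE targets a process that was already running before the sample started and sits above it in the tree.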
Network
All eight flows are reverse (PTR) lookups sent to the resolver at 8.8.8.8:53; the report records no other network traffic for this run.
Remote address | Request | Type | Response | Bytes out | Bytes in | Packets out | Packets in
8.8.8.8:53 | 232.168.11.51.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1
8.8.8.8:53 | 73.144.22.2.in-addr.arpa | IN PTR | a2-22-144-73.deploy.static.akamaitechnologies.com | 70 B | 133 B | 1 | 1
8.8.8.8:53 | 134.32.126.40.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1
8.8.8.8:53 | 95.221.229.192.in-addr.arpa | IN PTR | (empty) | 73 B | 144 B | 1 | 1
8.8.8.8:53 | 86.23.85.13.in-addr.arpa | IN PTR | (empty) | 70 B | 144 B | 1 | 1
8.8.8.8:53 | 56.126.166.20.in-addr.arpa | IN PTR | (empty) | 72 B | 158 B | 1 | 1
8.8.8.8:53 | 73.190.18.2.in-addr.arpa | IN PTR | a2-18-190-73.deploy.static.akamaitechnologies.com | 70 B | 133 B | 1 | 1
8.8.8.8:53 | 81.144.22.2.in-addr.arpa | IN PTR | a2-22-144-81.deploy.static.akamaitechnologies.com | 70 B | 133 B | 1 | 1
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 577KB
MD5: 7864a3f777019c73ad26ab282fdaba77
SHA1: c46f6b0c3503911395a1d13ac2f7884a20a76382
SHA256: f3117732a9955b7a81629f8f4e3feba53ff1f1491c2c49c6b2d76a1fa64b0545
SHA512: 94191a3fde694d248ace8d212253821f502d5e592ab2f4cb1d137c7c55645d218b48839a00e8a87a6e5ef31138e700e3e56c2b6d84e0c4e8291394df45261645
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
MD5: 9044b8cb7dee805474f46fdff328cebb
SHA1: 1cabc4c6c2c86cbb78765bc9dbc34fb343a473d2
SHA256: 62fedddac5d2bc0012582f6d5c8a62f1cfeb146338ded33892f3e2e9a3080618
SHA512: 4c3baf797abb9745bd194cb39da4f7541273d5ceb694929e562b3823118a8851a9b5dde4379d3936ca8fc233339560f7716518a62b421a2fcfe228d1037d9753
-
Filesize: 722B
MD5: ca353bf9cb107528437a08d3f27bd763
SHA1: 5461650d2789e76705e99e0237b78a4e7da2c5da
SHA256: 27d831bab37e71756c478f8f121f3f9f8de0ca3f3101208c0aaf738cbc8ef1a2
SHA512: ccb2c169c75ac45b80063fabd2d984c81faf610ac7e64a21fd39476e701861f58e4f3a50fe7fc7aa1288de0578f97d16b2392db447af0e49cfd26a3c671e7ec1
-
C:\Users\Admin\AppData\Local\Temp\b21d5e1730fe1df803a2a2ff950204447e280f670d63581fd9b7ccd6020e7230.exe.exe
Filesize: 217KB
MD5: 021c57c74de40f7c3b4fcf58a54d3649
SHA1: ef363ab45b6fe3dd5b768655adc4188aadf6b6fd
SHA256: 04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef
SHA512: 77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018
-
Filesize: 33KB
MD5: 3253bf7588138d1e39d3105c7b5dc8b9
SHA1: b26c43ff51ce241d473aa3efa30cd3b3bc68e43a
SHA256: 63554e061f95eb7f63c9d50e7c14fc88c1cbf4db277efaefe1bea2388f9ed5e0
SHA512: cd45a96ada3daa5d2386ef9d5ded03a7e1e6f5c800bf01d02c1289c2e5234b8ed2b430ad0438837b32da22a753d07b0d1ee918dca8567a8c6c3619a8050c3bd5
-
Filesize: 9B
MD5: 82fa69b12ac2df558c85e86426eb13eb
SHA1: ad90b8756e3bebe04450f6950419c761844d7b7e
SHA256: f7622a3740b818722e46a36b5aeb1c0ba6bec25bec811e3dcfe0b5ba1d728775
SHA512: 3c4da39d3b0d68ade3ff8ded69bf1e78a1ef88f7ed70c85572ae06e6be78155ffc2f557f577208e579191be2d8be2a1fa833b9ca74a35bb69cf9c32c23f4d99f