a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
Size

66KB
MD5

9a769a66705076525660d751ac973f10
SHA1

84c2e6fcc5e44a94a3c70e72d3c58476ef8fe344
SHA256

a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1
SHA512

e105b5ecb8864e34c573a2696c2a3653c84e2225430e4bcbdc92da6106c1550171dc782097c45c07784526015970a937d8591cd2fd78db735aab6e8177ae0a9d
SSDEEP

1536:JEaYzMXqtGN/CstC9qVFuiS4qz0XSW3iDhy3:JEaY46tGNFC0VFPS4qz3DhO

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4192	Logo1_.exe
4980	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Crashpad\reports\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
File created	C:\Windows\Logo1_.exe	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe
4192	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2980	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	82
PID 2600 wrote to memory of 2980	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	82
PID 2600 wrote to memory of 2980	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	82
PID 2980 wrote to memory of 3512	2980	net.exe	84
PID 2980 wrote to memory of 3512	2980	net.exe	84
PID 2980 wrote to memory of 3512	2980	net.exe	84
PID 2600 wrote to memory of 2292	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	85
PID 2600 wrote to memory of 2292	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	85
PID 2600 wrote to memory of 2292	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	85
PID 2600 wrote to memory of 4192	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	86
PID 2600 wrote to memory of 4192	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	86
PID 2600 wrote to memory of 4192	2600	a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe	86
PID 4192 wrote to memory of 692	4192	Logo1_.exe	87
PID 4192 wrote to memory of 692	4192	Logo1_.exe	87
PID 4192 wrote to memory of 692	4192	Logo1_.exe	87
PID 692 wrote to memory of 3304	692	net.exe	90
PID 692 wrote to memory of 3304	692	net.exe	90
PID 692 wrote to memory of 3304	692	net.exe	90
PID 2292 wrote to memory of 4980	2292	cmd.exe	91
PID 2292 wrote to memory of 4980	2292	cmd.exe	91
PID 2292 wrote to memory of 4980	2292	cmd.exe	91
PID 4192 wrote to memory of 2060	4192	Logo1_.exe	92
PID 4192 wrote to memory of 2060	4192	Logo1_.exe	92
PID 4192 wrote to memory of 2060	4192	Logo1_.exe	92
PID 2060 wrote to memory of 4800	2060	net.exe	94
PID 2060 wrote to memory of 4800	2060	net.exe	94
PID 2060 wrote to memory of 4800	2060	net.exe	94
PID 4192 wrote to memory of 3532	4192	Logo1_.exe	56
PID 4192 wrote to memory of 3532	4192	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a705D.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
      "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
5ca9e8b7545a05fc5e64d531cd019824

SHA1
5de7b8bdc13ca961c18bc121ae38285ac27ca982

SHA256
75383cef3c9a81f719e5a9c048f339681e8664eb1aa01379f5753b13c83eb173

SHA512
957dd4239ff5a46df373aafe728ef16c5a345a91545b6435328c67d470cb1ea163b4d88e4faa4377c6bf6453452287fa8097efcec3bf9fd209fd4dca44871319

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
c2fe4f6b862991214548a6e7d9148737

SHA1
072bd4a0b34741a2a182cdb8d81d134b09d44ceb

SHA256
24bc895a6b6b00adc5f63d4947e421e12bec3072aa51ccc9a534b16c4bda65d2

SHA512
24c69c5fef51897883d0da0da56577b76ca55f48b6df4b9ca12ef2b3a5636d72a6251366f8bc52215e9e993bdbf3bd6c1ca90cf90d91bb3ab748a6d5038dd9a2

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
b683d08031e54ea6942378775fcacdf7

SHA1
a2e7e8911ab44ce6e768058d02e2d68a8b093c7d

SHA256
7d2c375e7c1e52dfb0254cab9fb3816c5a1ba987b44910dcbbc5f0b3b8294070

SHA512
68d53577071249f8e4a5a70713c9b82a295bde488e00cb5c5287ed7c78a5195829eb65c83ddee6f64f6da085d3c0b0723249464044f20088b76aa631dff72599

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a705D.bat

Filesize
722B

MD5
9b9c8b5988b038a343900019464bbcae

SHA1
0a71a2bd6d42eb4e75087f994f47332d325535ad

SHA256
25b42f6206300bed2eb351beafadc3628f97b4a93d9bb04765742e4ac5566d75

SHA512
d98490f9148a6249a5c7abc93190aee5d780eca9de063031d5abf12625fa12774c09ec204126c64d05eebd7cc6237b8ded6b2cd43a42dc33bd37efa2d976e32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe.exe

Filesize
33KB

MD5
e23f654ce94c5fea4bc1d10bac9e1705

SHA1
8bf96eb96181339a2c0f261768045546503d7545

SHA256
74d75e8cd9f52cd9b294bd8203d21c83009824890811174af2601795a2bffe6c

SHA512
c9021cec17d19bfea97d6c038747f6c0a387934d3700e058b4ffad41f9d4805771c52739c5f9efdf69db099a52fc48040e7fed692acbea0398b3ffe843f9fce6

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
59da86273cbde98e3fb6274e3181834b

SHA1
24b2e7d415d7f4e40ec6420f0e88cb401165b64a

SHA256
853e0659e3f3c5fd81de6edcebb97b388b0006f7c78b514cd2aa93aa1d97f724

SHA512
3534114ac7de80b2f6c5794109a7f89386b86df095799844353530384f113e63bffa6a85f445f5c1a825d45740631b95c80a0612d8a2a1964469207df6615f41

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\_desktop.ini

Filesize
9B

MD5
e02899454c67c7d6d1af854fdcb53b67

SHA1
26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

SHA256
0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

SHA512
e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

Download Submit
memory/2600-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-3124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-8811-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download