Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 19:16

Static task: static1
Behavioral task: behavioral1
Sample: 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
Resource: win7-20240704-en
General

Target: 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
Size: 570KB
MD5: 9de344775c6314140afb433a5e603a14
SHA1: 5048e550ec5e48a203585727b683d0c3d5172778
SHA256: 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe
SHA512: 11a49b9620d3d8a27b85ce9fc10781d6de30e3a05cafb63e372ce3001db12d5701c00e0a3663e2b7dbac5ee3f8fa07984bf2cdf673a0b8229f3460cf477bd792
SSDEEP: 12288:J+azULc+Gl3DflwlLrfw+fZdI+eN9K61cNiSvSGtTnOmyMcp7YJhne:JBz2c+qILkOdIdcN/vvtTObMceJhe
Malware Config
Signatures
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
pid | Process
2772 | Logo1_.exe
4448 | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Google\Update\Install\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateBroker.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpshare.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
File created | C:\Windows\Logo1_.exe | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
528 | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe | 26
2772 | Logo1_.exe | 38
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target | entries
PID 528 wrote to memory of 4288 | 528 | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe | 82 | 3
PID 4288 wrote to memory of 4592 | 4288 | net.exe | 84 | 3
PID 528 wrote to memory of 944 | 528 | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe | 85 | 3
PID 528 wrote to memory of 2772 | 528 | 4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe | 86 | 3
PID 2772 wrote to memory of 3480 | 2772 | Logo1_.exe | 88 | 3
PID 3480 wrote to memory of 1832 | 3480 | net.exe | 90 | 3
PID 944 wrote to memory of 4448 | 944 | cmd.exe | 91 | 2
PID 2772 wrote to memory of 3396 | 2772 | Logo1_.exe | 92 | 3
PID 3396 wrote to memory of 4872 | 3396 | net.exe | 94 | 3
PID 2772 wrote to memory of 3504 | 2772 | Logo1_.exe | 56 | 2
Processes

C:\Windows\Explorer.EXE (depth 1, PID 3504)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe (depth 2, PID 528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (depth 3, PID 4288)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (depth 4, PID 4592)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 944)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88F6.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe (depth 4, PID 4448)
        Command line: "C:\Users\Admin\AppData\Local\Temp\4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe"
        Signatures: Executes dropped EXE

    C:\Windows\Logo1_.exe (depth 3, PID 2772)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (depth 4, PID 3480)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (depth 5, PID 1832)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe (depth 4, PID 3396)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (depth 5, PID 4872)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 250KB
MD5: 840173981d2ba75901597df7ff09d290
SHA1: 58decafb28186e894d8269e7f75425e0c4ffc260
SHA256: 078d54c2f6ea7c831eb62e72168e63c76643da6e750829fc37c0952803a3af76
SHA512: 4dcacea5c850b8bf03ace3e144ea7a1a3c7793af51a9bc633157d2db8fb52cdebcdfd0203168975f50865050995949af6139d7124acdda751bfa1d178bd79d70

Filesize: 577KB
MD5: ce6e6e569bde6b52c03f80f4a3616c8f
SHA1: 67ec814b7f0a51b51f17dbee1f2d83b2dbf653c0
SHA256: d662cbbbc30b035911b1514528d8ea7348cbb7bef694c87f4b027d38da9d368a
SHA512: 210cf36bf8b8ee781f359841be20a164e6bfa063dc8642408e5bfa2736eb0c28bd046369b0685f78d5b03c829f99d70f52c7314ad725e8f51999a1110f4fe39f

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: 47b415cc62fdf73b49f65176bb89c477
SHA1: 4f0e377558d7d72bcc67bbca7d0b26142e1d4023
SHA256: 253952cf8a974e389835fc7b448d2d87ec5a2e6239952dc83050e4d307964ebc
SHA512: 8af6c493210052450a75dc6e1e3276c7409bab9407f0a2808000e83fa6649b04573e39023218472a332f574762d626c124dc665805131bb97022e94f51029d1e

Filesize: 722B
MD5: 3b99565a4d59e1cfa4c44d1bafe8f8f4
SHA1: 1bd9c8f183b2a962932c1ea9cc2ebd64f978dbaa
SHA256: af47c7df6d08c27116e50fa5740b59a80eee421189c204adf093a65dca7fce76
SHA512: da0c8fcbc5aee922bfc4addb1e9ddeb7541cc07dbc7d4da38a0d41eee82a930d5e4953b062c1f9489e06a82b1ed0f28874f27af7d05a05f7ddd632f97fb61329

C:\Users\Admin\AppData\Local\Temp\4568b24e7bd0c68578b3d44c7fa5c9dedade7d17c923ea85a4f084c9c2927afe.exe.exe
Filesize: 537KB
MD5: 1693ec6b9172f769440a61f39dc4ec23
SHA1: 784211d8def7e5047b16858773c1f898e853c761
SHA256: d03eb23ef9eaf78e92d7db8febdd0c58bba0c8fa180af3ecb9112d7b5e02ddaa
SHA512: 059903839564e19b17d9e096db365c643079a68ace6e78b704810e81c57c04788621f987932c2947821ebda01cc3319c646dcde0d04f8cb736128debaade4df0

Filesize: 33KB
MD5: cf70ad5b232894139c13926bbfc8016a
SHA1: 51c049d318d7057bec21cc3ca4816459eeb6dbfa
SHA256: 9c9d2c25a7133bde9f6a58b09961fd6400c418a3e3c44723c54bdbb5d55a6bed
SHA512: 77f77d508c2ad49089767ae264f3addc1b0f2d039d07af5b9be9afc9f89ab919b511fd1580a7ac1d084b0f8ce03a056d50a85e5646ab6b19fde124bb107e7ccb

Filesize: 9B
MD5: e02899454c67c7d6d1af854fdcb53b67
SHA1: 26fb213f7c299c2a4d8c4afd234ee0b751d7a30e
SHA256: 0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315
SHA512: e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa