c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
Size

5.7MB
MD5

40f7b3ec38608ed7c4c95b51991d9d51
SHA1

d3065aa488142c6d88908507a30ccd9f2de2abb0
SHA256

c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e
SHA512

62ba4b506e5dca8026b22fb9c48aea154994ce65bb6b027a1c1389404ac13ad05e65af3b6bbfe4daa463680a0571f1ee530b9256073152aa301f75c61ec8ca75
SSDEEP

49152:Hd+Pv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTP:HdAKUgTH2M2m9UMpu1QfLczqssnKSk

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2644	Logo1_.exe
3032	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
File created	C:\Windows\Logo1_.exe	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe
2644	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4040	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	82
PID 4316 wrote to memory of 4040	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	82
PID 4316 wrote to memory of 4040	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	82
PID 4040 wrote to memory of 1816	4040	net.exe	84
PID 4040 wrote to memory of 1816	4040	net.exe	84
PID 4040 wrote to memory of 1816	4040	net.exe	84
PID 4316 wrote to memory of 316	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	85
PID 4316 wrote to memory of 316	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	85
PID 4316 wrote to memory of 316	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	85
PID 4316 wrote to memory of 2644	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	86
PID 4316 wrote to memory of 2644	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	86
PID 4316 wrote to memory of 2644	4316	c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe	86
PID 2644 wrote to memory of 4180	2644	Logo1_.exe	88
PID 2644 wrote to memory of 4180	2644	Logo1_.exe	88
PID 2644 wrote to memory of 4180	2644	Logo1_.exe	88
PID 4180 wrote to memory of 3264	4180	net.exe	90
PID 4180 wrote to memory of 3264	4180	net.exe	90
PID 4180 wrote to memory of 3264	4180	net.exe	90
PID 2644 wrote to memory of 2428	2644	Logo1_.exe	92
PID 2644 wrote to memory of 2428	2644	Logo1_.exe	92
PID 2644 wrote to memory of 2428	2644	Logo1_.exe	92
PID 2428 wrote to memory of 4672	2428	net.exe	94
PID 2428 wrote to memory of 4672	2428	net.exe	94
PID 2428 wrote to memory of 4672	2428	net.exe	94
PID 2644 wrote to memory of 3340	2644	Logo1_.exe	56
PID 2644 wrote to memory of 3340	2644	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
  "C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a783D.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe
      "C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe"
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\StopClose.exe

Filesize
369KB

MD5
8f3121f45172d1d4f635eaa3c3e1145c

SHA1
2fedc1c587317eb8cb83eacc8c30e3bdb50284b4

SHA256
fb01af3a5bf1ef3e4a8363dac5dfbb57cd8bf58567c315ef6bc9d9ed71dc699b

SHA512
38eb092e6d07bd5bb33867b36c823c509783f1333519632dce8636bea240691c069b31be2dec1a4976c311586829d34e1b005193bccd7e4d6092c298341154a3

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
74f614352141ac4f78c3e59955ed2258

SHA1
179465d798ce029d20b16601530037ca9d87563f

SHA256
e33cff13b2b5307aaa06fc8f6d15ebe31eeb5ac6ad8d12b4b5c877eb34cca70c

SHA512
af736346b2a298b653dccc43a44d852001584bc22c5e00cb959246a0544044587e27ae3af6c253bf68b3dbe24a0badbe0bf55784f704d8e2f703afaed49ae6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a783D.bat

Filesize
722B

MD5
6ad8998563c57b7749da1b8a1a11778b

SHA1
1355b329dbeb8ec322424fb4846c19032a251963

SHA256
9e198de29da0d8eac7dd19aa9b9e43ae92148b3375fce234566baf7fb1f67f85

SHA512
f76869eb8758ed199f48dc5ba3773bc5676e47a5bf805707688735668661bff49ce3d4c7f5dce48995559a43935ee91c1fd72705a58bfb097ce1c4b48400253a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c20d58731ea9f8d62c0e7d5c47810d795e1342aa334d97ac0e9742218e29bc9e.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
228292b85e0720fbeee49799c069d347

SHA1
a987cdff2b93fa83d2b760ba1c92296494292a8e

SHA256
0c30eeac64ca154562874960504b7ec78c6548d25b44f218f36999de9550ac8b

SHA512
cb1563d487bd1bb8b1dd1dc1d9ad192d91b4a8c9b2970f5b5afda8b8c33b5dedb4a30f143f236a6379fe49f2a421e0644de9d957068f531da0afe651376491ec

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\_desktop.ini

Filesize
9B

MD5
9d7f3edb5e2cdb73e4fc8851e6ea812e

SHA1
080a9d7c6e3e34eeec65587e5727dc360fa82a1a

SHA256
cd2cd126bb370ff3cfc54d3031ca8d9639ca1c8e74a496cef6ed80723fa909b6

SHA512
07aa99922cb51be03779a4fe934dbed547ba23a19b9cfe05859dd87da95b1e54bf6bb7924bce3bcc2f8a29290d4c4703996f1e0d7837b233fd7da1374868632e

Download Submit
memory/2644-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-3547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-8714-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download