Analysis
- max time kernel: 150s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2024, 03:58

Static task: static1
Behavioral task: behavioral1
- Sample: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
- Resource: win7-20240903-en

The task list names a Windows 7 resource while the header above records the Windows 10 2004 x64 image; the signatures, process tree and dropped files below belong to the run described in the header.
General
- Target: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
- Size: 11.1MB
- MD5: ed123a2573e3e6086e7c3d6d6bc49950
- SHA1: 9f8bbf1891f17762b22e95c152328b759e57b1b4
- SHA256: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60
- SHA512: 10bc7e6134ed30b723f8b619d669ca5d98457e153d7e1b513cbd5e85cead25872ea28bc7ee0a0bd97bf0360b134ccb91569a4f11d839509840884874262fa24c
- SSDEEP: 98304:4b+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:y+kIGv3y/x+KTbfjJ+kdnAlejY
Malware Config
Signatures
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
  The file is _desktop.ini, the same marker Logo1_.exe writes into every directory it walks (see the Program Files IoCs below), not a Word template or add-in. Treat this hit as the marker write landing in a monitored path rather than as deliberate Office persistence.
- Executes dropped EXE (3 IoCs)
  - PID 1388: Logo1_.exe
  - PID 3144: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
  - PID 3456: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
  PIDs 3144 and 3456 run from the sample's own path, so the file at that path had been rewritten before it was launched again (see the process tree).
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature; it is the only one mapped to the Credential Access entries in the ATT&CK table below.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. Logo1_.exe opened the following drive roots read-only: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:.
  That is every letter from E through Z, so any removable or mapped volume present on a real host would be visited by the same traversal that writes _desktop.ini under Program Files.
- Drops file in Program Files directory (64 IoCs)
  All 64 are by Logo1_.exe. 61 are _desktop.ini marker files; the remaining three are existing executables opened for modification: C:\Program Files\Java\jdk-1.8\bin\jps.exe, C:\Program Files\Java\jdk-1.8\bin\javaws.exe and C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe. Together with the Package Cache installer in the Downloads section, this means executables on an affected host cannot be assumed intact; verify them against known-good hashes or their Authenticode signatures before trusting them.
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini
  - File created: C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini
  - File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini
  - File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini
  - File created: C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini
  - File created: C:\Program Files\Microsoft Office\root\fre\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jps.exe
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\_desktop.ini
  - File created: C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini
  - File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\eu-es\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini
  - File created: C:\Program Files\Windows Security\_desktop.ini
  - File created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\rundl132.exe (d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe)
  - File created: C:\Windows\Logo1_.exe (d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe)
  - File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  - File created: C:\Windows\Dll.dll (Logo1_.exe)
  The name rundl132.exe differs from the legitimate rundll32.exe only by a digit 1 in place of the second l, so a process or directory listing skimmed by eye will miss it; search for it by exact string.
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Logo1_.exe (1), net.exe (3), net1.exe (3), cmd.exe (1) and d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe (1).
  The net.exe, net1.exe and cmd.exe instances the sample spawned open the same key, so on its own this signature does not separate the sample from the system binaries it runs.
- Runs net.exe
  Three times in total (PIDs 4980, 1004 and 4596), each as net stop "Kingsoft AntiVirus Service"; see the process tree.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 hits come from PID 2560 (d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe) and PID 1388 (Logo1_.exe).
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 3144: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 3144: d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Each row gives the description, the writer process and the report's procid_target value; identical rows are collapsed with a count, and target process names are taken from the process tree below.
  - PID 2560 wrote to memory of 4980 (x3): d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe -> net.exe, procid_target 82
  - PID 4980 wrote to memory of 3344 (x3): net.exe -> net1.exe, procid_target 84
  - PID 2560 wrote to memory of 4848 (x3): d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe -> cmd.exe, procid_target 85
  - PID 2560 wrote to memory of 1388 (x3): d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe -> Logo1_.exe, procid_target 87
  - PID 1388 wrote to memory of 1004 (x3): Logo1_.exe -> net.exe, procid_target 88
  - PID 4848 wrote to memory of 3144 (x2): cmd.exe -> d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe, procid_target 90
  - PID 3144 wrote to memory of 3456 (x2): d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe -> d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe, procid_target 91
  - PID 1004 wrote to memory of 1152 (x3): net.exe -> net1.exe, procid_target 92
  - PID 1388 wrote to memory of 4596 (x3): Logo1_.exe -> net.exe, procid_target 93
  - PID 4596 wrote to memory of 4796 (x3): net.exe -> net1.exe, procid_target 95
  - PID 1388 wrote to memory of 3428 (x2): Logo1_.exe -> Explorer.EXE, procid_target 56
  Ten of the eleven pairs are a parent writing into a child it has just created, which CreateProcess does as part of normal process start-up. The exception is the last row: Logo1_.exe writes into Explorer.EXE (PID 3428), a process the sample did not create, which is the one to treat as cross-process injection when reviewing this report.
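The drops into C:\Windows, the net stop of an anti-virus service and the _desktop.ini fan-out recorded above can each be detected from endpoint telemetry without knowing the sample's hash. The following is an added example, not part of the Triage report, that runs three such rules over a handful of constructed Sysmon-style events modelled on this report's IoCs. The event field names (type, pid, image, path, cmdline), the two benign noise events and every AV_KEYWORDS entry other than "kingsoft" are assumptions.

```python
"""Detection rules for the behaviours this report records, run over
constructed Sysmon-style events. Added example, not Triage output; the
event schema (type/pid/image/path/cmdline) is an assumption."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"


def _fc(pid, image, path):
    return {"type": "file_create", "pid": pid, "image": image, "path": path}


def _proc(pid, image, cmdline):
    return {"type": "process", "pid": pid, "image": image, "cmdline": cmdline}


# Constructed events modelled on the report's IoCs, plus two benign ones.
EVENTS = [
    _fc(2560, SAMPLE, r"C:\Windows\rundl132.exe"),
    _fc(2560, SAMPLE, LOGO1),
    _proc(4980, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    _proc(1388, LOGO1, LOGO1),
    _fc(1388, LOGO1, r"C:\Windows\Dll.dll"),
    _fc(1388, LOGO1, r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"),
    _fc(1388, LOGO1, r"C:\Program Files\Windows Security\_desktop.ini"),
    _fc(1388, LOGO1, r"C:\Program Files\VideoLAN\VLC\locale\_desktop.ini"),
    _fc(1388, LOGO1, r"C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini"),
    _fc(1388, LOGO1, r"C:\Program Files\Microsoft Office\root\fre\_desktop.ini"),
    _fc(1388, LOGO1, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini"),
    # Benign noise (constructed) so the rules have something to ignore.
    _fc(900, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\Installer\1a2b.msi"),
    _proc(901, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
]

# Service-name fragments that identify security products. "kingsoft" is the
# name in this report; the others are assumed additions.
AV_KEYWORDS = ("antivirus", "anti-virus", "defender", "kingsoft", "security")
FANOUT_THRESHOLD = 5  # distinct directories before a same-named write is suspicious


def rule_exe_dropped_in_windows(events):
    """A process running from a user profile creates a PE directly in C:\\Windows."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        dst, src = PureWindowsPath(e["path"]), PureWindowsPath(e["image"])
        if (dst.parent == PureWindowsPath(r"C:\Windows")
                and dst.suffix.lower() in (".exe", ".dll")
                and PureWindowsPath(r"C:\Users") in src.parents):
            hits.append((e["pid"], str(dst)))
    return hits


def rule_av_service_stop(events):
    """net.exe / net1.exe asked to stop a service whose name looks like an AV product."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        if PureWindowsPath(e["image"]).name.lower() not in ("net.exe", "net1.exe"):
            continue
        m = re.search(r'\bstop\s+"?(.+?)"?\s*$', e["cmdline"], re.I)
        if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
            hits.append((e["pid"], m.group(1)))
    return hits


def rule_marker_fanout(events, threshold=FANOUT_THRESHOLD):
    """One process writes a file of the same name into many distinct directories."""
    dirs = defaultdict(set)
    for e in events:
        if e["type"] == "file_create":
            p = PureWindowsPath(e["path"])
            dirs[(e["pid"], p.name.lower())].add(str(p.parent).lower())
    return [(pid, name, len(d)) for (pid, name), d in dirs.items() if len(d) >= threshold]


def run_all(events=EVENTS):
    return {
        "exe_dropped_in_windows": rule_exe_dropped_in_windows(events),
        "av_service_stop": rule_av_service_stop(events),
        "marker_fanout": rule_marker_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

The fan-out rule is the one that survives renaming: the two executables in C:\Windows and the service name can change between builds, but a file-walking routine that leaves the same marker in dozens of directories is visible in any file-creation telemetry regardless of what the marker is called.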
Processes
- C:\Windows\Explorer.EXE (PID 3428)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe (PID 2560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4980)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3344)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 4848)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E48.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe (PID 3144)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe"
        Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe (PID 3456)
          Command line: "C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe" --type=collab-renderer --proc=3144
          Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 1388)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 1004)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1152)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 4596)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4796)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery

Reading the tree: the first instance of the sample (PID 2560) drops Logo1_.exe and rundl132.exe into C:\Windows, tries to stop the Kingsoft AntiVirus service, launches Logo1_.exe, and hands off to a batch file in its own Temp directory. The batch file relaunches the sample's own path (PID 3144), and the sandbox flags that launch as a dropped executable, so the file at that path was rewritten before the relaunch; the Downloads section lists an 11.0MB file at the same path with .exe.exe appended, against the 11.1MB submitted sample. The relaunched copy behaves differently from the first: it spawns a --type=collab-renderer child and touches the shell tray window, and none of the drop or service-stop behaviour recurs under it. Logo1_.exe repeats the service stop twice, writes _desktop.ini across Program Files and every drive letter from E to Z, and is the writer in the memory write into Explorer.EXE (PID 3428) recorded under WriteProcessMemory. All helpers resolve to C:\Windows\SysWOW64 even though they were invoked as C:\Windows\system32\..., which is WOW64 file-system redirection: the sample is a 32-bit executable running on the x64 image (resource tag arch:x86).
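Added example, not from the report: rebuild the tree from the WriteProcessMemory descriptions in the Signatures section, using the parent/child relationships shown in the process tree above, and separate the writes a parent makes into a child it has just created from the one write into a process the writer did not create. The description strings and PIDs are copied from this report; the PROCESSES table encodes the tree as drawn above.

```python
"""Rebuild the process tree from this report's WriteProcessMemory IoCs and
flag writes into processes the writer did not create. Added example; the
IoC descriptions and the parent/child table are taken from the report."""
import re
from collections import defaultdict

SAMPLE = "d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe"

# pid -> (image name, parent pid), as drawn in the report's Processes section.
PROCESSES = {
    3428: ("Explorer.EXE", None),
    2560: (SAMPLE, 3428),
    4980: ("net.exe", 2560), 3344: ("net1.exe", 4980),
    4848: ("cmd.exe", 2560), 3144: (SAMPLE, 4848), 3456: (SAMPLE, 3144),
    1388: ("Logo1_.exe", 2560),
    1004: ("net.exe", 1388), 1152: ("net1.exe", 1004),
    4596: ("net.exe", 1388), 4796: ("net1.exe", 4596),
}

# The 30 WriteProcessMemory descriptions as the report prints them (one per IoC row).
WPM_IOCS = (
    ["PID 2560 wrote to memory of 4980"] * 3
    + ["PID 4980 wrote to memory of 3344"] * 3
    + ["PID 2560 wrote to memory of 4848"] * 3
    + ["PID 2560 wrote to memory of 1388"] * 3
    + ["PID 1388 wrote to memory of 1004"] * 3
    + ["PID 4848 wrote to memory of 3144"] * 2
    + ["PID 3144 wrote to memory of 3456"] * 2
    + ["PID 1004 wrote to memory of 1152"] * 3
    + ["PID 1388 wrote to memory of 4596"] * 3
    + ["PID 4596 wrote to memory of 4796"] * 3
    + ["PID 1388 wrote to memory of 3428"] * 2
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(lines):
    """Return {(writer_pid, target_pid): count} from the report's description strings."""
    pairs = defaultdict(int)
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(pairs)


def classify(pairs, processes=PROCESSES):
    """Split writes into 'child' (writer is the target's parent, the normal
    CreateProcess pattern) and 'foreign' (the target is not the writer's child)."""
    child, foreign = [], []
    for writer, target in pairs:
        parent = processes.get(target, (None, None))[1]
        (child if parent == writer else foreign).append((writer, target))
    return child, foreign


def render_tree(processes=PROCESSES, root=None, depth=0):
    """Indented text tree; siblings are ordered by pid."""
    lines = []
    for pid, (image, parent) in sorted(processes.items()):
        if parent == root:
            lines.append("  " * depth + f"{image} (PID {pid})")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


def describe(writer, target, processes=PROCESSES):
    return f"{processes[writer][0]} (PID {writer}) -> {processes[target][0]} (PID {target})"


if __name__ == "__main__":
    print("\n".join(render_tree()))
    child, foreign = classify(parse_wpm(WPM_IOCS))
    for w, t in foreign:
        print("write into a process the writer did not create:", describe(w, t))
```

The same split applies to real endpoint telemetry: a WriteProcessMemory (or Sysmon event 8/10 CreateRemoteThread and process access) record whose target is the writer's own freshly created child is background noise, while a target the writer has no lineage to is what an analyst should pull the memory of first.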
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (1): Credentials In Files (1)
Downloads
- (path not shown), 584KB
  - MD5: 67d7e6cf7aed74f7691c574b384a136d
  - SHA1: dbe1104bc4730caa943d97162a5c1ac66c80dace
  - SHA256: d36e5d6ac949eafddcab2ac72b37e21c643cbc651bd17eb68b4826eb37662817
  - SHA512: 54a55205d5d7c9cef943fbe4e75ae503a3266c3a35cdacb70d9cb273c04e436152abfce3a39ad9e8f3cbcb826b12792554faebada33166d3af24cfe85a3db33f
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe, 650KB
  - MD5: 278994ea44c90109b34535a2f167ee27
  - SHA1: c035d1606ce9f8dbfea2906995ec5ab678f99b05
  - SHA256: c42840f9fc85f325582af1db90179974d80e3879364da16e2ac26c16addb5955
  - SHA512: 3a990679ffe6446dd11e0b2a8fd4d0273d4e8ace61280d5a02970a33cbcceb072fd52d5c3712c5b8edcc314152f9b2069835a53f7a7857a00659c68bee0ea051
- (path not shown), 722B
  - MD5: 246f7ee8e931897525f51aba87c26661
  - SHA1: ca9255103036843b69c78e4469089612a6fe3fbc
  - SHA256: bf138546639eac7648628fc4a8934ca71ab9620b197a32fe6a3490f74d73ca81
  - SHA512: 1d118e3b76324bf2e826cf1aa7e3573361d92c9e9e45dd674c8c7079f591d490753f778465f07c46284be759e965265ff8db5a72cd1fed91dddbae6d2318cd86
- C:\Users\Admin\AppData\Local\Temp\d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60.exe.exe, 11.0MB
  - MD5: b45b7bd6eb92c5b65378d8d0a0964747
  - SHA1: 5ca6f198ac83c90496110259b57ff4a5f47b64bb
  - SHA256: 5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0
  - SHA512: bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708
- (path not shown), 40KB
  - MD5: 9ae17c14a91b8bdf6a83ef198fdbd729
  - SHA1: 00f7e10bdea77650c2dfb5e94cf2b5a45e660cef
  - SHA256: d8d5c4b344590da9b3932b357a251794c8bde0c995f69dcf822f320c425f9c46
  - SHA512: 6a0cd4e6112e343dac34eab21833589f59719de05e3ee9f807f831a9b27cc4cf23c9b7a5cfda455f305389322228d719caefd32d17609bd1a9016f1e4751ad0b
- (path not shown), 9B
  - MD5: b8eb46e1bdf11b43e775bc46642c7950
  - SHA1: 1c08b422249f0a0fa1d7d2c3946f6aaa8b669da5
  - SHA256: 1760d532341817f2887d51e6a9b5fcc53a69eb75e3591356c5b25c40d6b04f60
  - SHA512: d947832ba4e2593b7d04760d9e285d10021b0dcf3040fa0aeb82cde089afaf6384865d482ac9acd6ae5473d57e79b8d242254b6372f7d759cd00e95fe339c37c

Two entries deserve a second look on any affected host. An executable under the system's Package Cache (windowsdesktop-runtime-8.0.2-win-x64.exe) appears in the list of files the sample wrote, so compare it against a known-good copy of that installer rather than assuming it is intact. The 11.0MB file next to the sample, named with .exe.exe appended, is 0.1MB smaller than the 11.1MB submission and sits at the path the batch file relaunched, which is consistent with the sample's own path having been replaced before PID 3144 started.
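Added example, not part of the report: a triage script that checks a system drive (or a mounted image) for the three files written to C:\Windows, for _desktop.ini markers under Program Files and the Word STARTUP folder of every profile, and for executables in the Windows directory whose SHA-256 matches one of the hashes listed on this page. The demo() helper lays out a constructed directory tree with stand-in files so the script can be exercised offline; the stand-in contents, the 64MB hashing cap and the choice to hash only files directly in the Windows directory are assumptions.

```python
"""Host triage for the artifacts this report lists. Added example, not part
of the Triage report; point it at a system drive or a mounted image."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 of the submitted sample and of every file listed under Downloads.
REPORT_SHA256 = {
    "d3fb9e376020fafcb32c23aa3bf24f477139b0a3975ebd9f0230f984b76bac60",
    "d36e5d6ac949eafddcab2ac72b37e21c643cbc651bd17eb68b4826eb37662817",
    "c42840f9fc85f325582af1db90179974d80e3879364da16e2ac26c16addb5955",
    "bf138546639eac7648628fc4a8934ca71ab9620b197a32fe6a3490f74d73ca81",
    "5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0",
    "d8d5c4b344590da9b3932b357a251794c8bde0c995f69dcf822f320c425f9c46",
    "1760d532341817f2887d51e6a9b5fcc53a69eb75e3591356c5b25c40d6b04f60",
}
WINDOWS_DROPS = ("Logo1_.exe", "rundl132.exe", "Dll.dll")  # written directly to C:\Windows
MARKER = "_desktop.ini"  # written into every directory Logo1_.exe traverses


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known_hashes=REPORT_SHA256, max_hash_size=64 << 20):
    """Return root-relative paths of the Windows-directory drops, of marker
    files under Program Files* and Word STARTUP folders, and of PE files in the
    Windows directory whose SHA-256 is in known_hashes."""
    root = Path(root)
    windows = root / "Windows"

    def rel(p):
        return p.relative_to(root).as_posix()

    found = {"windows_drops": [], "markers": [], "hash_matches": []}
    for name in WINDOWS_DROPS:
        if (windows / name).is_file():
            found["windows_drops"].append(rel(windows / name))
    scan_roots = [d for d in root.glob("Program Files*") if d.is_dir()]
    scan_roots += [d for d in root.glob("Users/*/AppData/Roaming/Microsoft/Word/STARTUP") if d.is_dir()]
    for base in scan_roots:
        found["markers"] += sorted(rel(p) for p in base.rglob(MARKER) if p.is_file())
    if windows.is_dir():
        for p in sorted(windows.iterdir()):
            if p.is_file() and p.suffix.lower() in (".exe", ".dll") and p.stat().st_size <= max_hash_size:
                digest = sha256_file(p)
                if digest in known_hashes:
                    found["hash_matches"].append((rel(p), digest))
    return found


def build_constructed_image(base):
    """Lay out a constructed mini system drive mirroring the report's IoCs
    (stand-in bytes, not real malware) and return the SHA-256 of its fake Logo1_.exe."""
    base = Path(base)
    (base / "Windows").mkdir()
    logo_body = b"constructed stand-in for Logo1_.exe"
    (base / "Windows" / "Logo1_.exe").write_bytes(logo_body)
    (base / "Windows" / "rundl132.exe").write_bytes(b"constructed stand-in for rundl132.exe")
    (base / "Windows" / "notepad.exe").write_bytes(b"benign placeholder")
    for d in (
        "Program Files/VideoLAN/VLC/locale",
        "Program Files (x86)/Adobe/Acrobat Reader DC/Reader/plug_ins3d",
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP",
    ):
        (base / d).mkdir(parents=True)
        (base / d / MARKER).write_bytes(b"[.ShellClassInfo]")
    return hashlib.sha256(logo_body).hexdigest()


def demo():
    """Triage the constructed image twice: with the fake Logo1_.exe hash added
    to the known set, and with only the hashes from the report."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = build_constructed_image(tmp)
        return triage(tmp, REPORT_SHA256 | {fake}), triage(tmp), fake


if __name__ == "__main__":
    import sys
    report = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()[0]
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run it as python triage.py C:\ on a live host or python triage.py /mnt/image on a mounted disk; with no argument it runs against the constructed tree. A hash match on a file in the Windows directory ties the host to this exact build, while the marker count and the three drop names catch rebuilt variants that the hashes would miss.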