Analysis
max time kernel: 149s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 07:23
Static task: static1
Behavioral task: behavioral1
Sample: 4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe
Resource: win7-20241010-en
General
Target: 4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe
Size: 69KB
MD5: 2feb676c5f153761ef3769e1d9747c6b
SHA1: 41c88ca92198c8f54dc7b3c6af6bed0076561558
SHA256: 4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc
SHA512: eb16f6cb4e89214df38cc30f37c9ca2361ebab150df3fd0be75eef52369d56dda3dce176fa1517817763967b179952068e34fe89043fedfea424c7e36cadb92c
SSDEEP: 1536:8qGKFe+Zk7VJbwlYXjPrsqrZMYR5p8wZq9khDRGadegghOgmgk:85Ye+azbRPrlr9RXFI9k9dehhOgo
Malware Config
Signatures
-
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
-
Executes dropped EXE (2 IoCs)
  PID 3276: Logo1_.exe
  PID 4008: 4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe
-
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\U:  (Logo1_.exe)
  File opened (read-only): \??\T:  (Logo1_.exe)
  File opened (read-only): \??\M:  (Logo1_.exe)
  File opened (read-only): \??\J:  (Logo1_.exe)
  File opened (read-only): \??\Y:  (Logo1_.exe)
  File opened (read-only): \??\X:  (Logo1_.exe)
  File opened (read-only): \??\V:  (Logo1_.exe)
  File opened (read-only): \??\O:  (Logo1_.exe)
  File opened (read-only): \??\K:  (Logo1_.exe)
  File opened (read-only): \??\I:  (Logo1_.exe)
  File opened (read-only): \??\H:  (Logo1_.exe)
  File opened (read-only): \??\S:  (Logo1_.exe)
  File opened (read-only): \??\R:  (Logo1_.exe)
  File opened (read-only): \??\Q:  (Logo1_.exe)
  File opened (read-only): \??\G:  (Logo1_.exe)
  File opened (read-only): \??\P:  (Logo1_.exe)
  File opened (read-only): \??\N:  (Logo1_.exe)
  File opened (read-only): \??\L:  (Logo1_.exe)
  File opened (read-only): \??\Z:  (Logo1_.exe)
  File opened (read-only): \??\W:  (Logo1_.exe)
  File opened (read-only): \??\E:  (Logo1_.exe)
-
Drops file in Program Files directory (64 IoCs)
-
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe  (4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe)
  File created: C:\Windows\Logo1_.exe  (4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe)
  File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
  File created: C:\Windows\Dll.dll  (Logo1_.exe)
-
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Logo1_.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (net.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
-
Suspicious use of WriteProcessMemory (29 IoCs)
Processes

[1] C:\Windows\Explorer.EXE  (PID 3432)
    Command line: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe  (PID 2068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\net.exe  (PID 896)
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net1.exe  (PID 4148)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 3444)
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB287.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe  (PID 4008)
          Command line: "C:\Users\Admin\AppData\Local\Temp\4930e47c1bdf1e07c1693f1d61888d894c5b6dd2a362de4b1a87219bdeda3cbc.exe"
          - Executes dropped EXE

    [3] C:\Windows\Logo1_.exe  (PID 3276)
        Command line: C:\Windows\Logo1_.exe
        - Drops startup file
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net.exe  (PID 4052)
          Command line: net stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\net1.exe  (PID 2280)
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery

      [4] C:\Windows\SysWOW64\net.exe  (PID 3572)
          Command line: net stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\net1.exe  (PID 5028)
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)