9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 09:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
Size

1.3MB
MD5

1bbf95a7df851e922b359f8b27b12a48
SHA1

8b1fd38c50ccadb7af35b6d00dd5ab47285808d7
SHA256

9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14
SHA512

6f0700adcf29422f56fb895e2b4bef25b3b00883db242af0e7e245425462e08c008b1fa79be4531534f6041b3266655f02ed35553305f4683fa3db8cf24a359f
SSDEEP

24576:e3NYUR5kbjnCciOinOjLldsBjt8t2R8jpfZIg4mw6Ns/pZmBZOlnLyAuvTkM0XMA:edYGILDcO/fsBmLjRw6qpZmBZWyLaXMA

Score

8^/10

defense_evasion discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
220	Logo1_.exe
4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
2020	msninst.exe

Loads dropped DLL 1 IoCs

pid	Process
4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
4364	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\rsod\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
File created	C:\Windows\Logo1_.exe	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe
220	Logo1_.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 5000	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	85
PID 4100 wrote to memory of 5000	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	85
PID 4100 wrote to memory of 5000	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	85
PID 5000 wrote to memory of 3512	5000	net.exe	87
PID 5000 wrote to memory of 3512	5000	net.exe	87
PID 5000 wrote to memory of 3512	5000	net.exe	87
PID 4100 wrote to memory of 1692	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	89
PID 4100 wrote to memory of 1692	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	89
PID 4100 wrote to memory of 1692	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	89
PID 4100 wrote to memory of 220	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	90
PID 4100 wrote to memory of 220	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	90
PID 4100 wrote to memory of 220	4100	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	90
PID 220 wrote to memory of 3044	220	Logo1_.exe	92
PID 220 wrote to memory of 3044	220	Logo1_.exe	92
PID 220 wrote to memory of 3044	220	Logo1_.exe	92
PID 3044 wrote to memory of 1912	3044	net.exe	94
PID 3044 wrote to memory of 1912	3044	net.exe	94
PID 3044 wrote to memory of 1912	3044	net.exe	94
PID 1692 wrote to memory of 4344	1692	cmd.exe	95
PID 1692 wrote to memory of 4344	1692	cmd.exe	95
PID 1692 wrote to memory of 4344	1692	cmd.exe	95
PID 4344 wrote to memory of 4364	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	96
PID 4344 wrote to memory of 4364	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	96
PID 4344 wrote to memory of 4364	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	96
PID 4344 wrote to memory of 2020	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	97
PID 4344 wrote to memory of 2020	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	97
PID 4344 wrote to memory of 2020	4344	9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe	97
PID 220 wrote to memory of 3176	220	Logo1_.exe	98
PID 220 wrote to memory of 3176	220	Logo1_.exe	98
PID 220 wrote to memory of 3176	220	Logo1_.exe	98
PID 3176 wrote to memory of 4380	3176	net.exe	100
PID 3176 wrote to memory of 4380	3176	net.exe	100
PID 3176 wrote to memory of 4380	3176	net.exe	100
PID 220 wrote to memory of 3392	220	Logo1_.exe	56
PID 220 wrote to memory of 3392	220	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
  "C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9913.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe
      "C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe advpack.dll,LaunchINFSection campaign.inf,DefaultInstall
        5⤵
        System Binary Proxy Execution: Rundll32
        System Location Discovery: System Language Discovery
        
        PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe /Action:Wait
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
251KB

MD5
2d56e4b7161799316f610019b017cb57

SHA1
99fa812e5baa286a11bcbfe7eb9ae5ad09c8578b

SHA256
966aaa0286885db2b7414602b75e0dc4258f38c75709a69cb367b7ce331346cb

SHA512
e4e88137680b4197166aa5c33f919f9a7bced3dbd9f47eaee16155b00eb30e79eaa44a49319604fc8c35305b5c5f4b3e64947f522597d5bd831f74f0668cd0be

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
8b760c359c606c6af57d9818a4577f2d

SHA1
fe32e3930d9afb7039fff83e90b590934984f82a

SHA256
c36af7076f56439314ad93f3d40d10d7b0537d85e4416f8d1fb19209a49573e7

SHA512
f577cbdbeadd9a4f7ac5bb5ad4075793b4aff99186771fb694538ed0000da2ee1b694df1353fec49cd5687b447472cec33956ac083c415daf780f5022500f86d

Download Submit
C:\Program Files\MSN\MsnInstaller\msninst.exe

Filesize
163KB

MD5
2485015258c469ddc4ab3ccda98cc9f5

SHA1
17e854ad716472693a74e925828036ac763c1759

SHA256
90d847548781ffc10fbc80ca36ae6ffa1116bf747f31623cc23cb94207953eac

SHA512
3ae2ab11e8ef4db45e9225ac2cedd5b30d01d777339f7a79d5f35e5bd1eb2c698313eabbe78e7a7c5624a81578a7b3d2a61b79f0d756538bc556dd87fc696397

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
51c1eb02821359551eae62ff451ccbb4

SHA1
917e11eb8a26a033a330a9cee5c5207d0da1109a

SHA256
9afbb3fd781ea931d8bc856c768fe7af7e440e9f7a29950b5dca44593f0ef04f

SHA512
062f0c32d3d9b46fc670512a818c88919bcc90a2f7f5bd4910f917a96c42527fd6c28117c366cb66cd6bfa3ec64f5a43aadcaa4bdad01c8d45eb2bfe2c85f5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9913.bat

Filesize
722B

MD5
6247936c31f159236ec683715ee00665

SHA1
75d912ff0e1390646f2f3df86cd04013935bc989

SHA256
ad5f8266e369b9b79ada80d3461e0ba32c6edb31e5a39d1f29aae02e445e3bb8

SHA512
83b401d549f6c866e4fd345780c2966135fb1cdbae30deb460d38191eb6912e37c74e80ad751c25f0e788dd4d78e787445824277515f387bbca873d2804d2b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dccc37950a931f71fa882637bae0a24433ed442735041a34aae64180390ea14.exe.exe

Filesize
1.3MB

MD5
14a1e5a8cfef5f18b96540c1fb52ccb2

SHA1
5a0014e4a255c8be2fe3548bb32767bb05408ff0

SHA256
4ecd3f8b60c60870cdd67abf319b373c3438bb7bceac46209b2c87bd5e73a3f6

SHA512
dc5113345692c1d6ad46fcade300d0e69613e37c6ff5a1cc5cf83bda2a5605f24890de89c22d218d319d9145dcddb37c4c50fcfd7e1cabd3750f18e9a4ce9096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
90KB

MD5
0ac28de5e930e8a52ad6b163c5473412

SHA1
25371c9d876959cb58b50c25ad709cf98dde45bb

SHA256
06eed244d89f6e15205d5beb8085ac33c0de486dfe30eec9fb73b91de07e5f62

SHA512
c2c82449927cac953668142a3f597c06626b0b3a26e8036de34e4ca1042a572fa3befa799d43fb24a1d23c821b5ed7994e3d211b6aaced15ba31d4639e96d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MsnInst.dll

Filesize
244KB

MD5
8d26ec464de935561c221407c40cd4ac

SHA1
d7a729baa54a2aa8de08e0fe478c5c07cc490e55

SHA256
30714be137b7b648b0c3aa2a7410467289b53a8e2601f8c208a3613e1d31d0f0

SHA512
7d92bf3527c896b48f1e14e318fe086276cbd271b1d212965c87a75ad4ad4560c9e48d58f5138599695489bd3d759c577bedd4e9d7413522c7a16219dfb21de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\campaign.inf

Filesize
1KB

MD5
c4fb756abc97776beeb4ffa65303c843

SHA1
12b4e5c25a718020086608b72bf96b5bb513f8ed

SHA256
80ed31ae5890469ee38fe7b950149e2f488344d892f1ef5ac3dc3e7ff3de2d6c

SHA512
7695f79d44eb84fc08b2b7d8911916661db5ac4dbef91e77c9730ba84c576a1474cbcf18d9f155cd9ae2e74a0a33c88ed413c662a598dc045e1a6d246821be1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iasvcstb.dll

Filesize
26KB

MD5
de63b3678f314fd74da0cf343c5860ae

SHA1
389bc0a0004feec9b089f993b1f9084716874b44

SHA256
ace81690c98cb396758dc016a76b77706924dd3a8598b3a0492bc12edb9af153

SHA512
43d63cdfcb5d2d96df0d0715ce24fdeed4fb8ef7e4530a640b5472c444a57e2045c3ef044a1f0c693c40d5c8d40eee4263010895d6c3b9101bd08c60baa76710

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.mar

Filesize
516KB

MD5
9229c34063391d37c7643ba38b5c4f09

SHA1
512b0b599b92fdcd35fc9571713947dd5978592f

SHA256
2143c7a5aa2f9d321fbd902d80ac43f4fe9c684d2e5a55fbc686820e06261d9f

SHA512
96847f62f94b2527ee03ae4699f219e1a1575190f622d98aee83c48a92839c49c188bf005b46bae49232376b59b39b5397d3569c64559def85b98582d1e00c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdbxi.dll

Filesize
82KB

MD5
d44eb3849bd5bab21356a41a94c8f868

SHA1
88273eb0af7657655df71d608fe93734b112559a

SHA256
2c2b10bb87662d1d61916784106a82cff510add0972112a9a14c03927b2d0846

SHA512
d8d9f5ad1de64b584dc06cf683f8b83b2af99c57768898ed7b627c3ee9fbe13b17e7166e556378806026e7b2d21e1a299431044bac6e7125f0f090b7a26d3a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnihc.mar

Filesize
21KB

MD5
64ec522096f2fd6f6258745e72215d8f

SHA1
471fc3fd3728b649beb4f4a8e4010f48846b834c

SHA256
65118f920c6912e6a7dc6325698570fc7fa79beeb64d6204e6ca93f68ae0f692

SHA512
691bd4e9016d97a87ac974d2ea8a6d6fd62bb3de6bceb257dad59df3a27c8d67b4b9524572a3ab9e9dd09c667a75e4a809fa83c2335900d58255edface015c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnilc.dll

Filesize
31KB

MD5
82836e35011754a1738b25c4904e1137

SHA1
79e7b001ac214d9551562f8a1f4883b441a59502

SHA256
3f0e18479c7f8f75045d88605bbfa290663092464816739080b21b02d61f2588

SHA512
66aaef095440129d79c858e362241bd63f64a8074a08cadda37835ae91399bc490c490278bf51e84be1b7f427f8a11a2a20f97f6c969d431962f8719d1bcaeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msninst.exe

Filesize
129KB

MD5
c8e284efba3b50c9216dbe552d24f5b0

SHA1
c76b65dd211e03a2a53f57d87cc90df61b0ab10f

SHA256
66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a

SHA512
42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnitd.mar

Filesize
62KB

MD5
1ecf3b523c89ba2eb75c5ad8af347ebe

SHA1
d890967ddd05585c742d2ef18e4b0c5795db1334

SHA256
35f135fd9c04cdaf78bad191872cc1aa9cc38056f7c76ba29f0669be9e07210d

SHA512
5fb8ca6245a033b12f234960223e146e743ccae7af73ecacb1a7d3826db656219f78242d49b5ee6d51cd5ae6f178b10c27ba3f6d6cdd9336590e4b1ccb5ad065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnms.ico

Filesize
24KB

MD5
bca0ee599ffc56c533585e9026b3b58c

SHA1
ae5849eac5db2a69f09350fb455d50f16774290e

SHA256
090ee05cef8113594959c4ba3d992eb1e5d2effb7f71ba8854adee27b8b6cf95

SHA512
5f7384af5a527f6cba3e8f04b5ab9314f1e8abbcbe4a3b57d2c8fa9939f926e8f7d64529dabd3912b1e41a95671ec4504f6a9c9ad341ef8e455371997863f2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsign.dll

Filesize
746KB

MD5
ffb0a9a7208b773c1fd469bec18a9185

SHA1
26a15559f6139eab67b76446f36d2ebdb87e569c

SHA256
ccec6240c7a188e55156476d1bfcd06722c36bd7555f28845d747493529093d5

SHA512
9a019efb4d62f24ef979102e889c7aed6f49d213dbc362990ea2af8ec5957687e887883c234ee1026ebd20b4095209dfffa62da5f998d8ba0d29e75ed0a77bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnsusi.inf

Filesize
5KB

MD5
9433366f4264f97cd01e7b29bb00bd94

SHA1
b064e88c8030cc986ac59c690e7eabc889541ce4

SHA256
581a7e5bcf20a47f55e980b3b35e3881d72bb8c65f380857831906c9e6e332fd

SHA512
aae48f610cdf02e30527a02ac83891505683e42ad5131029a18a4b1076912b10ddacee499ffecf5b24f95facb174afb920eb3de7ee4559a0250b0686da64404f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unicows.dll

Filesize
239KB

MD5
e1102cedf0c818984c2aca2a666d4c5f

SHA1
d8d88ea7083aee9c40f6fdc6c56451a018d21a83

SHA256
22f23cc65698741184ec34f46e6f69717644e0b5aabf5d5bd015101f2d72e56e

SHA512
e58b35815801d6d3797f95c986834d2ca5450ccc3f1fa1d27d127a8d1d36f8e21279173715a00686c9c831d22d7c5b5b9cc5874170223a4d78f09c4eefa390a2

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
e208f6af1dc1a3edd66c624e077cec40

SHA1
bea784e13ccc99e7c57f3d0da9fabce84490f096

SHA256
03786976836eba0a156710c1cf4a214a7d41f3cff15720c68e9f7802b988bec6

SHA512
37b21ab071472f5b51b36dbd71b04e307bafd576d50eaba91540aae737f3fcf5741ccce975b5386a9438e6c4d9ae5039681e821511b50534b37fdc8220bf6707

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\_desktop.ini

Filesize
10B

MD5
dce9bef24921d1fb94c029be04b911db

SHA1
d5ff43d520d5df3ee58c947db0b2ac3a039667b6

SHA256
c09fceb912fc9cf0f284d9d24ab0029af67d3a3bf08b81d9c0d8a7681b82c157

SHA512
cefdb984819b6b058b8d7747c2a9a74c94f6acf2728e884520154f2ffe42776f19b5a5b22b43b61acbb679acefb8489318c7be92e360a3b239ffaae445d6d97b

Download Submit
memory/220-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-3535-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-9061-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download