0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
Size

577KB
MD5

2594548b32cc51cf2f9d32033cbff157
SHA1

0a2f78755c0fe25d1729d1bc38be80617aa16e38
SHA256

0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c
SHA512

7a5a798b2166a4f7ecf1b12efc0dfb536694255fa1aa8fb5779b7adb21a15d01865a230752a0ef5804a52101bac654c9c0ac8ae223d834509a67a11cdcb03f69
SSDEEP

6144:Z13TE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:Z13A7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1080	Logo1_.exe
4616	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
File created	C:\Windows\Logo1_.exe	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe
1080	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 3608	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	84
PID 2352 wrote to memory of 3608	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	84
PID 2352 wrote to memory of 3608	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	84
PID 3608 wrote to memory of 1944	3608	net.exe	86
PID 3608 wrote to memory of 1944	3608	net.exe	86
PID 3608 wrote to memory of 1944	3608	net.exe	86
PID 2352 wrote to memory of 1392	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	90
PID 2352 wrote to memory of 1392	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	90
PID 2352 wrote to memory of 1392	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	90
PID 2352 wrote to memory of 1080	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	91
PID 2352 wrote to memory of 1080	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	91
PID 2352 wrote to memory of 1080	2352	0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe	91
PID 1080 wrote to memory of 3752	1080	Logo1_.exe	93
PID 1080 wrote to memory of 3752	1080	Logo1_.exe	93
PID 1080 wrote to memory of 3752	1080	Logo1_.exe	93
PID 3752 wrote to memory of 2308	3752	net.exe	95
PID 3752 wrote to memory of 2308	3752	net.exe	95
PID 3752 wrote to memory of 2308	3752	net.exe	95
PID 1392 wrote to memory of 4616	1392	cmd.exe	96
PID 1392 wrote to memory of 4616	1392	cmd.exe	96
PID 1080 wrote to memory of 648	1080	Logo1_.exe	97
PID 1080 wrote to memory of 648	1080	Logo1_.exe	97
PID 1080 wrote to memory of 648	1080	Logo1_.exe	97
PID 648 wrote to memory of 1592	648	net.exe	99
PID 648 wrote to memory of 1592	648	net.exe	99
PID 648 wrote to memory of 1592	648	net.exe	99
PID 1080 wrote to memory of 3408	1080	Logo1_.exe	55
PID 1080 wrote to memory of 3408	1080	Logo1_.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
  "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB34.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
      "C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"
      4⤵
      Executes dropped EXE
      PID:4616
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\OutCompress.exe

Filesize
648KB

MD5
9cf7b07dd06628796ff4e62fb9045745

SHA1
0bf672cd5d15e03dc0825573de2a664691f6157d

SHA256
1d0318fb8c24be5255c342d956996c5dd60d9f9a4e34456db4ef9c13731b6338

SHA512
fa5f74279d4090242a472b27436ef77a7da59141479c22a1714389d490dc6fe550cc227903360caf9951407fb6e9ff27102b797b6ed3a7b158710bf745936c9c

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
d986668b051bea5787f946062c7b130b

SHA1
5bbc40ce89577fa48bfc3035ff79cd79fd2da41f

SHA256
fed2637beb19ec4b49c608e95b97cec22c1b1ac48b7c69401d0de845f7625d46

SHA512
d64420bb532d70433bb76db7d91968c517f89e05946c3f6c7a561afebb9764b0af74be1667d9aefc4563f7cb8c1551f81f479f17bcc9315d80ae2c3134759a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAB34.bat

Filesize
722B

MD5
e885aee87b69cacf0df85d8a6bba75b0

SHA1
57697be1e72ec58e02576753a88a5ab534c1668f

SHA256
b9303b9bb3ff0282c798f142230fc8794ef4cf590351bbd933f202113e465542

SHA512
9a2b7cfdec3f052894351362f3bc2f6204d41dc41462264d85768ec7bcea08871f9b2b4d2f115ab02ade14ed4e34940b48ec081355ffb6b26621eab4c0689cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
828e2b4217fa5d1af64ed5e53cc9c32f

SHA1
c4c9897302233cb01f5297a474273b9fc3dfe8b0

SHA256
dab472637885b769458d9bca73a6d7d43708337a651658029b6be881c0770123

SHA512
577324c9ff48421ce990fe851c0c0ae772cff4456c8a2afcbb9cdc4ab33921a6135f3a18599c8302277ca419a6897859544765ac6496519c3a998190b00c78e2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

Filesize
10B

MD5
2c51e5c30f050245287a14eb60e30d30

SHA1
b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e

SHA256
9310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88

SHA512
fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5

Download Submit
memory/1080-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-2699-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-8916-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2352-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2352-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download