Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/10/2024, 00:13 UTC
Static task
static1
Behavioral task
behavioral1
Sample
0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
Resource
win7-20241010-en
General
-
Target
0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe
-
Size
577KB
-
MD5
2594548b32cc51cf2f9d32033cbff157
-
SHA1
0a2f78755c0fe25d1729d1bc38be80617aa16e38
-
SHA256
0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c
-
SHA512
7a5a798b2166a4f7ecf1b12efc0dfb536694255fa1aa8fb5779b7adb21a15d01865a230752a0ef5804a52101bac654c9c0ac8ae223d834509a67a11cdcb03f69
-
SSDEEP
6144:Z13TE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:Z13A7a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
pid Process 1080 Logo1_.exe 4616 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files\Mozilla Firefox\fonts\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Defender\fr-FR\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe File created C:\Windows\rundl132.exe 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe File created C:\Windows\Logo1_.exe 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe 1080 Logo1_.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2352 wrote to memory of 3608 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 84 PID 2352 wrote to memory of 3608 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 84 PID 2352 wrote to memory of 3608 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 84 PID 3608 wrote to memory of 1944 3608 net.exe 86 PID 3608 wrote to memory of 1944 3608 net.exe 86 PID 3608 wrote to memory of 1944 3608 net.exe 86 PID 2352 wrote to memory of 1392 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 90 PID 2352 wrote to memory of 1392 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 90 PID 2352 wrote to memory of 1392 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 90 PID 2352 wrote to memory of 1080 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 91 PID 2352 wrote to memory of 1080 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 91 PID 2352 wrote to memory of 1080 2352 0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe 91 PID 1080 wrote to memory of 3752 1080 Logo1_.exe 93 PID 1080 wrote to memory of 3752 1080 Logo1_.exe 93 PID 1080 wrote to memory of 3752 1080 Logo1_.exe 93 PID 3752 wrote to memory of 2308 3752 net.exe 95 PID 3752 wrote to memory of 2308 3752 net.exe 95 PID 3752 wrote to memory of 2308 3752 net.exe 95 PID 1392 wrote to memory of 4616 1392 cmd.exe 96 PID 1392 wrote to memory of 4616 1392 cmd.exe 96 PID 1080 wrote to memory of 648 1080 Logo1_.exe 97 PID 1080 wrote to memory of 648 1080 Logo1_.exe 97 PID 1080 wrote to memory of 648 1080 Logo1_.exe 97 PID 648 wrote to memory of 1592 648 net.exe 99 PID 648 wrote to memory of 1592 648 net.exe 99 PID 648 wrote to memory of 1592 648 net.exe 99 PID 1080 wrote to memory of 3408 1080 Logo1_.exe 55 PID 1080 wrote to memory of 3408 1080 Logo1_.exe 55
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB34.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe"4⤵
- Executes dropped EXE
PID:4616
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2308
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1592
-
-
-
-
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request68.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request98.117.19.2.in-addr.arpaIN PTRResponse98.117.19.2.in-addr.arpaIN PTRa2-19-117-98deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 560459
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 76DA3F3228644B66ABCD5F596935997A Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301182_15RUNGDSFF0MLDKK2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301182_15RUNGDSFF0MLDKK2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 1310684
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B67631D2107B491D8F2AD7A87A03E55B Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 585223
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F1294CF8FB7A4AE0B77345B16BECA385 Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 1374508
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C29CC0F19AC94FB6AF2CC958C466DE8C Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301591_1PGV0364HK4XMTTCN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301591_1PGV0364HK4XMTTCN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 531119
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C8D4F02428D24C40B83A8BFB1F832B34 Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 401499
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9C945137C5E34124B3BFC243691A1EFD Ref B: LON601060103036 Ref C: 2024-10-18T00:15:28Z
date: Fri, 18 Oct 2024 00:15:28 GMT
-
Remote address:8.8.8.8:53Request27.173.189.20.in-addr.arpaIN PTRResponse
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2172.7kB 4.9MB 3598 3592
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360264291_1OMXAE3VFGJI9A76K&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301182_15RUNGDSFF0MLDKK2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418561_1E2KGQS8IVJEZ1891&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418562_1168Q5I7J0C0R4GX2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301591_1PGV0364HK4XMTTCN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360264303_1FV8HLP8B8WOIRSCV&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
68.159.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
98.117.19.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
27.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB
MD59cf7b07dd06628796ff4e62fb9045745
SHA10bf672cd5d15e03dc0825573de2a664691f6157d
SHA2561d0318fb8c24be5255c342d956996c5dd60d9f9a4e34456db4ef9c13731b6338
SHA512fa5f74279d4090242a472b27436ef77a7da59141479c22a1714389d490dc6fe550cc227903360caf9951407fb6e9ff27102b797b6ed3a7b158710bf745936c9c
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize643KB
MD5d986668b051bea5787f946062c7b130b
SHA15bbc40ce89577fa48bfc3035ff79cd79fd2da41f
SHA256fed2637beb19ec4b49c608e95b97cec22c1b1ac48b7c69401d0de845f7625d46
SHA512d64420bb532d70433bb76db7d91968c517f89e05946c3f6c7a561afebb9764b0af74be1667d9aefc4563f7cb8c1551f81f479f17bcc9315d80ae2c3134759a4a
-
Filesize
722B
MD5e885aee87b69cacf0df85d8a6bba75b0
SHA157697be1e72ec58e02576753a88a5ab534c1668f
SHA256b9303b9bb3ff0282c798f142230fc8794ef4cf590351bbd933f202113e465542
SHA5129a2b7cfdec3f052894351362f3bc2f6204d41dc41462264d85768ec7bcea08871f9b2b4d2f115ab02ade14ed4e34940b48ec081355ffb6b26621eab4c0689cc2
-
C:\Users\Admin\AppData\Local\Temp\0407b4435298fd6accedf181a003a74b7abd31a879bbaab0b57c61fc4d89e02c.exe.exe
Filesize544KB
MD59a1dd1d96481d61934dcc2d568971d06
SHA1f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA2568cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA5127ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
33KB
MD5828e2b4217fa5d1af64ed5e53cc9c32f
SHA1c4c9897302233cb01f5297a474273b9fc3dfe8b0
SHA256dab472637885b769458d9bca73a6d7d43708337a651658029b6be881c0770123
SHA512577324c9ff48421ce990fe851c0c0ae772cff4456c8a2afcbb9cdc4ab33921a6135f3a18599c8302277ca419a6897859544765ac6496519c3a998190b00c78e2
-
Filesize
10B
MD52c51e5c30f050245287a14eb60e30d30
SHA1b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e
SHA2569310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88
SHA512fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5