Analysis
max time kernel: 149s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 03:38
Static task: static1
Behavioral task: behavioral1
Sample: d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe
Resource: win7-20241010-en
General
Target: d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe
Size: 145KB
MD5: 557c99ce56321eb3ce941b29451ad500
SHA1: 9b0f1f52c88a3b6901ac846b30525bcc340a86fd
SHA256: d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff
SHA512: 99bcf9d181426d77e0b723a34e4a724314e8f491ee7f456485d74c89433d8329457a85a99344f119cc9523032187229fbfb84aacc977190782e5b7552589c0ee
SSDEEP: 3072:I4we+aX3zvOmZWXyaiedMbrN6pnoXPBsr5ZrR:fl+aX3LOSNaPM4loo5Zd
Malware Config
Signatures
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (2 IoCs)
- PID 5000: Logo1_.exe
- PID 4396: d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\Z: (Logo1_.exe)
- File opened (read-only): \??\X: (Logo1_.exe)
- File opened (read-only): \??\T: (Logo1_.exe)
- File opened (read-only): \??\M: (Logo1_.exe)
- File opened (read-only): \??\V: (Logo1_.exe)
- File opened (read-only): \??\S: (Logo1_.exe)
- File opened (read-only): \??\R: (Logo1_.exe)
- File opened (read-only): \??\Q: (Logo1_.exe)
- File opened (read-only): \??\L: (Logo1_.exe)
- File opened (read-only): \??\J: (Logo1_.exe)
- File opened (read-only): \??\H: (Logo1_.exe)
- File opened (read-only): \??\E: (Logo1_.exe)
- File opened (read-only): \??\Y: (Logo1_.exe)
- File opened (read-only): \??\W: (Logo1_.exe)
- File opened (read-only): \??\U: (Logo1_.exe)
- File opened (read-only): \??\P: (Logo1_.exe)
- File opened (read-only): \??\N: (Logo1_.exe)
- File opened (read-only): \??\K: (Logo1_.exe)
- File opened (read-only): \??\O: (Logo1_.exe)
- File opened (read-only): \??\I: (Logo1_.exe)
- File opened (read-only): \??\G: (Logo1_.exe)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
- File created: C:\Windows\rundl132.exe (d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe)
- File created: C:\Windows\Logo1_.exe (d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Logo1_.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (29 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 3468)
  - Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe (PID 3348)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe"
    - Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2400)
      - Command line: net stop "Kingsoft AntiVirus Service"
      - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3848)
        - Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 4364)
      - Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF77.bat
      - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe (PID 4396)
        - Command line: "C:\Users\Admin\AppData\Local\Temp\d8209175ad5e4d695b0df7fdd26bfdb20a430d48c77233c3b6c1417c84727dff.exe"
        - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\Logo1_.exe (PID 5000)
      - Command line: C:\Windows\Logo1_.exe
      - Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3476)
        - Command line: net stop "Kingsoft AntiVirus Service"
        - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 440)
          - Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 368)
        - Command line: net stop "Kingsoft AntiVirus Service"
        - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 5084)
          - Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads