Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 04:14
Static task
static1
Behavioral task
behavioral1
Sample
296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
Resource
win7-20241010-en
General
-
Target
296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe
-
Size
6.9MB
-
MD5
d3cf3c033abfe78b61f54db44392dfa1
-
SHA1
413305dd293e3073ac3e73b9c75c432e50cee863
-
SHA256
296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674
-
SHA512
02c3b903a1620512d2ab141e3eaf6a7d1b9ef86e60119adf2289d70668db2c6f6ccee32e40c3714966943fedf1ae75b801787f00e0903cade718eed2ff6f4eaa
-
SSDEEP
98304:nxC3ud6MOIvysiWCQKzo5qphIHVruP3WpF3UdE1hZHEdLF9:sGQnMkhgJuP32+dmhZk/9
Malware Config
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
pid Process 3132 Logo1_.exe 3552 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\fre\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe File created C:\Windows\Logo1_.exe 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3960 3552 WerFault.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe 3132 Logo1_.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1460 wrote to memory of 4660 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 84 PID 1460 wrote to memory of 4660 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 84 PID 1460 wrote to memory of 4660 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 84 PID 4660 wrote to memory of 4828 4660 net.exe 86 PID 4660 wrote to memory of 4828 4660 net.exe 86 PID 4660 wrote to memory of 4828 4660 net.exe 86 PID 1460 wrote to memory of 1732 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 90 PID 1460 wrote to memory of 1732 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 90 PID 1460 wrote to memory of 1732 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 90 PID 1460 wrote to memory of 3132 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 91 PID 1460 wrote to memory of 3132 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 91 PID 1460 wrote to memory of 3132 1460 296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe 91 PID 3132 wrote to memory of 1736 3132 Logo1_.exe 93 PID 3132 wrote to memory of 1736 3132 Logo1_.exe 93 PID 3132 wrote to memory of 1736 3132 Logo1_.exe 93 PID 1736 wrote to memory of 4644 1736 net.exe 95 PID 1736 wrote to memory of 4644 1736 net.exe 95 PID 1736 wrote to memory of 4644 1736 net.exe 95 PID 1732 wrote to memory of 3552 1732 cmd.exe 96 PID 1732 wrote to memory of 3552 1732 cmd.exe 96 PID 1732 wrote to memory of 3552 1732 cmd.exe 96 PID 3132 wrote to memory of 1256 3132 Logo1_.exe 102 PID 3132 wrote to memory of 1256 3132 Logo1_.exe 102 PID 3132 wrote to memory of 1256 3132 Logo1_.exe 102 PID 1256 wrote to memory of 1280 1256 net.exe 104 PID 1256 wrote to memory of 1280 1256 net.exe 104 PID 1256 wrote to memory of 1280 1256 net.exe 104 PID 3132 wrote to memory of 3408 3132 Logo1_.exe 55 PID 3132 wrote to memory of 3408 3132 Logo1_.exe 55
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:4828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 4245⤵
- Program crash
PID:3960
-
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:4644
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3552 -ip 35521⤵PID:2272
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5cb0376e100c5fabb8fd4a1bc56586aaa
SHA1a4911bc430a25cc0bc12d8bd1ec3951acb189a93
SHA256bd9cffa3e795e1bcbf898944e16fc342cd1194013f794bac72e43c96d48c395a
SHA51261960694907542e18a7bd248fe0c8bd560b0d11c6b2c89fe7516cf6397b6c0f1465956c0c1e7f16515a4331dd6f9c8e305f343bcaf1bde125b92bebbe94bca1a
-
Filesize
648KB
MD52459ec56df7204c9ea75865f3edaf357
SHA11db0c61c9453472f4b137fbf77e21acd6c46d281
SHA256d434334ba4bd8d947ada8eb1ea0802cb33b316e2a4c400adcbe339385d577ad3
SHA512283dabbb2360a5cb3cecbf063effded0d0dcbad5372a1ec03269db2c1a490db782187f1191fbfb036853682d223c60e012807f7fd19d2c5552c01d3c751e67ff
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize643KB
MD5db9bddad546005d48ce18fe972246201
SHA1b0dd981322e1c1c0b5c252f47fa13264938de8b6
SHA2569075cd2193d88bc34006b3ca296da52903a6cdcc326f7dc9fbe08d5ce3e653c3
SHA51208c030dcad263220c4593eae14e5b7c5731df7ed8ae5f4ab454d8b981ef28caf35508ddd1ce93063dea8ad3b47b65780349db4c17bb0abdb4e930749c9c365e0
-
Filesize
722B
MD5312ff4d68570fee46638bce9a6195b58
SHA1bd46876bf58870490427c6541804dfb6f65600e5
SHA256edc8114f88e57767b2b338540f9017cce4139fc2b05e68e50c047798a84838b8
SHA512ede6edf2623903711c717f399fce1024a3312965e977e23d037297735c908dafc0a8423b1fd3412a26af34c075a22e44a927b308782af10203387fb251b592db
-
C:\Users\Admin\AppData\Local\Temp\296f2807a21a04297d54ffd6ed3930ce06bf959d0e8c7ea7f8d8d2c471b3a674.exe.exe
Filesize6.9MB
MD545e471bd79b7ca6af28422432b9b8f1a
SHA19138450ca0af79896d2145a83692c7fb068c541a
SHA256c539aed1bcff932b77d8d49486156cc0ad5496e6d5480d9ec435d76cad49d73c
SHA5129af63626b790f63c85ab93d17243dd154f56108931609ffa75d174cde0a5feb540b5e7e24209feb7ca2f87088eb0421e6bed1f94c7a4c893b7b84c440c286f4e
-
Filesize
33KB
MD51c53d2c2c1bd364fe7271c3e92d2e3dc
SHA10a8092d4f1129d843f16fc6851c11ed6751fcc7f
SHA2568810ec719639b333cc678599ed64e62c41e94e9998dfd822c8c9d03e542d4c99
SHA5121792ffb0daa68a799a4f9502fd721895934a46bc99f14539bcafb2923ac43b124138f9efd4346cb6a757c4b8de34c2e0544b0580376a343b2607548087aba578
-
Filesize
10B
MD528a582403dbb209b6c5cb7bada9c918d
SHA1db58560be63032a4cbd738d2d639e5bf764d6277
SHA256b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae