Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:22
Static task: static1
Behavioral task: behavioral1
Sample: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Resource: win7-20241010-en
General
Target: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Size: 488KB
MD5: de4f99d33c3138d156d2227d1b33c300
SHA1: 539dffd0a2747a2476194ea4622ce811b777d2c9
SHA256: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e
SHA512: 4db6e5810373d94603df13bbac362ef5e0d76a5b5400aac1d3d132706058fd69b58b5423ecfd811efe2f925d91fdf137b5a009b6d22a0a8d5fbcf9e300d3b7e0
SSDEEP: 12288:CX1m03qIOkU8AMXE9B7PElZlP41N+4PUWfo:o1meBOkUhMXcBwc04nA
Malware Config
Signatures
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE 3 IoCs
pid | Process
4444 | Logo1_.exe
5000 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
404 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe

Loads dropped DLL 1 IoCs
pid | Process
404 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini | Logo1_.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
File created | C:\Windows\Logo1_.exe | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
924 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe (entry repeated in the report)
4444 | Logo1_.exe (entry repeated in the report)

Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 924 wrote to memory of 1552 | 924 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe | 84 (3 entries)
PID 1552 wrote to memory of 1628 | 1552 | net.exe | 86 (3 entries)
PID 924 wrote to memory of 2800 | 924 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe | 90 (3 entries)
PID 924 wrote to memory of 4444 | 924 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe | 91 (3 entries)
PID 4444 wrote to memory of 4832 | 4444 | Logo1_.exe | 92 (3 entries)
PID 4832 wrote to memory of 2948 | 4832 | net.exe | 95 (3 entries)
PID 2800 wrote to memory of 5000 | 2800 | cmd.exe | 96 (3 entries)
PID 5000 wrote to memory of 404 | 5000 | ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe | 97 (3 entries)
PID 4444 wrote to memory of 4904 | 4444 | Logo1_.exe | 98 (3 entries)
PID 4904 wrote to memory of 216 | 4904 | net.exe | 100 (3 entries)
PID 4444 wrote to memory of 3532 | 4444 | Logo1_.exe | 56 (2 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3532
    C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:924
        C:\Windows\SysWOW64\net.exe
          command line: net stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:1552
            C:\Windows\SysWOW64\net1.exe
              command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              - System Location Discovery: System Language Discovery
              PID:1628
        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:2800
            C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:5000
                C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe" -burn.unelevated BurnPipe.{A82C33E8-B55A-445F-BE64-7127AEE3C92E} {DDE9AE8A-290E-4F4C-B2B7-81CEBCD9B74B} 5000
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  PID:404
        C:\Windows\Logo1_.exe
          command line: C:\Windows\Logo1_.exe
          - Drops startup file
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID:4444
            C:\Windows\SysWOW64\net.exe
              command line: net stop "Kingsoft AntiVirus Service"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:4832
                C:\Windows\SysWOW64\net1.exe
                  command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  - System Location Discovery: System Language Discovery
                  PID:2948
            C:\Windows\SysWOW64\net.exe
              command line: net stop "Kingsoft AntiVirus Service"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID:4904
                C:\Windows\SysWOW64\net1.exe
                  command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  - System Location Discovery: System Language Discovery
                  PID:216
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
Filesize: 251KB
MD5: 10a7fff2e496850370cd3b3ee33cada0
SHA1: 2fbeb0236ab8937b7aa472cae8b3720802e9c764
SHA256: 3114db136b324064263065317536490601c26e731d3558a7caf6cc7507db4d97
SHA512: d714185364cce8be63ecaa6ba4abdd3da5ded059a2df252f9d26e2440cbbcecfc96e0944a84ea3201b0d8b1afa57154053dc814995dbea36bd06dfbfe629ef58

Filesize: 577KB
MD5: c271a86be0a29d90a35fe31a5c49272e
SHA1: 40ce9f85f7a6dda6fe54d36a86a46d131bc120dc
SHA256: 6865992bfc8198f5af017209cc289eb9d2adee1e4aede750f881fb5cf307523a
SHA512: e32d6246ec9c00d8bb8a14793f30b22983f1c03ea418c241bf4c8e22c9992334fe0ab3715b64e3d43d44b9a6cba86e4d75c2ff55d8ff2201fcb1329510b762ae

Filesize: 722B
MD5: 837261d9f78481633c5764da0233d2f5
SHA1: 2c40a36213c3deb56a20cd40a2361fa81ccf052b
SHA256: 8bc469cce08c7b84b57e5256ba8320dfa749cf02d6de639ac26b4d8df07a1f74
SHA512: 00487d02e82a5c0b126361808016a6adbe8054ee2d5b7e7d852e809f93bd59fe9bac930b853a6fc663267791c21d211661fa3bfbe121a684ce5be079bfdb836b

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe.exe
Filesize: 455KB
MD5: 6503c081f51457300e9bdef49253b867
SHA1: 9313190893fdb4b732a5890845bd2337ea05366e
SHA256: 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512: 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 117KB
MD5: a52e5220efb60813b31a82d101a97dcb
SHA1: 56e16e4df0944cb07e73a01301886644f062d79b
SHA256: e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512: d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Filesize: 33KB
MD5: dd7de04b7104a93e35fb3a577b5b621b
SHA1: 4d84ff8b82f359e1c303d9d68dda6dc503848ad6
SHA256: fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03
SHA512: 569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

Filesize: 10B
MD5: 28a582403dbb209b6c5cb7bada9c918d
SHA1: db58560be63032a4cbd738d2d639e5bf764d6277
SHA256: b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512: 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae