bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
Size

707KB
MD5

df3e4c6e1524d8a1279654021ca0813e
SHA1

5b2e0ce1062d9aef1ab362d64943f88ea8bf46cc
SHA256

bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad
SHA512

a431de41cb62a929db2f010a209cc6b5eee220a933d258afcec5e9b851c94b19ce0e3b19334da895e108023512a8d65d1313f68cc56811895c1ef5772dab27f1
SSDEEP

12288:vHXKeC7gWmUFmDDLQJUFmDDLQJUFmDDLQV0J0://NqqY0J0

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\R:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\O:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\N:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\E:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\T:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\S:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\M:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\I:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\H:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\Y:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\X:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\Q:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\L:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\K:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\J:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\Z:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\V:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\U:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\P:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened (read-only)	\??\G:	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\Crashpad\reports\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\Crashpad\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\host\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\Crashpad\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\host\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\host\fxr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\Crashpad\attachments\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4032	2432	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2972	2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe	84
PID 2432 wrote to memory of 2972	2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe	84
PID 2432 wrote to memory of 2972	2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe	84
PID 2972 wrote to memory of 1332	2972	net.exe	86
PID 2972 wrote to memory of 1332	2972	net.exe	86
PID 2972 wrote to memory of 1332	2972	net.exe	86
PID 2432 wrote to memory of 3460	2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe	56
PID 2432 wrote to memory of 3460	2432	bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe
  "C:\Users\Admin\AppData\Local\Temp\bd7b758e72d5ff89c482cef1ad6089da99db0295690003831862ed9505e9c4ad.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 744
    3⤵
    - Program crash
    PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2432 -ip 2432
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
1.4MB

MD5
f2fe236b0aa101795ac76906b98bb0d7

SHA1
66959ac3b2628dd1ba6c9045aa805370b089fc5f

SHA256
7168d3aabb13b3f7f71fe2df981a948356e2b3c4702a734187101dd3d68e06f2

SHA512
0adfa1d164ee364eb21e65e2ff5d6a2d05840a858ca24b2ee410c27aab0e2152773bf955ce28201e6af1fce278075a5d1e05e21980f330a459a9139b0347c508

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\_desktop.ini

Filesize
10B

MD5
688d58fa5756a393f9472937ef284c25

SHA1
18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

SHA256
e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

SHA512
c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

Download Submit
memory/2432-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2432-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2432-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download