fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
Size

924KB
MD5

b9c99090d59b1d5df004cc2604725e14
SHA1

c0655d999b447fc339214e0a970c259c85773b4d
SHA256

fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea
SHA512

47ecdb79c78523471bd937f7091f676293fbc386c41b0a3ad9ad874786305981142904d76e6cce51cb02ef8f7074828006f435520902e2e3f1bf5f931e356aeb
SSDEEP

12288:vHXKeo7gWmUFmDDLQJUFmDDLQJUFmDDLQV0qr1nMLd:/9NqqY0qriLd

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\V:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\N:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\M:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\L:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\Z:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\O:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\T:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\S:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\R:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\Q:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\K:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\J:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\E:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\W:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\U:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\P:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\I:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\H:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\G:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened (read-only)	\??\Y:	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SearchCompress.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\host\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\Crashpad\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\Crashpad\reports\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\host\fxr\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\Google\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\7-Zip\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\host\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4988	4620	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1716	4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe	84
PID 4620 wrote to memory of 1716	4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe	84
PID 4620 wrote to memory of 1716	4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe	84
PID 1716 wrote to memory of 3604	1716	net.exe	86
PID 1716 wrote to memory of 3604	1716	net.exe	86
PID 1716 wrote to memory of 3604	1716	net.exe	86
PID 4620 wrote to memory of 3388	4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe	56
PID 4620 wrote to memory of 3388	4620	fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe
  "C:\Users\Admin\AppData\Local\Temp\fbdf83323fe53b38402c3a248cf68f9fa99af1d631b87ff1ac238059c6b05fea.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 800
    3⤵
    - Program crash
    PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4620 -ip 4620
1⤵
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
1.6MB

MD5
07dc91c24830535bd4f963980be8ebb6

SHA1
b76b783e87f36414d3036a15855bdf36578db632

SHA256
75910588d1d4c8e5cccd1e5a02f493b05a4cfde869716322306625740b52cca1

SHA512
2465068139295fa42c8932e848a741cee8d952c4001cc2f0a928cfe63ff308cefa385c850d3ac6d391cd5facdbdba25fc284f7b6d0b4de9188066591330a3f77

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

Filesize
10B

MD5
688d58fa5756a393f9472937ef284c25

SHA1
18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

SHA256
e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

SHA512
c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

Download Submit
memory/4620-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4620-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4620-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download