Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 00:03
Static task
static1
Behavioral task
behavioral1
Sample
74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
Resource
win7-20240903-en
General
-
Target
74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
-
Size
563KB
-
MD5
86bb6b739bb4d22e1810d41cbfe6a29e
-
SHA1
6b9bd695ad29d47ccf580982561586c3a4856ddf
-
SHA256
74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e
-
SHA512
cc78b82d7a7f5c1bc7168262276ea0a419dba339b47e34ebc60bec87298d993b84f982f41104ed86fa0a030783c06aaf953fb768498b410974aa78090f14e165
-
SSDEEP
12288:V3N2rc9iJafmm2VYK+UNo0RweQfoAxHv9sN4A4H9J618UtQ43iUa:V3N2hVm2VZQwy9E1Vf3M
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
5080 | Logo1_.exe
5036 | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report attaches no concrete IoC to this signature, so it is a behavioural hint rather than an observed read of a specific browser profile file.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: \??\V: \??\M: \??\H: \??\G: \??\L: \??\K: \??\X: \??\Q: \??\P: \??\O: \??\N: \??\Y: \??\W: \??\T: \??\S: \??\R: \??\U: \??\J: \??\I: \??\E: (21 drive letters, every letter from E: to Z: except F:) | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
File created | C:\Windows\Logo1_.exe | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
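The file-system signatures above (the hosts file opened for modification by both the sample and Logo1_.exe, a _desktop.ini written into the Word STARTUP folder and across Program Files, Logo1_.exe, rundl132.exe and Dll.dll written to the root of C:\Windows, and two existing executables, wmprph.exe and wabmig.exe, opened for modification) form a pattern that can be scored from ordinary file-create/modify telemetry rather than matched hash by hash. The Python below is an added example and not part of this report or of any sandbox; the events are constructed from the IoCs listed above plus two benign events for contrast, and the system-binary list behind the look-alike check (rundl132.exe against rundll32.exe), the path constants and the two-category threshold are assumptions.

```python
"""Score file-create/modify events for the drop pattern seen in this report.

Added example, not sandbox output: EVENTS are constructed from the report's
IoC lists; SYSTEM_BINARIES, the path constants and the threshold in
suspicious() are assumptions.
"""
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = "74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    action: str  # "created" or "modified"
    path: str


# Constructed from the report's "Drops file ..." signatures (a subset),
# followed by two constructed benign events that the scoring should ignore.
EVENTS = [
    FileEvent(1376, SAMPLE, "modified", r"C:\Windows\system32\drivers\etc\hosts"),
    FileEvent(1376, SAMPLE, "created", r"C:\Windows\rundl132.exe"),
    FileEvent(1376, SAMPLE, "created", r"C:\Windows\Logo1_.exe"),
    FileEvent(5080, "Logo1_.exe", "modified", r"C:\Windows\system32\drivers\etc\hosts"),
    FileEvent(5080, "Logo1_.exe", "created", r"C:\Windows\Dll.dll"),
    FileEvent(5080, "Logo1_.exe", "created",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"),
    FileEvent(5080, "Logo1_.exe", "created", r"C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini"),
    FileEvent(5080, "Logo1_.exe", "created", r"C:\Program Files\Windows Defender\_desktop.ini"),
    FileEvent(5080, "Logo1_.exe", "modified", r"C:\Program Files (x86)\Windows Media Player\wmprph.exe"),
    FileEvent(5080, "Logo1_.exe", "modified", r"C:\Program Files (x86)\Windows Mail\wabmig.exe"),
    FileEvent(4100, "msiexec.exe", "created", r"C:\Program Files\Vendor\app.exe"),
    FileEvent(900, "explorer.exe", "modified", r"C:\Users\Admin\Documents\notes.txt"),
]

HOSTS = "c:\\windows\\system32\\drivers\\etc\\hosts"
WORD_STARTUP = "\\appdata\\roaming\\microsoft\\word\\startup\\"
# Assumption: names a dropper in C:\Windows is likely to imitate.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary `name` imitates (distance 1), else None."""
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) == 1:
            return real
    return None


def classify(ev):
    """Map one event to zero or more finding labels."""
    low = ev.path.lower()
    folder, name = ntpath.split(low)
    out = []
    if low == HOSTS:
        out.append("hosts_modified")
    if WORD_STARTUP in low:
        out.append("office_startup_drop")
    if name == "_desktop.ini" and low.startswith("c:\\program files"):
        out.append("desktop_ini_marker")
    if folder == "c:\\windows" and name.endswith((".exe", ".dll")):
        out.append("windows_root_binary")
        if lookalike(name):
            out.append("lookalike_name")
    if ev.action == "modified" and name.endswith(".exe") and low.startswith("c:\\program files"):
        out.append("existing_exe_modified")
    return out


def summarize(events):
    """Per-process Counter of finding labels."""
    per = defaultdict(Counter)
    for ev in events:
        for label in classify(ev):
            per[(ev.pid, ev.process)][label] += 1
    return per


def suspicious(events, min_labels=2):
    """PIDs whose findings span >= min_labels distinct categories (assumed
    threshold, so a lone hosts write by an installer does not trip it)."""
    return sorted(pid for (pid, _), c in summarize(events).items() if len(c) >= min_labels)


if __name__ == "__main__":
    for key, counts in summarize(EVENTS).items():
        print(key, dict(counts))
    print("suspicious:", suspicious(EVENTS))
```

Run against the constructed events, both sandbox PIDs score (1376 on the hosts write plus the look-alike rundl132.exe in C:\Windows; 5080 on five distinct categories) while the installer and Explorer events produce no findings. On real telemetry the hosts-file and Program Files rules need an allowlist for installers and update agents, which this example deliberately leaves out.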
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1376 | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe (listed repeatedly)
5080 | Logo1_.exe (listed repeatedly)
The report records 64 entries in total, each a repeat of one of these two rows.
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target | occurrences
PID 1376 wrote to memory of 4792 | 1376 | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe | 83 | 3
PID 4792 wrote to memory of 3980 | 4792 | net.exe | 85 | 3
PID 1376 wrote to memory of 380 | 1376 | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe | 89 | 3
PID 1376 wrote to memory of 5080 | 1376 | 74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe | 90 | 3
PID 5080 wrote to memory of 4772 | 5080 | Logo1_.exe | 92 | 3
PID 4772 wrote to memory of 800 | 4772 | net.exe | 94 | 3
PID 380 wrote to memory of 5036 | 380 | cmd.exe | 95 | 3
PID 5080 wrote to memory of 4208 | 5080 | Logo1_.exe | 97 | 3
PID 4208 wrote to memory of 3468 | 4208 | net.exe | 99 | 3
PID 5080 wrote to memory of 3484 | 5080 | Logo1_.exe | 56 | 2
Every target except 3484 is a process the writer itself spawned (see the Processes tree); 3484 is Explorer.EXE, which Logo1_.exe did not create.
Processes
-
- C:\Windows\Explorer.EXE (PID 3484)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe (PID 1376)
    command line: "C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"
    signatures: Drops file in Drivers directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4792)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3980)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 380)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe (PID 5036)
        command line: "C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 5080)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4772)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 800)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 4208)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3468)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
-
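The WriteProcessMemory list and the process tree above carry more than their raw rows show: every parent in the tree writes into the child it has just created (the report records that three times per child), while PID 5080 (Logo1_.exe) also writes into PID 3484, the Explorer.EXE that started the chain and that Logo1_.exe did not create. Separating those two cases, and pulling the `net stop "Kingsoft AntiVirus Service"` command lines out of the tree, is a triage step worth automating. The Python below is an added example, not part of this report or of any sandbox: the records, PIDs and command lines are transcribed from the sections above, and the keyword list used to decide that a stopped service is an antivirus product is an assumption.

```python
"""Rebuild the process tree from this report's WriteProcessMemory records and
flag writes into a process the writer did not create, plus `net stop` of
an AV-looking service.

Added example, not sandbox output: WRITES and PROCESSES are transcribed from
the report; AV_WORDS is an assumption.
"""
import re
from collections import Counter

SAMPLE = "74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe"

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>", with the
# report's own repetition counts kept (27 child-setup writes, 2 into Explorer).
WRITES = (
    [f"PID 1376 wrote to memory of 4792 1376 {SAMPLE} 83"] * 3
    + ["PID 4792 wrote to memory of 3980 4792 net.exe 85"] * 3
    + [f"PID 1376 wrote to memory of 380 1376 {SAMPLE} 89"] * 3
    + [f"PID 1376 wrote to memory of 5080 1376 {SAMPLE} 90"] * 3
    + ["PID 5080 wrote to memory of 4772 5080 Logo1_.exe 92"] * 3
    + ["PID 4772 wrote to memory of 800 4772 net.exe 94"] * 3
    + ["PID 380 wrote to memory of 5036 380 cmd.exe 95"] * 3
    + ["PID 5080 wrote to memory of 4208 5080 Logo1_.exe 97"] * 3
    + ["PID 4208 wrote to memory of 3468 4208 net.exe 99"] * 3
    + ["PID 5080 wrote to memory of 3484 5080 Logo1_.exe 56"] * 2
)

SAMPLE_CMD = f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'
NET1_CMD = 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"'

# pid -> (image, parent pid, command line), transcribed from the Processes tree.
PROCESSES = {
    3484: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    1376: (SAMPLE, 3484, SAMPLE_CMD),
    4792: ("net.exe", 1376, 'net stop "Kingsoft AntiVirus Service"'),
    3980: ("net1.exe", 4792, NET1_CMD),
    380: ("cmd.exe", 1376, r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat"),
    5036: (SAMPLE, 380, SAMPLE_CMD),
    5080: ("Logo1_.exe", 1376, r"C:\Windows\Logo1_.exe"),
    4772: ("net.exe", 5080, 'net stop "Kingsoft AntiVirus Service"'),
    800: ("net1.exe", 4772, NET1_CMD),
    4208: ("net.exe", 5080, 'net stop "Kingsoft AntiVirus Service"'),
    3468: ("net1.exe", 4208, NET1_CMD),
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
STOP_RE = re.compile(r'\bstop\s+"([^"]+)"', re.IGNORECASE)
AV_WORDS = ("antivirus", "anti-virus", "defender", "security")  # assumption


def parse_writes(lines):
    """(source pid, target pid, source image) per record; malformed lines skipped."""
    out = []
    for line in lines:
        m = WRITE_RE.fullmatch(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return out


def write_counts(lines):
    """How often each (source, target) pair appears in the report."""
    return Counter((src, dst) for src, dst, _ in parse_writes(lines))


def foreign_writes(lines, processes):
    """Writes whose target is not a direct child of the writer (deduplicated)."""
    seen, out = set(), []
    for src, dst, image in parse_writes(lines):
        parent = processes.get(dst, (None, None, None))[1]
        if parent != src and (src, dst) not in seen:
            seen.add((src, dst))
            out.append((src, image, dst, processes.get(dst, ("<unknown>",))[0]))
    return out


def av_service_stops(processes):
    """(pid, service) for every command line that stops an AV-looking service."""
    hits = []
    for pid, (_, _, cmd) in processes.items():
        m = STOP_RE.search(cmd)
        if m and any(w in m.group(1).lower() for w in AV_WORDS):
            hits.append((pid, m.group(1)))
    return sorted(hits)


def render_tree(processes, root=None, depth=0):
    """Indented tree in the same shape as the report's Processes section."""
    lines = []
    for pid, (image, parent, _) in sorted(processes.items()):
        if parent == root:
            lines.append("  " * depth + f"{image} (PID {pid})")
            lines.extend(render_tree(processes, pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("foreign writes:", foreign_writes(WRITES, PROCESSES))
    print("AV service stops:", av_service_stops(PROCESSES))
```

The parent check is what separates the noise from the finding: the nine parent-to-child pairs are the ordinary process-creation pattern and collapse to one line each, and the single remaining pair is the write from Logo1_.exe into Explorer.EXE. The same check applies unchanged to Sysmon Event ID 8/10 style telemetry once the parent map is built from process-creation events.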
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (T1555): 1
    - Credentials from Web Browsers (T1555.003): 1
  - Unsecured Credentials (T1552): 1
    - Credentials In Files (T1552.001): 1
Downloads
-
Filesize 251KB
MD5 ddb3a9b2405bde6d9ccd9427ce18bff6
SHA1 0c8f903ff0b064e31b90da6b59a9f6033769b9c9
SHA256 cf2064a9b73904274cd1c61c0f824d090a5cbd9a5780a35a6a0a80012d3cb73c
SHA512 93c797e1ea8760bcc082f40619ccdf789ea26618570aa47f2870509708a338462dfcdd874d6c3429c8c14220b3189c9edb66bdf20adea614604a751dce2e86a6
-
Filesize 577KB
MD5 92efd4b0d561608653e3186a7d3bc8c7
SHA1 a048a43bb3732df81a895efbbea2e2cfc27c7f9a
SHA256 47a58862f537d2e681127a0b3bd2945b09266343c3ddb548c5fa8edfbd130405
SHA512 4d315bd6f23e10bfc5743df12c0f39c572489f70da2cae40af27e34cb3188766ecf396d82378672658757563d76b31599a3f44907243ea58ffe2a8a1e73e1d62
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize 644KB
MD5 805ba9e4bcfdde2cd41c62cdfa500003
SHA1 561ac3c3eea04a2823e08fa73ef4856b2113c164
SHA256 ded84e71610908af1b33c0ef1e6b08fd1c84411eb3f7c704267fdf91d0dbe128
SHA512 d84c52b4d586632bde823dd0ee73afa0e6cbabca47ed60d2690c7be1befc693b62b5ca5c1e16a57d719cd64d948160870c844c6c8805789a3ce34c1ee3f0c4ab
-
Filesize 722B
MD5 7f7917bd7f50cec7a12a4c62b5b55d6f
SHA1 90a37965644768e7f66950a079b2c6e738495aa4
SHA256 f1f02e55b476c0e7771020bfb2d172ba5fd7ea0e24ca3f41cc01d63beffeae1c
SHA512 6f5bcde71196bb779a7ffa99ae84b4522a94d0d879f8b1d4d3e55bbff263c4b4f9259744b242a0c0c71960d762626b28716b85dc228e6d480fac332e33ce4fee
-
C:\Users\Admin\AppData\Local\Temp\74537b0528ce6c8892e73a92fd4c92bcbb16afae1267b75e655899d104da587e.exe.exe
Filesize 529KB
MD5 cca0c5482b8a6a275d9d49433f435dfa
SHA1 a72ae8621386e13c34055f612ae7612b8a18a39e
SHA256 6ea08bbcedf7cb51cfbe4896ef8c589a4568b1d5240265b1dcfda83dc8b55365
SHA512 b88f5cdb4bc08429ca40d24cef490128d341e10615d1d93d084b3247c2b28573d177d878c1385d3941e16a8bcc8a9f6b7870c152f4a43d02e69c05defcc9196e
-
Filesize 33KB
MD5 3dad059e7aec47d7f38f17c930a767d0
SHA1 e3d77ab88d5e22af5fd87ae4c9a42c4722197dee
SHA256 4303680f3967f272c366da0600b22488a03de4e09f605b8e77ee0b0ba0836ecb
SHA512 2a6e399ed54c132c692dc89ead3f330990d9f88ed5afb73fe1b9e5906f30b46d9edf8b34eacd690dafcf1fa380aad934c72fa011f3a3bbd8f1c409d424345a02
-
Filesize 842B
MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize 9B
MD5 577b020fd4f1c33364f7dc1b6a15b5e0
SHA1 0a39afa020279d2ae46b302efe9dfd550e822709
SHA256 e22c9759bcf5bc35063c6c048e109883f070723446b9ed5d16e70c48ca526bb9
SHA512 c7b8e4478ddc648c13acd21b16fa7397fad334d7710e3d91f4069fcd7d5a4f3d8c542c46eb3843c4dbc8d862bf03a50d1ad641e725f53382a73a9ac4ec035f48