Analysis

- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 20:16

Static task: static1
Behavioral task: behavioral1
Sample: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
Resource: win7-20240903-en

General

- Target: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
- Size: 11.1MB
- MD5: 03e0d68de934dd404d7c5f764e383c3e
- SHA1: 49f2234a66d178a2c11bee3bd4170458220127c5
- SHA256: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790
- SHA512: dcb61014a102cb71fdec807303b80fe05b3df791cc34689470d7c1d8e0a59851b64373920de64118b9e3e32ad411419e6523b2485a15668e218a667e8a146235
- SSDEEP: 98304:Mdfb+0ChEPIGiq3y3vx+w9TbfjJ+kdfpK46Tle36jknz9Y:MJ+kIGv3y/x+KTbfjJ+kdnAlejY
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (Logo1_.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)

Executes dropped EXE (3 IoCs)
- PID 2940: Logo1_.exe
- PID 4700: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
- PID 3236: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Logo1_.exe: \??\Y:, \??\X:, \??\W:, \??\N:, \??\L:, \??\V:, \??\R:, \??\K:, \??\H:, \??\G:, \??\Z:, \??\T:, \??\S:, \??\P:, \??\O:, \??\J:, \??\I:, \??\U:, \??\Q:, \??\M:, \??\E:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe)
- File created: C:\Windows\Logo1_.exe (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by net1.exe, net.exe, Logo1_.exe, cmd.exe, net.exe, net1.exe, 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe, net.exe, net1.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, 2 distinct)
- PID 4360: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe
- PID 2940: Logo1_.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 4700: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe

Suspicious use of SendNotifyMessage (1 IoCs)
- PID 4700: 6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe

Suspicious use of WriteProcessMemory (30 IoCs, 11 distinct)
- PID 4360 (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe) wrote to memory of PID 4544, procid_target 83
- PID 4544 (net.exe) wrote to memory of PID 1592, procid_target 85
- PID 4360 (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe) wrote to memory of PID 1564, procid_target 89
- PID 4360 (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe) wrote to memory of PID 2940, procid_target 91
- PID 2940 (Logo1_.exe) wrote to memory of PID 4864, procid_target 92
- PID 1564 (cmd.exe) wrote to memory of PID 4700, procid_target 94
- PID 4864 (net.exe) wrote to memory of PID 1736, procid_target 96
- PID 4700 (6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe) wrote to memory of PID 3236, procid_target 95
- PID 2940 (Logo1_.exe) wrote to memory of PID 2488, procid_target 98
- PID 2488 (net.exe) wrote to memory of PID 2344, procid_target 100
- PID 2940 (Logo1_.exe) wrote to memory of PID 3392, procid_target 56
Processes

C:\Windows\Explorer.EXE (PID 3392)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe (PID 4360)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 4544)
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 1592)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1564)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77FF.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe (PID 4700)
        Command line: "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe"
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe (PID 3236)
          Command line: "C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe" --type=collab-renderer --proc=4700
          - Executes dropped EXE

    C:\Windows\Logo1_.exe (PID 2940)
      Command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 4864)
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 1736)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe (PID 2488)
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2344)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

(unnamed)
- Filesize: 251KB
- MD5: d1c85aed7ccbf5c8b6b82a6039973bcb
- SHA1: 8172aa11225d987b394c5a9668866948d6743e51
- SHA256: 3d6fd770ff32c36c96c617e34adac45614b12daae11da48246c216a5b1d2bef8
- SHA512: 4589b2cc748305a2c28eeaf913c603068af524b61265f52c6b5c1369129f322c8d9f514b6292cff6bc368515d71cafaf644ab360d74a672b205e106b77fa8c19

(unnamed)
- Filesize: 577KB
- MD5: 3c8d51cfb63666d0a80fb0722b89754a
- SHA1: 588f67f35d30a79e7b809302882a32ab4cf6a943
- SHA256: c1ae61c35f0286c94dd114441b63eb82fdfd7d322ef46aab92eb73902b17c283
- SHA512: 3c9a60d536c4a9e6b1db3f01167bfdca11d2a5238c1e177578acf4b5b07bb92ad0a15ece46bc7040dbe2a34709777b5a8e4e74fefa24739a8e1df4e243b08f8e

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
- Filesize: 644KB
- MD5: 805ba9e4bcfdde2cd41c62cdfa500003
- SHA1: 561ac3c3eea04a2823e08fa73ef4856b2113c164
- SHA256: ded84e71610908af1b33c0ef1e6b08fd1c84411eb3f7c704267fdf91d0dbe128
- SHA512: d84c52b4d586632bde823dd0ee73afa0e6cbabca47ed60d2690c7be1befc693b62b5ca5c1e16a57d719cd64d948160870c844c6c8805789a3ce34c1ee3f0c4ab

(unnamed)
- Filesize: 722B
- MD5: 3e56fca475ed310ec9ebe6ca928c3d7e
- SHA1: e150c60d3229c75cf14f099a10b8b4fb26140f5a
- SHA256: d69f7da8e8e6e0c9f265960bb94a561979eba0458153178686ff7d150e10c204
- SHA512: 77a23b1185159bad09f9c4878d893a9e0f34bdedebbb855fbda967e691f53aeb95859a47922f43f4d96c88e3f4580aaeac552c65c5bec1440a87638a14208a2b

C:\Users\Admin\AppData\Local\Temp\6d797d3d0c3a58bf8edfdc6decb692cd4e0a42062e1a93e721fdc35c98a1f790.exe.exe
- Filesize: 11.0MB
- MD5: b45b7bd6eb92c5b65378d8d0a0964747
- SHA1: 5ca6f198ac83c90496110259b57ff4a5f47b64bb
- SHA256: 5f1d9218f9735a763ffecc47c7b6f0c342b7f1a5da835733e0b3b73903f864a0
- SHA512: bde39c4b6d04caae8280bdd53e6036c53ed394a72f0d4d1273c149175570e8a87f87c8963869c96834fef7e82893da38c49ce4aaa1851e65c055dbbcac7c1708

(unnamed)
- Filesize: 33KB
- MD5: dfc4e131e84f5b4aa301491d0d5c735f
- SHA1: f4efee0061dee53da9d73f70648ae8ad2eeb6473
- SHA256: f9508caee8e59955142464761783f89d580b4ac080f2d8256d6bf547e1958ba9
- SHA512: 62652d0c21a71e52777c3e929013f838e0907a21259e2947bf46e698fb90597309cdbce5f1c656022e98bf14588386d1c9c5559658392e29c1da2b86ba0221c0

(unnamed)
- Filesize: 842B
- MD5: 6f4adf207ef402d9ef40c6aa52ffd245
- SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
- SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
- SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

(unnamed)
- Filesize: 9B
- MD5: 577b020fd4f1c33364f7dc1b6a15b5e0
- SHA1: 0a39afa020279d2ae46b302efe9dfd550e822709
- SHA256: e22c9759bcf5bc35063c6c048e109883f070723446b9ed5d16e70c48ca526bb9
- SHA512: c7b8e4478ddc648c13acd21b16fa7397fad334d7710e3d91f4069fcd7d5a4f3d8c542c46eb3843c4dbc8d862bf03a50d1ad641e725f53382a73a9ac4ec035f48