Analysis

max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 18:58

Static task: static1
Behavioral task: behavioral1
Sample: b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
Resource: win7-20241010-en
General

Target: b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
Size: 101KB
MD5: 85a23eaf0aa2cae3e1c28d835a4e22f0
SHA1: 2aa0a585a0c153801da2f855cc61e6fdab7c0830
SHA256: b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52
SHA512: dca59d457d45e5434a08a3737b085561ff872c38c3eae3e74a09029bc4a37505ebc3737ed7b86316e05dcf8f9b2cba04be9f79b78d6ec1e224231582f924c593
SSDEEP: 1536:/Bzsrz8VuJlMXaDuiN+WtwXaa8NPI9j+RedcP01ic4Brg:/Bm8ulMXaKdWtwXwKRj1EBrg
Malware Config
Signatures
Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  Note: the signature fires on the path. Word's STARTUP folder loads templates and add-ins, not .ini files, so this _desktop.ini is the same marker file written elsewhere on the disk, not a persistence mechanism.
Executes dropped EXE (2 IoCs)
  pid | process
  2252 | Logo1_.exe
  2288 | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, in the order recorded: \??\R:, \??\Q:, \??\O:, \??\N:, \??\J:, \??\Z:, \??\T:, \??\S:, \??\K:, \??\U:, \??\P:, \??\M:, \??\X:, \??\L:, \??\G:, \??\I:, \??\H:, \??\E:, \??\Y:, \??\W:, \??\V:
Drops file in Program Files directory (64 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Defender\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Microsoft Office\root\Integration\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\_desktop.ini | Logo1_.exe
  Note: 61 of the 64 entries are _desktop.ini marker files left in directories Logo1_.exe visited. The other three are existing executables opened for modification (jcmd.exe, FullTrustNotifier.exe, iexplore.exe); when an on-disk PE is opened for write by a process that is not an installer or updater, the host should be treated as carrying modified binaries, not just dropped ones. The list is capped at 64 rows by the sandbox, so this is a sample of the activity, not the full set.
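The two file-system signatures above (drive enumeration and the Program Files drops) are presented by the sandbox as flattened "<action> <path> <process>" rows. As an added example, not part of the sandbox report, the following Python parses rows in that exact form and turns them into the per-process facts an analyst wants for a file-infector verdict: how many directories received a _desktop.ini marker, which existing executables were opened for modification, which drive roots were probed, and what was created in the Windows root. The sample input is a constructed subset of nine rows copied from this page's tables; the thresholds in infector_indicators are assumptions chosen for the example.

```python
"""Parse flattened sandbox file-event rows and score file-infector behaviour."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: nine rows copied from the report's IoC tables, flattened
# into one string the way the page presents them ("<action> <path> <process>").
SAMPLE_IOCS = " ".join([
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini Logo1_.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe Logo1_.exe",
    r"File opened for modification C:\Program Files\Internet Explorer\iexplore.exe Logo1_.exe",
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Logo1_.exe",
    r"File created C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini Logo1_.exe",
    r"File opened for modification C:\Program Files\Windows Defender\_desktop.ini Logo1_.exe",
    r"File created C:\Windows\Logo1_.exe b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe",
    r"File opened (read-only) \??\E: Logo1_.exe",
    r"File opened (read-only) \??\Z: Logo1_.exe",
])

ACTIONS = r"File created|File opened for modification|File opened \(read-only\)"
# Paths contain spaces, so the path is everything between the action and the
# last ".exe" token that precedes the next action (or the end of the input).
EVENT_RE = re.compile(rf"({ACTIONS})\s+(.+?)\s+(\S+\.exe)(?=\s+(?:{ACTIONS})|\s*$)")
DRIVE_RE = re.compile(r"^\\\?\?\\[A-Z]:$")   # NT object path of a drive root, e.g. \??\E:


def parse_events(text):
    """Return one {action, path, process} dict per row of a flattened IoC string."""
    return [dict(zip(("action", "path", "process"), m.groups()))
            for m in EVENT_RE.finditer(text)]


def summarize(events):
    """Aggregate per-process facts relevant to a file-infector verdict."""
    per_proc = defaultdict(lambda: {"desktop_ini_dirs": set(), "exe_modified": [],
                                    "drives": set(), "windows_drops": []})
    for ev in events:
        s, path = per_proc[ev["process"]], ev["path"]
        if DRIVE_RE.match(path):                 # drive enumeration, not a file
            s["drives"].add(path[-2])
            continue
        wp = PureWindowsPath(path)
        name, parent = wp.name.lower(), str(wp.parent).lower()
        if name == "_desktop.ini":               # marker file left in visited folders
            s["desktop_ini_dirs"].add(parent)
        elif name.endswith(".exe") and ev["action"] == "File opened for modification":
            s["exe_modified"].append(path)       # existing PE opened for write
        if parent == r"c:\windows" and ev["action"] == "File created":
            s["windows_drops"].append(path)      # new binary in the Windows root
    return per_proc


def infector_indicators(summary, process, ini_dirs=3, drives=2):
    """Human-readable flags for one process; the thresholds are assumptions for this example."""
    s, flags = summary[process], []
    if len(s["desktop_ini_dirs"]) >= ini_dirs:
        flags.append(f"_desktop.ini marker written to {len(s['desktop_ini_dirs'])} directories")
    if s["exe_modified"]:
        flags.append(f"{len(s['exe_modified'])} existing executables opened for modification")
    if len(s["drives"]) >= drives:
        flags.append(f"probed {len(s['drives'])} non-system drive roots")
    return flags


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_IOCS))
    for proc in summary:
        print(proc, "->", infector_indicators(summary, proc) or ["no infector indicators"])
```

Run against the full 64-row table the counts grow but the shape of the verdict does not change: Logo1_.exe trips all three indicators, while the submitted sample only shows up as the process that created C:\Windows\Logo1_.exe.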
Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File created | C:\Windows\rundl132.exe | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
  File created | C:\Windows\Logo1_.exe | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
  Note: rundl132.exe differs from the legitimate rundll32.exe by one character (the digit 1 in place of the second l), and the legitimate binary lives under System32 and SysWOW64, not in the Windows root. Both dropped names are worth a file-name hunt on their own.
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
  Note: net.exe, net1.exe and cmd.exe read this key as part of ordinary locale initialisation, so only the reads by the sample and by Logo1_.exe are attributable to the malware itself.
Runs net.exe
  See the net stop "Kingsoft AntiVirus Service" commands in the process tree below; no separate IoC rows are listed for this signature.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  4244 | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe
  2252 | Logo1_.exe
  All 64 rows are repetitions of these two pid/process pairs (the sandbox emits one row per enumeration call).
Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | process | procid_target | rows
  PID 4244 wrote to memory of 3292 | 4244 | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe | 85 | 3
  PID 3292 wrote to memory of 5000 | 3292 | net.exe | 87 | 3
  PID 4244 wrote to memory of 3448 | 4244 | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe | 88 | 3
  PID 4244 wrote to memory of 2252 | 4244 | b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe | 89 | 3
  PID 2252 wrote to memory of 1368 | 2252 | Logo1_.exe | 90 | 3
  PID 1368 wrote to memory of 2824 | 1368 | net.exe | 93 | 3
  PID 3448 wrote to memory of 2288 | 3448 | cmd.exe | 94 | 3
  PID 2252 wrote to memory of 1912 | 2252 | Logo1_.exe | 95 | 3
  PID 1912 wrote to memory of 1036 | 1912 | net.exe | 97 | 3
  PID 2252 wrote to memory of 3540 | 2252 | Logo1_.exe | 56 | 2
  (identical rows collapsed; the rows column gives how many times each appeared in the original list of 29)
  Nine of the ten distinct writes go into a process the writer has just created, which is what CreateProcess looks like from an API monitor and is not suspicious by itself. The last one is different: Logo1_.exe (2252) writes into PID 3540, which the process tree identifies as Explorer.EXE, its grandparent rather than a child. That is the entry to follow up when deciding whether code was injected into the shell.
Processes

C:\Windows\Explorer.EXE  (PID 3540)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe  (PID 4244)
    command line: "C:\Users\Admin\AppData\Local\Temp\b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 3292)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 5000)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 3448)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6FE.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe  (PID 2288)
        command line: "C:\Users\Admin\AppData\Local\Temp\b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe  (PID 2252)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 1368)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2824)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe  (PID 1912)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 1036)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

Reading the tree: the submitted sample (PID 4244, launched from Explorer) first tries to stop Kingsoft's antivirus service, drops and starts C:\Windows\Logo1_.exe (PID 2252), and runs a temporary batch file ($$aA6FE.bat) through cmd.exe that launches b723...N.exe from the same Temp path again, this time flagged as a dropped EXE (PID 2288). Logo1_.exe then repeats the service stop twice and does the file-system work recorded in the signatures above. The sandbox image has no Kingsoft product installed, so every net stop here fails silently; the command is still the strongest single indicator in the tree.
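The process tree, the Runs net.exe signature and the WriteProcessMemory rows are the parts of this report that translate most directly into detection logic. The following Python is an added example, not sandbox output and not code from the report: it encodes the tree as process-creation records (pid, parent pid, image, command line) and the de-duplicated memory-write pairs, then runs three rules over them (a net.exe/net1.exe service stop naming a security product, cmd.exe /c on a batch file in Temp, and an image in the Windows root launched by a Temp-resident parent) and a fourth check that singles out WriteProcessMemory calls whose target is not the writer's own child. The record layout, the AV_WORDS list and the rule names are assumptions made for the example; the PIDs, paths and command lines are the ones on this page.

```python
"""Rules over the process tree and the WriteProcessMemory rows of the report."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "pid ppid image cmdline")
Alert = namedtuple("Alert", "rule pid origin chain")

SAMPLE = "b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
BAT = TEMP + r"\$$aA6FE.bat"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
STOP_AV = 'stop "Kingsoft AntiVirus Service"'

# Constructed from the report's process tree: (pid, parent pid, image, command line).
PROCESSES = [
    Proc(3540, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4244, 3540, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(3292, 4244, NET, "net " + STOP_AV),
    Proc(5000, 3292, NET1, "C:\\Windows\\system32\\net1 " + STOP_AV),
    Proc(3448, 4244, r"C:\Windows\SysWOW64\cmd.exe", "C:\\Windows\\system32\\cmd.exe /c " + BAT),
    Proc(2288, 3448, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    Proc(2252, 4244, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(1368, 2252, NET, "net " + STOP_AV),
    Proc(2824, 1368, NET1, "C:\\Windows\\system32\\net1 " + STOP_AV),
    Proc(1912, 2252, NET, "net " + STOP_AV),
    Proc(1036, 1912, NET1, "C:\\Windows\\system32\\net1 " + STOP_AV),
]
# Constructed from the report's WriteProcessMemory rows, duplicates collapsed: (writer pid, target pid).
MEMORY_WRITES = [(4244, 3292), (3292, 5000), (4244, 3448), (4244, 2252), (2252, 1368),
                 (1368, 2824), (3448, 2288), (2252, 1912), (1912, 1036), (2252, 3540)]

# Assumption for this example: words that identify a security product in a service name.
AV_WORDS = ("antivirus", "anti-virus", "defender", "security", "protection")


def _name(image):
    return PureWindowsPath(image).name.lower()


def _in_user_temp(image):
    return "\\appdata\\local\\temp\\" in image.lower()


def build_tree(procs):
    return {p.pid: p for p in procs}


def ancestors(tree, pid):
    """Parent, grandparent, ... of pid, stopping when the parent is unknown."""
    chain, p = [], tree.get(pid)
    while p is not None and p.ppid in tree:
        chain.append(p.ppid)
        p = tree[p.ppid]
    return chain


def origin_pid(tree, pid):
    """Nearest process in the lineage (pid itself first) that runs from a user Temp directory."""
    for cand in [pid] + ancestors(tree, pid):
        if _in_user_temp(tree[cand].image):
            return cand
    return None


def rule_av_service_stop(p, tree):
    """net.exe / net1.exe asked to stop a service whose name names a security product."""
    if _name(p.image) not in ("net.exe", "net1.exe"):
        return False
    cl = p.cmdline.lower()
    return re.search(r"\bstop\b", cl) is not None and any(w in cl for w in AV_WORDS)


def rule_cmd_runs_temp_bat(p, tree):
    """cmd.exe /c running a batch file out of a Temp directory."""
    return (_name(p.image) == "cmd.exe"
            and re.search(r"/c\s+\S*\\temp\\\S+\.bat", p.cmdline, re.I) is not None)


def rule_windows_root_image_from_temp(p, tree):
    """An image directly in C:\\Windows launched by a process that itself runs from Temp."""
    parent = tree.get(p.ppid)
    in_windows_root = str(PureWindowsPath(p.image).parent).lower() == r"c:\windows"
    return in_windows_root and parent is not None and _in_user_temp(parent.image)


RULES = {"av_service_stop": rule_av_service_stop,
         "cmd_runs_temp_bat": rule_cmd_runs_temp_bat,
         "windows_root_image_from_temp": rule_windows_root_image_from_temp}


def evaluate(procs):
    """Run every rule over every process; each alert carries the Temp-resident origin and lineage."""
    tree = build_tree(procs)
    return [Alert(name, p.pid, origin_pid(tree, p.pid), ancestors(tree, p.pid))
            for p in procs for name, fn in RULES.items() if fn(p, tree)]


def cross_tree_writes(tree, writes):
    """WriteProcessMemory into anything other than the writer's own direct child.
    A write into a just-created child is how CreateProcess sets up the new process
    and is common; a write into any other process is the injection candidate."""
    return [(w, t) for w, t in writes if t not in tree or tree[t].ppid != w]


if __name__ == "__main__":
    for a in evaluate(PROCESSES):
        print(f"{a.rule:<30} pid={a.pid} origin={a.origin} lineage={a.chain}")
    print("cross-tree memory writes:", cross_tree_writes(build_tree(PROCESSES), MEMORY_WRITES))
```

Every alert resolves to origin 4244, the sample in Temp, which is the PID an analyst would pivot on; and of the ten memory writes only the one into Explorer.EXE (3540) survives the child filter, matching the reading of the WriteProcessMemory table above.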
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 577KB
MD5: df4a3617e8cbc3378d571dff386ef26c
SHA1: 9a3c64a8a6f2e181590ef7d8e1aee17d27978604
SHA256: 183ac24ebb30c430ddff92d90c7fa08b471bc9a86b7b73153a8e95944d81918f
SHA512: a30d190c86021c739cda8c7c9a1a0d73163d18a40260e944139e5cf0cf2c3cfb7c2aaf5d352908c321d9701da35ea637729d172f8e1ef45c46c68b8623cdffe7

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
MD5: 11e0853d537d2721ecc655c1fc527e91
SHA1: c8e23d103e93073ba7c93374878ae9a9f926c944
SHA256: f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
SHA512: 3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

Filesize: 728B
MD5: a5cac47d07b4d8b281159605700f7bfb
SHA1: 486140f0545be462807cb13234e0cfcb1804b1c1
SHA256: c8b59b9dbe2c337514297c9ffc5aead659bdbb73a9d60e291261c1c1ada87912
SHA512: b7c9aba46fed32c7e12f8a827fd2d88da607afc61d1a2862af83c7b03d91271df45266f6dc053fad1ea98e61643b04651f3336ad6c4a8284adda06e16b7e4e28

C:\Users\Admin\AppData\Local\Temp\b723df1978bb396a2446ddb583949a977d2cc5bdec5c9c1c4e773c022c46fa52N.exe.exe
Filesize: 68KB
MD5: 48335cfbe6a9bdaa2492ca1320b70a3a
SHA1: 6d3c3d659e3718a0b56f52c9d4386d55d7672b97
SHA256: 4ec34f1d893e8cc02f669fb5eb329bbcc5374bd7e7284e8fd86fbc29d2ffeb4d
SHA512: 9eaf3b380449ab1d2b4b6371336fc71f6a43eee0295de012d0859e7f3b80a87f9d8316b0e65d4ca450630ee17b95c64e79e594bfe27fb3965917b0c5bc2d1b58

Filesize: 33KB
MD5: c553ef4162b4d62dba0f2ddd0b295a33
SHA1: 71537c2536f7a1c17d798a29e95c35bee6437372
SHA256: c6b2a32cd1a1c9da4da4adfafdef3b1930c965bc36397f252228b4a5e5a9d822
SHA512: 48ec749bed872ffb573eb7b5d653cee33272cdeb655f3c084a8382b48007e42326673439f0e51863eb828122a980ff85a4ab7a417c77d6bb47dc2e630d13f7b7

Filesize: 9B
MD5: 5e0a31b83de656e964e3bafc02e48b44
SHA1: 4ff07638865e3ef91f142612ff2d06a78ce7052a
SHA256: 3b6f5f8fd2c76049e871847db6282f5567c112f9a793d6571a4bc740c493ba08
SHA512: ab728fe3451c71175babdf039c987e3b91d5e48a33e2e41eb9d9e021bbf484d5e701076b8e09e1370ee8267e6fbc7141f3af7a065d44d3d8509d3c55e1ab8efd

Paths are shown only for the entries where the page records them. Two things stand out for triage: the file written as <sample name>.exe.exe is 68KB with hashes that differ from the 101KB submitted sample, so the batch file stage produces a different binary under a near-identical name; and a cached .NET runtime installer under C:\ProgramData\Package Cache appears in this list at all, which together with the executables opened for modification under Program Files means hashes of existing binaries on an infected host can no longer be trusted to match vendor values.