Analysis
- max time kernel: 163s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 15:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
  Resource: win7-20230831-en
Behavioral task
- behavioral2
  Sample: 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
  Resource: win10v2004-20230915-en
General
- Target: 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
- Size: 3.1MB
- MD5: 0cbe14e9aca0103b29b6f6b588673be9
- SHA1: f2c96166e1a463af5c2a500b5a213a8ff2a8ff43
- SHA256: 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c
- SHA512: 2711cb899b9c1dda2fedbbc3b500edee9ab27241638392ef5c859d2e59692b81835264a1d427748b2a684878a870efdfa6ef444a20cba9e49906fbd9a78ec89f
- SSDEEP: 49152:W7ukCSbbYstGP3jg6hEXJJ1o9FuHje1cnklfu5A3cP:CkvEJ/cuHjeHu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 248: Logo1_.exe
  pid 3668: 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
  File created C:\Windows\Logo1_.exe by 6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 248: Logo1_.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  source PID  source process                                                          target PID  procid_target
  3676        6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe   2184        88
  3676        6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe   248         90
  248         Logo1_.exe                                                              1180        91
  1180        net.exe                                                                 4100        93
  248         Logo1_.exe                                                              2624        46
Processes
- C:\Windows\Explorer.EXE
  command: C:\Windows\Explorer.EXE
  PID: 2624
  - C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
    command: "C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 3676
    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2AE3.bat
      PID: 2184
      - C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
        command: "C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe"
        signatures: Executes dropped EXE
        PID: 3668
    - C:\Windows\Logo1_.exe
      command: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 248
      - C:\Windows\SysWOW64\net.exe
        command: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        PID: 1180
        - C:\Windows\SysWOW64\net1.exe
          command: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4100
Network
MITRE ATT&CK Enterprise v15
Downloads