0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
Size

83KB
MD5

9455b9f6832cdcbac081d594f3b0ffa8
SHA1

de8849aee6c697801be70ee835a88fb0e8e71009
SHA256

0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af
SHA512

f6b6272af9be6c3eb31228046ae77c6a8efea9c35e4591ff5518c55f297bacf9d13b5179993f301503aa5d92254886f6e9de6a8cbbf9e173541724f36bfffbed
SSDEEP

1536:2fgLdQAQfhJIJ0IO61oPeacurY7Rc/a/ysfq2hltssjWpVCVuM0nm:2ftffhJCuUorcUY7zvhfsGuKuMGm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3948	Logo1_.exe
4548	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
File created	C:\Windows\Logo1_.exe	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe
3948	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1268	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	85
PID 4988 wrote to memory of 1268	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	85
PID 4988 wrote to memory of 1268	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	85
PID 4988 wrote to memory of 3948	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	87
PID 4988 wrote to memory of 3948	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	87
PID 4988 wrote to memory of 3948	4988	0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe	87
PID 3948 wrote to memory of 4856	3948	Logo1_.exe	88
PID 3948 wrote to memory of 4856	3948	Logo1_.exe	88
PID 3948 wrote to memory of 4856	3948	Logo1_.exe	88
PID 4856 wrote to memory of 4920	4856	net.exe	90
PID 4856 wrote to memory of 4920	4856	net.exe	90
PID 4856 wrote to memory of 4920	4856	net.exe	90
PID 1268 wrote to memory of 4548	1268	cmd.exe	91
PID 1268 wrote to memory of 4548	1268	cmd.exe	91
PID 1268 wrote to memory of 4548	1268	cmd.exe	91
PID 3948 wrote to memory of 3156	3948	Logo1_.exe	43
PID 3948 wrote to memory of 3156	3948	Logo1_.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
  "C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a634E.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe
      "C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe"
      4⤵
      Executes dropped EXE
      PID:4548
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
21c3de0a87a08c7f79a79abdd775c7fa

SHA1
b9b8fa21b10199aa8d764a7990193df7823d1ea1

SHA256
12deecc2b56b7089af3ccea965a828b51d3e88a0556dca5411d4f14eb3cb9b09

SHA512
599860961b3eb4423e98be92100329670cddf87b80903a950c693c2c07e798bd642a94a64d1e0329040190ff9cc8f323547783e21f78a981f401cee37533d6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a634E.bat

Filesize
722B

MD5
d3a2a56880baea4b9cf468bf35784f18

SHA1
9ebc569dd2215e4e92ec0a12ab73dd05963d98df

SHA256
2133fc3f684585ead225140102a0dee153769c7edbc65bc29bc6fb8ecf101b8e

SHA512
d838e63ba8f8de0663e47cb5e233f87de949c940d0a4281c485e5a6efacfc9366aa724d3e5068452f92051dbe9448654697d1f1512f93d55a5e56f3dcce5bc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe

Filesize
57KB

MD5
f20120319812bf92cffc6a7f5f8134d0

SHA1
7d6b2b23d3e0791ce9f646e1b7c00a815e29ccdf

SHA256
ddc3bc440c3ab581e4968dad35e0f43b15be9c6690c701e702d9f615adf86606

SHA512
820137b5b94676bb1937f68b5947ed7ffbdc5bc15f6e21ccc1cc67c8c2226dd157469dd039a7bbaa04096f46f2c7919c0e5c7d9c53e7343568969ab02785cafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b5f785a6d61624fb5618c310421f09847d9eeee481a9d15df5d67326f03e4af.exe.exe

Filesize
57KB

MD5
f20120319812bf92cffc6a7f5f8134d0

SHA1
7d6b2b23d3e0791ce9f646e1b7c00a815e29ccdf

SHA256
ddc3bc440c3ab581e4968dad35e0f43b15be9c6690c701e702d9f615adf86606

SHA512
820137b5b94676bb1937f68b5947ed7ffbdc5bc15f6e21ccc1cc67c8c2226dd157469dd039a7bbaa04096f46f2c7919c0e5c7d9c53e7343568969ab02785cafa

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8d52fa03a0b7e8a6766b2d769aacd7e6

SHA1
f2b8804c1efd0a2544a5c59dd1d2a0589a336761

SHA256
d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

SHA512
d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8d52fa03a0b7e8a6766b2d769aacd7e6

SHA1
f2b8804c1efd0a2544a5c59dd1d2a0589a336761

SHA256
d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

SHA512
d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
8d52fa03a0b7e8a6766b2d769aacd7e6

SHA1
f2b8804c1efd0a2544a5c59dd1d2a0589a336761

SHA256
d3a5d60f78a59fcdfe9f0cc7fd087c0fbccb338a78a193f0da0fe0661cf5a8cd

SHA512
d0771b56e9c8b0a998a9730d68fe5c362512d5ffb8c0e06d4dee8bedd4f455e61ae08d346388ec9abd6350aa26d49298720aea3de112dfaa9687bc6d136a62a2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/3948-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-1117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-1119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download