43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653

Analysis

max time kernel
221s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe
Size

73KB
MD5

65354a3e3647edf1c9a623d24e1120d9
SHA1

594da9e26d775ee874fb1431728bc226d81fdf20
SHA256

43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653
SHA512

4d880146246f282a0ef61a37b4c70909c5e37e22031046ac395391161f51433573885dd5bc0745a2b325ba306f53ef0da4e01ff81ca83a6e5e936793fef1eca1
SSDEEP

1536:UIkfgLdQAQfwt7FZJ92BspuuS2nnggOT/AH2pakpeOInUqUKSHaeK:UIkftffepVPpuuLXUy2pJIOInUqU6F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4448	Logo1_.exe
768	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	768	WerFault.exe	94

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe
4448	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4336	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	86
PID 880 wrote to memory of 4336	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	86
PID 880 wrote to memory of 4336	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	86
PID 880 wrote to memory of 4448	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	87
PID 880 wrote to memory of 4448	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	87
PID 880 wrote to memory of 4448	880	43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe	87
PID 4448 wrote to memory of 3880	4448	Logo1_.exe	89
PID 4448 wrote to memory of 3880	4448	Logo1_.exe	89
PID 4448 wrote to memory of 3880	4448	Logo1_.exe	89
PID 4448 wrote to memory of 3272	4448	Logo1_.exe	34
PID 4448 wrote to memory of 3272	4448	Logo1_.exe	34
PID 3880 wrote to memory of 1580	3880	net.exe	92
PID 3880 wrote to memory of 1580	3880	net.exe	92
PID 3880 wrote to memory of 1580	3880	net.exe	92
PID 4336 wrote to memory of 768	4336	cmd.exe	94
PID 4336 wrote to memory of 768	4336	cmd.exe	94
PID 4336 wrote to memory of 768	4336	cmd.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3272
- C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe
  "C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E5E.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe
      "C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe"
      4⤵
      Executes dropped EXE
      PID:768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 704
        5⤵
        Program crash
        
        PID:2936
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 768 -ip 768
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
7e1d2fa4fd1da0029d8c0177b3354b49

SHA1
73df859a4c0725e13ef2a6af961e4d3dd60ff41d

SHA256
66df3d7aab28c6d03331123a16d509b02ca545af594eaad56aa195f65897674a

SHA512
2ca6faa8057012bfab403e441c8bf8dc6db50108cbd3753ad3db68dd43e4e92d0841cb909c53715d38b7e51da2b21ca13afa2d51b1aa28c3803935824666ff71

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9E5E.bat

Filesize
722B

MD5
9084a83d9d4b663f07a2f9104c660172

SHA1
a1f590debf2f4c62f99068e87c2a593b06b4eec6

SHA256
24016955a628bc1ac986a0e85c9f349c31676a17dae05687349b9c963ab70b8b

SHA512
3941b9c9e523e9957a41c22d58d137475063252a50e5d069e2197b551f0fef87c60e149efa22f4eb2c6d35bd8383dc3fbdf21947401cb69ebc8c49ee28760d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe

Filesize
47KB

MD5
493b286f0c41fcc9a44cb2b6a94f6fef

SHA1
2e4a742f01acc2cee315e31a64b176d892ef0022

SHA256
993d2b2fa72dadc7753c62b39d0d35ef1586f00f2eed60eb729057142ad76b4a

SHA512
9f74f38acdb47bc03642631252176f61464d9fbded6aa574af200ff5e436d7d56724548e27470413624842db11760464c376f19c76647388de7ead4c1c838167

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f96e38ac82a0f2b5037abed76ed409842a51a7ac81c7838d9d2ba94999b653.exe.exe

Filesize
47KB

MD5
493b286f0c41fcc9a44cb2b6a94f6fef

SHA1
2e4a742f01acc2cee315e31a64b176d892ef0022

SHA256
993d2b2fa72dadc7753c62b39d0d35ef1586f00f2eed60eb729057142ad76b4a

SHA512
9f74f38acdb47bc03642631252176f61464d9fbded6aa574af200ff5e436d7d56724548e27470413624842db11760464c376f19c76647388de7ead4c1c838167

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ac3f009050ca5bee947e9c3639175aa0

SHA1
ac3239e5d89830b89396d120fd4fa496cf5f74ad

SHA256
b5437c7559753b61c4a2af8e4fb7a0ab08386babbcfd3ca17d66260488ccb580

SHA512
f785d66eaf14a73bfc29edb407e623dce0da22e6d4e72b234daf4da659e1e151333e0b048a362495f1f1faf3c3a079f73a439d8d7760d077cbaf0ab4657a3ad8

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ac3f009050ca5bee947e9c3639175aa0

SHA1
ac3239e5d89830b89396d120fd4fa496cf5f74ad

SHA256
b5437c7559753b61c4a2af8e4fb7a0ab08386babbcfd3ca17d66260488ccb580

SHA512
f785d66eaf14a73bfc29edb407e623dce0da22e6d4e72b234daf4da659e1e151333e0b048a362495f1f1faf3c3a079f73a439d8d7760d077cbaf0ab4657a3ad8

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ac3f009050ca5bee947e9c3639175aa0

SHA1
ac3239e5d89830b89396d120fd4fa496cf5f74ad

SHA256
b5437c7559753b61c4a2af8e4fb7a0ab08386babbcfd3ca17d66260488ccb580

SHA512
f785d66eaf14a73bfc29edb407e623dce0da22e6d4e72b234daf4da659e1e151333e0b048a362495f1f1faf3c3a079f73a439d8d7760d077cbaf0ab4657a3ad8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045988481-1457812719-2617974652-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/880-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download