038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045

Analysis

max time kernel
217s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
Size

239KB
MD5

31bddc60c9daeebd1efd4170d02a02a8
SHA1

c68ffa75a7700406caa50131e785f622d354403c
SHA256

038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045
SHA512

fd40f3c18dc0a6493dae65c34626e4516d1fc012fd89840ffef7732ca590ce7c762233d59a128ebaaa00fb1490165b04a82429ec988f0ecd958d9691b32fe09f
SSDEEP

3072:+bftffjmNbqcVz5fzsTl4dsOc6v2vTzwU+Pho86meq+FaSoB2+vSHrX:aVfjmNecT93PiY+Fa7BdvGX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4796	Logo1_.exe
4584	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe
4796	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1708	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	86
PID 1808 wrote to memory of 1708	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	86
PID 1808 wrote to memory of 1708	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	86
PID 1808 wrote to memory of 4796	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	87
PID 1808 wrote to memory of 4796	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	87
PID 1808 wrote to memory of 4796	1808	038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe	87
PID 4796 wrote to memory of 1156	4796	Logo1_.exe	88
PID 4796 wrote to memory of 1156	4796	Logo1_.exe	88
PID 4796 wrote to memory of 1156	4796	Logo1_.exe	88
PID 1156 wrote to memory of 2220	1156	net.exe	90
PID 1156 wrote to memory of 2220	1156	net.exe	90
PID 1156 wrote to memory of 2220	1156	net.exe	90
PID 1708 wrote to memory of 4584	1708	cmd.exe	92
PID 1708 wrote to memory of 4584	1708	cmd.exe	92
PID 1708 wrote to memory of 4584	1708	cmd.exe	92
PID 4796 wrote to memory of 3172	4796	Logo1_.exe	43
PID 4796 wrote to memory of 3172	4796	Logo1_.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
  "C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED39.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
      "C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe"
      4⤵
      Executes dropped EXE
      PID:4584
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
94b66f3e099a5bb2a3297cc3f19b690c

SHA1
0ed7175bdae8352a8eb620992ecb941bbae1cad5

SHA256
d50279ea1ed42b86655de9303d76abebddf8cbe07844939fe42323ab1bf8b1e0

SHA512
29e32824099d66b94a449e1fb9168802c9dac0d08d6648fa0272a89331adcd7946cd843d25b88eca056577cd7fc22fa35e823e4c9008894a2c82607df56bb2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aED39.bat

Filesize
722B

MD5
a984c5470afc6dcf08f11b3f01aa7e95

SHA1
c82c1203aa5350ff2a0cccb63162d524fedeb0f0

SHA256
277694517ee6b344d674b14ca4c2dd0b7718b85962bc2f2124c6f89f8962f933

SHA512
13e16e04ef835e1656ac2627fa1aa9aa49b87891684429b2383fa2e1f992d5e9416e713e07b2e3fffc757329a040143f0864e9a4e5e4c96889d465d31cdbcb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe

Filesize
213KB

MD5
20d89d1781cde87db3a8b59da816efcc

SHA1
4f6670c4dcd8d978b21d1db91e081e609f5abcd0

SHA256
4653df6eb852f717ac03d5ecdfdd5e1e2c1ac70b012049f1188e0e7d5b5f8983

SHA512
7b03a2e2c5f94a3e6164e160e3346cf0e8247471c48858dad9747dc17c8bccd20caaf2ea9f15d7e6be3e633a01536caefdeff6b384c4448c861f1e5a5ff6cf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe.exe

Filesize
213KB

MD5
20d89d1781cde87db3a8b59da816efcc

SHA1
4f6670c4dcd8d978b21d1db91e081e609f5abcd0

SHA256
4653df6eb852f717ac03d5ecdfdd5e1e2c1ac70b012049f1188e0e7d5b5f8983

SHA512
7b03a2e2c5f94a3e6164e160e3346cf0e8247471c48858dad9747dc17c8bccd20caaf2ea9f15d7e6be3e633a01536caefdeff6b384c4448c861f1e5a5ff6cf0e

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f7b0ab0aff6aad4bf0ccf0f3b127a9fd

SHA1
4a66a7d02be22cd152d1b1815e7c9a7bca03c909

SHA256
55b1084df5b436dbe01998c2eccceb74f9ef6dad3cbcade949e47d4b340a0365

SHA512
214b61c2e57148d152c7be4dc462d0ba617192b3dc6999b8edc0105ab897d286688f8b4ff1d4e0637a40f25f31d75bf83a75d12a392b6ef68d37d3cc8d0f0a92

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f7b0ab0aff6aad4bf0ccf0f3b127a9fd

SHA1
4a66a7d02be22cd152d1b1815e7c9a7bca03c909

SHA256
55b1084df5b436dbe01998c2eccceb74f9ef6dad3cbcade949e47d4b340a0365

SHA512
214b61c2e57148d152c7be4dc462d0ba617192b3dc6999b8edc0105ab897d286688f8b4ff1d4e0637a40f25f31d75bf83a75d12a392b6ef68d37d3cc8d0f0a92

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
f7b0ab0aff6aad4bf0ccf0f3b127a9fd

SHA1
4a66a7d02be22cd152d1b1815e7c9a7bca03c909

SHA256
55b1084df5b436dbe01998c2eccceb74f9ef6dad3cbcade949e47d4b340a0365

SHA512
214b61c2e57148d152c7be4dc462d0ba617192b3dc6999b8edc0105ab897d286688f8b4ff1d4e0637a40f25f31d75bf83a75d12a392b6ef68d37d3cc8d0f0a92

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045988481-1457812719-2617974652-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/1808-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download