Analysis
max time kernel: 161s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
  Resource: win10v2004-20230915-en
General
Target: d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
Size: 616KB
MD5: 33316e00fb5ab463eb918a564593ea04
SHA1: 5b6b9b8c7e46506c72ae04dcaf8248e1043d37af
SHA256: d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e
SHA512: ea81748e14e947b810a2edfa31eb46157939008fd0d48e0ef4167064f3280e136123c8dffe2de72c19da37fb60d628d61e6ac40376124429e37f4c11135b9be9
SSDEEP: 12288:iYSDUdaBzi3L0HlqA8qsU+4gN+Pk77CJd8sYk6QxVDpNI1nqvmi:ipDUdaBzib0FqEsU+4hPk7eok7NNIJa
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
2160  Logo1_.exe
3368  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                      Process
File created                  C:\Windows\vDll.dll      Logo1_.exe
File created                  C:\Windows\rundl132.exe  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
File created                  C:\Windows\Logo1_.exe    d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid   Process
2160  Logo1_.exe (the same entry is recorded 20 times)
Suspicious use of WriteProcessMemory (17 IoCs)
description                       pid   Process                                                                 procid_target
PID 2172 wrote to memory of 4880  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  89
PID 2172 wrote to memory of 4880  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  89
PID 2172 wrote to memory of 4880  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  89
PID 2172 wrote to memory of 2160  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  91
PID 2172 wrote to memory of 2160  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  91
PID 2172 wrote to memory of 2160  2172  d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe  91
PID 2160 wrote to memory of 4840  2160  Logo1_.exe                                                              94
PID 2160 wrote to memory of 4840  2160  Logo1_.exe                                                              94
PID 2160 wrote to memory of 4840  2160  Logo1_.exe                                                              94
PID 4880 wrote to memory of 3368  4880  cmd.exe                                                                 96
PID 4880 wrote to memory of 3368  4880  cmd.exe                                                                 96
PID 4880 wrote to memory of 3368  4880  cmd.exe                                                                 96
PID 4840 wrote to memory of 1448  4840  net.exe                                                                 97
PID 4840 wrote to memory of 1448  4840  net.exe                                                                 97
PID 4840 wrote to memory of 1448  4840  net.exe                                                                 97
PID 2160 wrote to memory of 3148  2160  Logo1_.exe                                                              54
PID 2160 wrote to memory of 3148  2160  Logo1_.exe                                                              54
Processes (process tree; the number is the depth in the tree)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3148

  2. C:\Users\Admin\AppData\Local\Temp\d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe"
     Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
     PID: 2172

    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B9D.bat
       Signatures: Suspicious use of WriteProcessMemory
       PID: 4880

      4. C:\Users\Admin\AppData\Local\Temp\d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\d053259ce03aa9c27d47fe776edd5502d90196fcc3823230ceda31257685c82e.exe"
         Signatures: Executes dropped EXE
         PID: 3368

    3. C:\Windows\Logo1_.exe
       Command line: C:\Windows\Logo1_.exe
       Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
       PID: 2160

      4. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         Signatures: Suspicious use of WriteProcessMemory
         PID: 4840

        5. C:\Windows\SysWOW64\net1.exe
           Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
           PID: 1448
Network
MITRE ATT&CK Enterprise v15
Downloads