182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee

Analysis

max time kernel
163s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
Size

50KB
MD5

04b91c8721fd1d2ae1d20328d0787628
SHA1

a29a19c768ed04890c3394b179b063e0c8193e1e
SHA256

182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee
SHA512

7cf1872a0c5b17de367ab37fe4be0523f69492ac7616639d492a0e84fc925a00ed153d5d1f12428cde9d7bc57ad7864a18c42568271a6eb8a545a71487e25bb7
SSDEEP

768:1Hcp1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLjdzbXjQLiaeB949rwXkAwQ6Ufn:YfgLdQAQfcfymN/ZXkWS9rwXkjUfn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4632	Logo1_.exe
5016	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
File created	C:\Windows\Logo1_.exe	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1348	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	84
PID 2452 wrote to memory of 1348	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	84
PID 2452 wrote to memory of 1348	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	84
PID 2452 wrote to memory of 4632	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	86
PID 2452 wrote to memory of 4632	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	86
PID 2452 wrote to memory of 4632	2452	182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe	86
PID 4632 wrote to memory of 2092	4632	Logo1_.exe	87
PID 4632 wrote to memory of 2092	4632	Logo1_.exe	87
PID 4632 wrote to memory of 2092	4632	Logo1_.exe	87
PID 1348 wrote to memory of 5016	1348	cmd.exe	89
PID 1348 wrote to memory of 5016	1348	cmd.exe	89
PID 1348 wrote to memory of 5016	1348	cmd.exe	89
PID 2092 wrote to memory of 544	2092	net.exe	90
PID 2092 wrote to memory of 544	2092	net.exe	90
PID 2092 wrote to memory of 544	2092	net.exe	90
PID 4632 wrote to memory of 3164	4632	Logo1_.exe	40
PID 4632 wrote to memory of 3164	4632	Logo1_.exe	40

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
  "C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a751B.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
      "C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe"
      4⤵
      Executes dropped EXE
      PID:5016
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
677de80fbcca8d6cf4ba539133d37539

SHA1
725696c6efff345c1a72fc368dc4926e77532263

SHA256
527bd74317d720b2e0ad0d390ffe2f01d3ebf5d7e35bf6a674e3dd0c8b521dd2

SHA512
b1881a72d0d6d3815a2c7ce20ba7b4db6d44ca4423192ce7cfc39b9c023c66a62f168780cc907012f166072fd195694b494c7b288463bd55a77f4820fe726d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a751B.bat

Filesize
722B

MD5
65f0763d2f018bcd74345ee89bad82e2

SHA1
3eb19ac7e39fce5612a08f07f917b9a321ce6844

SHA256
12c8f4dd4a7a39682ac7c01c88bd0346ab301b5acaed793fadc42829a7ad2793

SHA512
22579ab47431f5d375fdce75b83646d3482cfa456fa879ea76fc9db38786529e50506ec7a8b572e135d7ddd715abc61bb4d473fdd2678268631cf6b3c3f34de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe

Filesize
23KB

MD5
a5c496552546b7e79d6228a3a419bf5d

SHA1
b29303a2d03d483baa2d5735df359c00aa9aed60

SHA256
2d0b45fa608dd8336722d85be930bb0d271fc407230a6f5082fdb3b058f67119

SHA512
c5d4973387ef18bfaaaf9ccf47fd0cbc485940fb77c59a4212bcf33c5cfc6b969d13bd34c3b7f5199925a7e40b19b4a3ae19cff5559c057fa106414c83775713

Download Submit
C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe.exe

Filesize
23KB

MD5
a5c496552546b7e79d6228a3a419bf5d

SHA1
b29303a2d03d483baa2d5735df359c00aa9aed60

SHA256
2d0b45fa608dd8336722d85be930bb0d271fc407230a6f5082fdb3b058f67119

SHA512
c5d4973387ef18bfaaaf9ccf47fd0cbc485940fb77c59a4212bcf33c5cfc6b969d13bd34c3b7f5199925a7e40b19b4a3ae19cff5559c057fa106414c83775713

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
fdd504678a404fbffc560cd95a4363ff

SHA1
0e8a87142acaeadfe96f00ea117c05758b0514cc

SHA256
4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da

SHA512
c6e5b506c5988072cbee535f18c89fec46fad599adff83a13ecb819bc157391a527eb5336c9c03392174a6ab345b699602fe9ecb0139a2a10a053f557ccc769f

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
fdd504678a404fbffc560cd95a4363ff

SHA1
0e8a87142acaeadfe96f00ea117c05758b0514cc

SHA256
4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da

SHA512
c6e5b506c5988072cbee535f18c89fec46fad599adff83a13ecb819bc157391a527eb5336c9c03392174a6ab345b699602fe9ecb0139a2a10a053f557ccc769f

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
fdd504678a404fbffc560cd95a4363ff

SHA1
0e8a87142acaeadfe96f00ea117c05758b0514cc

SHA256
4b396f3b3d76cd75e64a47eb652ab93d6239a197fd9b32c66619d6a8ffbdc2da

SHA512
c6e5b506c5988072cbee535f18c89fec46fad599adff83a13ecb819bc157391a527eb5336c9c03392174a6ab345b699602fe9ecb0139a2a10a053f557ccc769f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini

Filesize
10B

MD5
743754b59d55d26c081d8f839a3662c8

SHA1
8e88e3bda53f58b9122f6f9c9a5f23f80e7be6c7

SHA256
bbb0f1aae4572c821fac1d6b7890df67d9f4a7576af30e70925192dded063e8b

SHA512
1e8d9e5e1651bd2aaef969713d949cc4ddab58c53d0be31392d660aedeb621a0f968196e4938d2ba75e40ebdb7557cee23bf5587877268cb087fdd09a8abba1b

Download Submit
memory/2452-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download