5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3

Analysis

max time kernel
199s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe
Size

131KB
MD5

797a54b56d8d9259eb282b2447f6f9c5
SHA1

185f7f1cae1b12a106783b7755be3e26c8ed25ff
SHA256

5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3
SHA512

6d6a6a82a0791c4b1208f380f589de38983d8e7632ab761a44a6fdb9ef93287d0ea24abb95fc85d343a057d8271b22ac55d3c9ccd933fcb3ae0f357751052ac0
SSDEEP

1536:LfgLdQAQfwt7FZJ92Bs+GJUEA4aze/uYYdI4UkHiairSazBZDx5XBNEfvDHDtzLD:LftffepVPJUBzqubdIiqVB32THDtzL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	Logo1_.exe
3744	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 748	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	87
PID 1504 wrote to memory of 748	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	87
PID 1504 wrote to memory of 748	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	87
PID 1504 wrote to memory of 2640	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	89
PID 1504 wrote to memory of 2640	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	89
PID 1504 wrote to memory of 2640	1504	5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe	89
PID 2640 wrote to memory of 3248	2640	Logo1_.exe	91
PID 2640 wrote to memory of 3248	2640	Logo1_.exe	91
PID 2640 wrote to memory of 3248	2640	Logo1_.exe	91
PID 3248 wrote to memory of 5096	3248	net.exe	92
PID 3248 wrote to memory of 5096	3248	net.exe	92
PID 3248 wrote to memory of 5096	3248	net.exe	92
PID 748 wrote to memory of 3744	748	cmd.exe	93
PID 748 wrote to memory of 3744	748	cmd.exe	93
PID 748 wrote to memory of 3744	748	cmd.exe	93
PID 2640 wrote to memory of 3240	2640	Logo1_.exe	68
PID 2640 wrote to memory of 3240	2640	Logo1_.exe	68

C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe
"C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9882.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe
    "C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe"
    3⤵
    - Executes dropped EXE
    PID:3744
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:5096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
484KB

MD5
8a0acd39eb590629c1ae726f29738099

SHA1
b167053a3b6ccc5c651b66c9c5fc7046f502474b

SHA256
c672ffa2807165beea1f549a6ff79e14bd19e79b603c406e392a2b7799cfab3e

SHA512
b5d1f3320d0a7ca1dc241a3e08b1b02f8cdf89afa58db19e0f9539b96e7b00d48e8eaa07652941023439ebf1559c131c5ac90bf5acc5c350b9d2f89c02e0b3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9882.bat

Filesize
722B

MD5
d7e78be9891153c6186f89395a8d84c4

SHA1
6ed2c53339ddedca6ac6ffb82616e8a9af3508d4

SHA256
8a4e1d43c2186f36c88b037a3d779ee3b089a4c5e162191bbd3bf17b0d7b5ec1

SHA512
f76dd3a5cbde6cb9158e55b9da74e094fa1a8125c5ac9768e86ad5a93cacb3ed9de0872dd12178e64439252779ae3ca73f4a3494ed2304aca8c46402b18941d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe

Filesize
105KB

MD5
44b5c4f2fe8096f7e765e4a01abaf0b6

SHA1
b5a4be1a39fb907fa19721d941e1d282a3287455

SHA256
5460e930ba771c605f4aab4a801877952039b3258ebdca8c0ae0a1a4e262c82b

SHA512
39c58b5665158d42b91a6ea15e3939795cca0b415aff46e7db21ed5c98cb8025ba4835d59745d813e7fc63ae2658ab636960fb877eef233a688b14de89a6c1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5663ea0a4b252daeb85506d1e43fa10a495ce05cc7861efb28402caa523cabb3.exe.exe

Filesize
105KB

MD5
44b5c4f2fe8096f7e765e4a01abaf0b6

SHA1
b5a4be1a39fb907fa19721d941e1d282a3287455

SHA256
5460e930ba771c605f4aab4a801877952039b3258ebdca8c0ae0a1a4e262c82b

SHA512
39c58b5665158d42b91a6ea15e3939795cca0b415aff46e7db21ed5c98cb8025ba4835d59745d813e7fc63ae2658ab636960fb877eef233a688b14de89a6c1e2

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
4f89b2193307d4542523bda8155e02f3

SHA1
45ca5157b6ca2b043d65e4d34754a9be7aa83ef5

SHA256
fdd0a26d61eb13743d2f7bf5c8b16760ab3ceb9748bdaa57d33ce682961d1f8b

SHA512
9110a3f2f29cd14872d0ee96a772fb48d4ca26e09298b5a5337dac163f472f3500c1c46936366a08225dc956209807823ecd0ecee041cc10ae135b3abac8586d

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
4f89b2193307d4542523bda8155e02f3

SHA1
45ca5157b6ca2b043d65e4d34754a9be7aa83ef5

SHA256
fdd0a26d61eb13743d2f7bf5c8b16760ab3ceb9748bdaa57d33ce682961d1f8b

SHA512
9110a3f2f29cd14872d0ee96a772fb48d4ca26e09298b5a5337dac163f472f3500c1c46936366a08225dc956209807823ecd0ecee041cc10ae135b3abac8586d

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
4f89b2193307d4542523bda8155e02f3

SHA1
45ca5157b6ca2b043d65e4d34754a9be7aa83ef5

SHA256
fdd0a26d61eb13743d2f7bf5c8b16760ab3ceb9748bdaa57d33ce682961d1f8b

SHA512
9110a3f2f29cd14872d0ee96a772fb48d4ca26e09298b5a5337dac163f472f3500c1c46936366a08225dc956209807823ecd0ecee041cc10ae135b3abac8586d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045988481-1457812719-2617974652-1000\_desktop.ini

Filesize
10B

MD5
3fa5f43b227b96d6334e4649982d21b7

SHA1
aaca225fe44f532099d2d7d7b00d80ebc3dd003b

SHA256
d8fdb800da5ad9cc8b64df32df8c6006127fb46c590ee39f84bfd8b4f8912358

SHA512
2bf18238a4b94cb61fdd22c61007bc5cbb7fc712b69685cc03efc548622dc365f07159a6599192b1aed0c2ffa9911fbeb321323f7bf24c8706d52adff07e432e

Download Submit
memory/1504-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download