78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
Size

227KB
MD5

7a539b03e779c57a06383779a014825d
SHA1

87483db2f259d80df45272195436ef6dcbc1eb6d
SHA256

78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca
SHA512

a1099082ce9c4b9ce8ef2f7c1ef4d6a95f68b9ff48df1b6c1d92df8cdbe4f0d7829d557f19994728f2e8639b00ca8a5786828e2d344cf5a8484fff517a9613d8
SSDEEP

3072:isftffjmNrHrfzY6c6X/YoW4l/DReos0gXf+EvC6C36eCWdMuIB+NSzx602h9dX+:bVfjmNHAel/DRfkTC3dMnB++Cs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	Logo1_.exe
924	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
File created	C:\Windows\Logo1_.exe	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe
2760	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 684	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	92
PID 1664 wrote to memory of 684	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	92
PID 1664 wrote to memory of 684	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	92
PID 1664 wrote to memory of 2760	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	95
PID 1664 wrote to memory of 2760	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	95
PID 1664 wrote to memory of 2760	1664	78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe	95
PID 2760 wrote to memory of 1896	2760	Logo1_.exe	96
PID 2760 wrote to memory of 1896	2760	Logo1_.exe	96
PID 2760 wrote to memory of 1896	2760	Logo1_.exe	96
PID 684 wrote to memory of 924	684	cmd.exe	98
PID 684 wrote to memory of 924	684	cmd.exe	98
PID 684 wrote to memory of 924	684	cmd.exe	98
PID 1896 wrote to memory of 2040	1896	net.exe	99
PID 1896 wrote to memory of 2040	1896	net.exe	99
PID 1896 wrote to memory of 2040	1896	net.exe	99
PID 2760 wrote to memory of 3576	2760	Logo1_.exe	36
PID 2760 wrote to memory of 3576	2760	Logo1_.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
  "C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6647.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe
      "C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe"
      4⤵
      Executes dropped EXE
      PID:924
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
ed5a0b25681e2e1db8d2b13e99ddedfa

SHA1
0aa5cadd0b93c41384882657081ec8e8a659a594

SHA256
32e456607ca4d34ffe26c84d05cb8916f5f10bd031fb243713d4a0e87c0c68b5

SHA512
eafe7d69df8e69f2909518c0827756169eec91849a5d5b7b41b0091870697a4821f9635645480bea08348349dc99e68f724f65f62863929520f7d1f7cef3818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6647.bat

Filesize
722B

MD5
5ca020946ece25a5c27fc846d97fd8e1

SHA1
3f3f0e6b826357516aed96d6d3e9f88615d070ed

SHA256
51301879a9af3c95abbcc44d4183bd70fbacea44d6947cc90a98d29fd258db6d

SHA512
574f036c6283797e7018c71a0b96573ffc7c980804dacb75e0746891f2964c4c072ea948c05b6495deaec71bc165c7bfab53410267fef15462b13adc0cfc5f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\78619af783c3c8c0d7c41159ac86ff40de9eb94b59ef1842675c8e7a5feee8ca.exe.exe

Filesize
201KB

MD5
11fe091ace9d03b9ada6d5a22d12c0d0

SHA1
5379ebe84500d425586904e7f9ac0393ab2a9d24

SHA256
50f4ed60a507ce9dd1f3f4e7d53053d923cb71594374a25251746a9b2271e4ee

SHA512
0f39af99697332c697ca62e2708e0a9200552a55f2d3057b64e9b18df2fe2828be750b14b5336ac9518b4c1282e82cd170b64587cf56b45b840ca231108b7fdf

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
6a2fe8366e8c4e599cf0f58addd6dbfb

SHA1
42d87d444f62be53bf6e092aadb030b7f14a8a9b

SHA256
275f0e70263a79d5e1dd80f8aa774b43597bfc3d951ff2785a3b55c38325a340

SHA512
2d2caa6ac1e694a18d02726e4d6a4e9f2179fa5a056c081029d0a6bc5cd2d971eeb17b528edd92a5bfafe3ef8598eaead539d9226e502f984d8be62c5ee94e6e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\_desktop.ini

Filesize
10B

MD5
b8fe24fdb9877e9096606f3ec04e8aee

SHA1
195fca588a722e6802e655b3f8a838bf4cbc18a3

SHA256
c73bcb74435008f4d7f5d19e221dfb777624db21cc98dcbf6969e313783b0525

SHA512
bfb98ccb3dc3106bb839319e5f7b3c1b7c67a5f97160ac967b944472eff9da64819daf40809b335bfe08a1610ea9f2ea0fb0bfde86b85a5ba6239b1201615295

Download Submit
memory/1664-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-762-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download