4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe
Size

562KB
MD5

d19d9969fff77acc5a5778db30a47161
SHA1

153cc2f2e1e8b5178f1de57fe588589c62fbf8dd
SHA256

4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01
SHA512

b1912cb7f9aca0ffd948089eb48693f14545272d3e9bcef1ec851234ccf95385704d68084b6f37e2055f754cbee484a889b652a2b50fc74a57199588334a74a4
SSDEEP

6144:59TuJEvj1UuBYWqkpUbmZDhuN7141r0HiUZSxcApGza:fTj1fYWqkp4mZ241AHBGcAMa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3400	Logo1_.exe
1480	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe
File created	C:\Windows\Logo1_.exe	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe
3400	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3740	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	88
PID 4884 wrote to memory of 3740	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	88
PID 4884 wrote to memory of 3740	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	88
PID 4884 wrote to memory of 3400	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	89
PID 4884 wrote to memory of 3400	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	89
PID 4884 wrote to memory of 3400	4884	4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe	89
PID 3400 wrote to memory of 5024	3400	Logo1_.exe	91
PID 3400 wrote to memory of 5024	3400	Logo1_.exe	91
PID 3400 wrote to memory of 5024	3400	Logo1_.exe	91
PID 5024 wrote to memory of 1260	5024	net.exe	94
PID 5024 wrote to memory of 1260	5024	net.exe	94
PID 5024 wrote to memory of 1260	5024	net.exe	94
PID 3740 wrote to memory of 1480	3740	cmd.exe	95
PID 3740 wrote to memory of 1480	3740	cmd.exe	95
PID 3400 wrote to memory of 3360	3400	Logo1_.exe	15
PID 3400 wrote to memory of 3360	3400	Logo1_.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe
  "C:\Users\Admin\AppData\Local\Temp\4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a733C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe
      "C:\Users\Admin\AppData\Local\Temp\4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe"
      4⤵
      Executes dropped EXE
      PID:1480
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
c2c80a41cb9387d9d27524b8f4bb22ec

SHA1
a3a3b8c7608f89495665bbbfec8bf2e685da43b7

SHA256
d08b5e77a45ae98f1aca81c23580ed7be298f0dec7a8c84e6db7bcf6775779d7

SHA512
b6c3c4f725508afd04646a1bf61bf6171d74ad58de794fc6b10f09738a128f453966b540d583705d8f5eeb08cbed2249163d0b5d80ef795d0ed34d4453b8ba98

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a733C.bat

Filesize
722B

MD5
7124b880c16bd2644866b632f753e5fc

SHA1
c37905bb337be634f156971318a599b5fc5bdfbe

SHA256
4d3edcdce3f5ea75beaf8d048c6ef372b8fd5955ada4f6da5f032e09b4355556

SHA512
db97def2019065830caff75094e6ae911e94090a65a752d179c2c9cab54c4e8a2160794042be4a6eb9f4a3201ced54027d11515d3c4dd267e108f54f9721dc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\4acc8629d16cd0f0fe869b82e4ae6d519353e299afd4aaf602afef675d152d01.exe.exe

Filesize
533KB

MD5
500f306e161d29a49d47eb046633166f

SHA1
abad3db52ce0463237ca1785545541399075ade3

SHA256
b4d783e2f40e9b3a4da806762367f5e890d5ee8558361aea57b966bd2f891a63

SHA512
fd6fa6af86746866495b07e999cf280aba18c13d1c11ad53782c6515760f5d418ef4d683a3607f842320e853c8ff5e49ad17d7c60b863a910f7885ac8e9dd4ed

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
886eb3bf6157b45d4a041e1e32608c70

SHA1
f476a007366ac0349789b0e803ec46be523f457a

SHA256
a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

SHA512
6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\_desktop.ini

Filesize
10B

MD5
34c7bf8c1e8aa0e76a1cb36da6f3c07f

SHA1
93bff4db65fd067f94ca08ce2654a2675925b27d

SHA256
89ee7da24a1550d124e7ac206a8d49733f819c098eebf27b8c7f28e931a09f53

SHA512
ba8fa54ac2e6eafb524f14c7d286d9910afd808ec561c933af8b72a9cdb813e0e7777dc04a9dfdb6c985f27f123ac34a19782d6c0e734f8ab4e9860c9033139b

Download Submit
memory/3400-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-1003-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-1166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-1179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download