c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe
Size

46KB
MD5

62834d4a6ba45f5e3fa76c58337b6c70
SHA1

0e545f0980f8345062ec59a3ca609d9ad1cf3f79
SHA256

c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0
SHA512

d0c9e4156e4b5a52ec69ab89864b2d7ce789c16abe2ea071161c74c88870e070be5c323f18e4f9514ba9a8cae3c241d42b812a102e341770ea9092a9c694123d
SSDEEP

768:pzWIe1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL3WrbFcpfWDG7vUf2h:afgLdQAQfcfymNSSpftvUf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4908	Logo1_.exe
3856	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\UserControls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fil-PH\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe
File created	C:\Windows\Logo1_.exe	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe
4908	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2240	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	87
PID 4432 wrote to memory of 2240	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	87
PID 4432 wrote to memory of 2240	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	87
PID 4432 wrote to memory of 4908	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	91
PID 4432 wrote to memory of 4908	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	91
PID 4432 wrote to memory of 4908	4432	c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe	91
PID 4908 wrote to memory of 4200	4908	Logo1_.exe	89
PID 4908 wrote to memory of 4200	4908	Logo1_.exe	89
PID 4908 wrote to memory of 4200	4908	Logo1_.exe	89
PID 4200 wrote to memory of 2704	4200	net.exe	92
PID 4200 wrote to memory of 2704	4200	net.exe	92
PID 4200 wrote to memory of 2704	4200	net.exe	92
PID 2240 wrote to memory of 3856	2240	cmd.exe	93
PID 2240 wrote to memory of 3856	2240	cmd.exe	93
PID 4908 wrote to memory of 3516	4908	Logo1_.exe	53
PID 4908 wrote to memory of 3516	4908	Logo1_.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe
  "C:\Users\Admin\AppData\Local\Temp\c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77FF.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe
      "C:\Users\Admin\AppData\Local\Temp\c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe"
      4⤵
      Executes dropped EXE
      PID:3856
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4908

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
  2⤵
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
448KB

MD5
4877b6712a04475fd7b6cdc496798144

SHA1
7a7b99da73f595ca542f60fe1f28a7d60066c035

SHA256
f8574821dce61d448da38c4c99bad764af09e58b5288be4a38d770729de09939

SHA512
05fc9c3151699714656793cd69b98c665cdd2aec7200c67af2530a195f7c82a687df23b91230227127dc551fa4495eb46de8789cc3dcd4e801b64d7cd8551af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a77FF.bat

Filesize
722B

MD5
9c38bf6c46a70924c59dfbc80ac324c1

SHA1
3df030884e037b8a36ff09c3a6bbb91f109e7268

SHA256
450a949f37ff1d075a97c0123469d1544d9ece46537b0425b2a68b65623931fc

SHA512
35cf550d95072fe53e7b4b74b3bd1d984e57a3cbd8334965905f4d1133cde4c85fe123aad7694339da66c43332a98cf779e22dd157025c4897ac417d9ff059ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c01884085a280918de66dfef276a43131a2cf88fea41faed04557d8219ecf1c0.exe.exe

Filesize
20KB

MD5
7d3213dba093eef6f2cc45a37604c11d

SHA1
e57e860861390f40222ec1d782876b2da58e22f6

SHA256
feb25888429fb3570d1d9b9d9d67116779ee82fa3aa0fcea025e7b283d2c2cb3

SHA512
7ad71a85c0c1578e40e4d9a51604034fbdf339db6248ef4960ee4937d93c54aa2179f4cb9b5a337435b9be8f6dd9f7054873ee8ab0babe1aa28c67f65854a4e9

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
82c5e2eb7e00ec5d7a6433473bdc0f48

SHA1
3495f7daf1bf71c6a9fa8f84a5da3a5a481b1afd

SHA256
65314f3a9bee3f94b0d9a1a7e4e57a0e18a47a90a4e916ddefe3d405145bef17

SHA512
99ae217f18d5a2d442184513a2ac93875ea603322c6d5769f1f316b17886e2d6227484ef2bffb605798ef2fae820ff138426c3433853dacf14fcbeb46a41c62e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\_desktop.ini

Filesize
10B

MD5
3fb21251990dd269f80f958b0a71ed77

SHA1
5a505ccb9a59661e62ae104e2ff3ec8f2aa4cf5e

SHA256
cb4d0049abaf6aa0990ec6488c023f61ef8f9bdcd7b82a814db7264271f060ec

SHA512
3d401e86df952aa0bd86740f17df566b9800ce0aea48c9f61623d934436317038aebbcceaed0bc4cf38ce153b9ad8e853bb20aba42267563fc9ad96a99d0c637

Download Submit
memory/4432-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-639-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-1166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-1176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download