Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/02/2024, 09:39
Static task: static1
Behavioral task: behavioral1
- Sample: a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
- Resource: win10v2004-20231215-en
General
- Target: a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
- Size: 250KB
- MD5: e2213852fc8a351313125454150660fd
- SHA1: 3ccc1537d29fd2f70b45cb658a2b5409da55273a
- SHA256: a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5
- SHA512: 50c6cc3557a3aa0cbcbe45093669f29efa527ecba8879253a2b8eb0c369a7795de6b021b7e222f7e03b6d1003d5f30fb4838200743654d08a2953d333aeda373
- SSDEEP: 3072:UftffjmNR1KwhdmWWKp9pSVLCDJGhyBw948qNYpWdunn4rSpYKOQwq:sVfjmN/Kwhdt9t8LLyBw948kwn4WpgN
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
3284 | Logo1_.exe
4608 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Security\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Multimedia Platform\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
File created | C:\Windows\Logo1_.exe | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3284 | Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4248 wrote to memory of 2876 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 84
PID 4248 wrote to memory of 2876 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 84
PID 4248 wrote to memory of 2876 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 84
PID 4248 wrote to memory of 3284 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 85
PID 4248 wrote to memory of 3284 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 85
PID 4248 wrote to memory of 3284 | 4248 | a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe | 85
PID 3284 wrote to memory of 392 | 3284 | Logo1_.exe | 86
PID 3284 wrote to memory of 392 | 3284 | Logo1_.exe | 86
PID 3284 wrote to memory of 392 | 3284 | Logo1_.exe | 86
PID 392 wrote to memory of 452 | 392 | net.exe | 89
PID 392 wrote to memory of 452 | 392 | net.exe | 89
PID 392 wrote to memory of 452 | 392 | net.exe | 89
PID 2876 wrote to memory of 4608 | 2876 | cmd.exe | 90
PID 2876 wrote to memory of 4608 | 2876 | cmd.exe | 90
PID 2876 wrote to memory of 4608 | 2876 | cmd.exe | 90
PID 3284 wrote to memory of 3304 | 3284 | Logo1_.exe | 60
PID 3284 wrote to memory of 3304 | 3284 | Logo1_.exe | 60
Processes
- C:\Windows\Explorer.EXE (PID 3304)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe (PID 4248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2876)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a68FB.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe (PID 4608)
        Command line: "C:\Users\Admin\AppData\Local\Temp\a30d02353f12750de0cef614b676478c2a25bd7463f5af704d1e2cee43c7b6b5.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 3284)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 392)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 452)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads