0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 12:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
Size

209KB
MD5

d46c2e4f139469026284838b2dbc76f8
SHA1

dc7f2fa37c047e93ae1e5c913f0cfd7c03d5ac84
SHA256

0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080
SHA512

47b225a4b6265521dca53794cb53920802065a46683fbd047c029d13350c14bae263129446843a55481cadc076e3d26ffd63869dec553c67d1e06602f0dae4de
SSDEEP

3072:CMftffjmNi8czzbjwY6c/gnNVitAsCx7nPQOH0uLHNjMl:CUVfjmNOz3wY6c/SN0nuSAy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1028	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe
1028	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 3356	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	85
PID 3352 wrote to memory of 3356	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	85
PID 3352 wrote to memory of 3356	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	85
PID 3352 wrote to memory of 1028	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	86
PID 3352 wrote to memory of 1028	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	86
PID 3352 wrote to memory of 1028	3352	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	86
PID 1028 wrote to memory of 3668	1028	Logo1_.exe	88
PID 1028 wrote to memory of 3668	1028	Logo1_.exe	88
PID 1028 wrote to memory of 3668	1028	Logo1_.exe	88
PID 3668 wrote to memory of 3640	3668	net.exe	90
PID 3668 wrote to memory of 3640	3668	net.exe	90
PID 3668 wrote to memory of 3640	3668	net.exe	90
PID 1028 wrote to memory of 3412	1028	Logo1_.exe	53
PID 1028 wrote to memory of 3412	1028	Logo1_.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
  "C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4508.bat
    3⤵
    PID:3356
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
299ab7dbaeb02447f377af6a205c48f8

SHA1
00ca08a1744471210b83edb2dbbd88223fe1edce

SHA256
bd8886ea6cffa00bb88a3bf690aee0944e9c3fbe6a4cbf382c58993381278362

SHA512
82ad942b87226bb545120b3972ad4e90fcf9068e58f61943b4dc447e490a3c5233b55ee8abc9a493b9be13e07cb3662bae2d26f409c6c3b4539d58b940047f7f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
0a47574a00961f1166963120187c99f1

SHA1
2f6f183cee014b3a550ea57e0dd638ac0baf58a4

SHA256
ed855bdbe147fa3b00206fb199a2ce4cdda80507957c794424f8bf46f89bf8fa

SHA512
fd18a2210f05e020a2d154c16b22f5fb4ae9260988fae174cc400f1a012f55809cad0eb507327a71e8ed9cfe41a4669db24d0e9f64e5f31be1c1429866a63609

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4508.bat

Filesize
722B

MD5
4a1e54693477e60bb31f878803a83704

SHA1
223a7329aab5c397fb7f636efbdb6a65bea59021

SHA256
83e5e4c6b7b0098a73c4798b19efba73c6c000dfaefdec5494327e497b977ad6

SHA512
937ba80d07eb4a60aa1d57a499d47cdc1e8c4cab23294447687a0965896cd4a530307f8fb3b8f0ae61b5c033d04b38490eaca5ae67c2c7e84f822931564b4534

Download Submit
C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe.exe

Filesize
183KB

MD5
662bdc84d0d9ac70c8534251a5fc6e89

SHA1
42d0b8274a7bf0acedd523675569115b9f6f21ee

SHA256
d5cbdfb3c92db54b8ca4394534b97d8eba0d89a982084617f29359bfdae532dd

SHA512
c1147e2b19d5a64f286b606fde28f2c558ed3353adddd256468b02ceb7dd8a5202c74ac940a9d7f38a8d27028464fa11baa0f732e4371cf56a61b14849aaa842

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
bcba863fad08b47d4a766181d455e05f

SHA1
d155fc0a4769bd10b1bdf2b582c4973dbdb8d15c

SHA256
40cf326f6c0152dc5fa9dfe0b2314e273d858ba3f6b18fd534d924604ddf55f7

SHA512
1dbec3b132c9bd0e5fb8da83d1e567db061eb2362da1fb339c5eef6a464ab4f69d625c2492c237262090f20b7fc2adc11fc362d2540bd955ecbbd85602e8c093

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\_desktop.ini

Filesize
9B

MD5
b347a774e254ac3f0d6aaea35544ac50

SHA1
7f332d15a7648f7a698b3068a428811361f4e9ab

SHA256
1ebd1b85bb264260df3d9fb0a2062b29199c7b6137dcc98486874c1d257c73cd

SHA512
ce8615c90c8794f0aefeb0c6ce5da126732695e6be36b5e625f3a073d55c6f8cd88ca465b07e2c0e87355b5baad887a3f0b26c4eb262484a83d35565e72ba138

Download Submit
memory/1028-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-971-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-1164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-1460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-4717-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download