f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe
Size

252KB
MD5

3055d511163bd665e36aa71cf424ff2c
SHA1

100d3231f9f0833ce242b1160ab36eff8aaba9c0
SHA256

f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a
SHA512

39ab63863f2a748c68165f47714c8333182c5ee92bb7fae99cc1d07f0011387dda582509e38b4d079ce8e622d1f0efee168d0e8181c9ff65234142fae4ac5b94
SSDEEP

6144:BFpOgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:bplitXqsTkiR7twRx+gD8PJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4444	Logo1_.exe
700	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-light\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-ES\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe
File created	C:\Windows\Logo1_.exe	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe
4444	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2564	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	86
PID 2376 wrote to memory of 2564	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	86
PID 2376 wrote to memory of 2564	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	86
PID 2376 wrote to memory of 4444	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	87
PID 2376 wrote to memory of 4444	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	87
PID 2376 wrote to memory of 4444	2376	f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe	87
PID 4444 wrote to memory of 1632	4444	Logo1_.exe	89
PID 4444 wrote to memory of 1632	4444	Logo1_.exe	89
PID 4444 wrote to memory of 1632	4444	Logo1_.exe	89
PID 1632 wrote to memory of 2080	1632	net.exe	92
PID 1632 wrote to memory of 2080	1632	net.exe	92
PID 1632 wrote to memory of 2080	1632	net.exe	92
PID 2564 wrote to memory of 700	2564	cmd.exe	93
PID 2564 wrote to memory of 700	2564	cmd.exe	93
PID 2564 wrote to memory of 700	2564	cmd.exe	93
PID 4444 wrote to memory of 3500	4444	Logo1_.exe	57
PID 4444 wrote to memory of 3500	4444	Logo1_.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe
  "C:\Users\Admin\AppData\Local\Temp\f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7937.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe
      "C:\Users\Admin\AppData\Local\Temp\f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe"
      4⤵
      Executes dropped EXE
      PID:700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
571KB

MD5
77c7e6ae645974e97e4247c5dd1fd9e7

SHA1
f4eca0277916905ffe255553b14b8342c4637ba3

SHA256
0016d2b8e6e145ae0eeabe5cbc286e5f04671c6e131f385a01c297e9a79b8d6e

SHA512
cf37694b9328115cc552c44f4df98e98539c42303ea03c092b1619e7b936b2bed6776dfaea937db50ce9dd1342f463a7d90c08d017215eb9dec4eb33c2883b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7937.bat

Filesize
722B

MD5
c105627458f467cbfd2c09b19e600f9c

SHA1
9f6c32803885c77e7d8c707ad6bc4f5aeddae26e

SHA256
4c4cf56d159bb0c2c32a2e36a90cef39f6b43b9db99c2624d1f63b6fd53d1717

SHA512
f0ca80fa03969d126882e7bea32edc5ffe2e154703d989151b060539a7fdf6210a2873dadf2ed245dca4192bea4422debac1c0c9a76b7ee15d744bb1abbf883f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f937ab7db604e62a78e5f2d7c1ecc536df075dc3e4876dc369185149421bcb1a.exe.exe

Filesize
224KB

MD5
d4b257c01bbaa68d15d8368475a4e227

SHA1
fafae083a882e163cfa8c77258baaab891c17df2

SHA256
dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

SHA512
167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
3848bdda6fa12d57631d2d9cfc0372cd

SHA1
7ad82878104b87dbb4af2236b49c27026fedcfe1

SHA256
b44c38445807ad74329416692d41046f2482b4c8ecc2e9c6d742fd8fa86b76bc

SHA512
7bdd4d23f636085a361b407fdeef87cbc679326468b69b7688b61af78bd726178a4ea25c4d45bfb329b1181eb0fc4b8ca625324aad29ef15402b782f3471fb74

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\_desktop.ini

Filesize
9B

MD5
95b3e5fe04e8423c49a7f69a5d13771f

SHA1
615b63fb8bf07dbb0565ffd492067309645064c9

SHA256
1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

SHA512
d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

Download Submit
memory/2376-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-1175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-4742-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download