Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 19:35

Static task
static1

Behavioral task
behavioral1
Sample: 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
Resource: win7-20240319-en

Behavioral task
behavioral2
Sample: 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
Resource: win10v2004-20240226-en
General
Target: 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
Size: 261KB
MD5: c293e885f071d54edbdc3c434c73f093
SHA1: f061ac87a0f974df6d4e95858991ff188b76f151
SHA256: 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b
SHA512: 23c8a84bc8e1c601b96ad7292340883c111a02fd5e3fe5468dd991a2274c06feee46c84753b97bdd5d72233370551c408cb320f91d12a7c2c79b47d011217c71
SSDEEP: 6144:WuJXaU0V3teOOdlcwTCN5hDxchFYgqPi2X:OTvEcwTCNwIaI
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid | Process
1716 | Logo1_.exe
2380 | 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\8.0.0\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\host\fxr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
1716 | Logo1_.exe (the same row is recorded 20 times)

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target | times recorded
PID 1516 wrote to memory of 4088 | 1516 | 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe | 93 | 3
PID 1516 wrote to memory of 1716 | 1516 | 59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe | 95 | 3
PID 1716 wrote to memory of 2444 | 1716 | Logo1_.exe | 98 | 3
PID 4088 wrote to memory of 2380 | 4088 | cmd.exe | 100 | 2
PID 2444 wrote to memory of 4440 | 2444 | net.exe | 101 | 3
PID 1716 wrote to memory of 3372 | 1716 | Logo1_.exe | 57 | 2
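The behaviours in the Signatures section translate directly into checks an analyst can run over rows of the same shape. The Python below is an added example, not part of the sandbox report or its tooling. It feeds (description, ioc, process) rows constructed from a subset of the IoCs above through four rules: executables written directly into the Windows root, a process opening many drive roots, a process planting `_desktop.ini` (underscore prefix; the shell's own file is `desktop.ini`) across Program Files directories while opening third-party executables for write, and net.exe/net1.exe stopping a service named like a security product. The thresholds and the keyword list are assumptions.

```python
"""Detection rules for the behaviours in the Signatures section, applied to
(description, ioc, process) rows in the shape of the report's IoC tables.
Added example, not part of the sandbox report or its tooling. The rows below
are constructed from a subset of the report's IoCs; thresholds and the
security-product keyword list are assumptions."""
import re
from collections import defaultdict

SAMPLE = "59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe"

# Constructed rows: a subset of the report's file IoCs, enough to trip every rule.
FILE_ROWS = [
    ("File created", r"C:\Windows\Logo1_.exe", SAMPLE),
    ("File created", r"C:\Windows\rundl132.exe", SAMPLE),
    ("File created", r"C:\Windows\vDll.dll", "Logo1_.exe"),
    ("File opened for modification", r"C:\Windows\rundl132.exe", "Logo1_.exe"),
    ("File opened for modification", r"C:\Program Files\7-Zip\7z.exe", "Logo1_.exe"),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Logo1_.exe"),
    ("File opened for modification", r"C:\Program Files\dotnet\dotnet.exe", "Logo1_.exe"),
    ("File created", r"C:\Program Files\dotnet\_desktop.ini", "Logo1_.exe"),
    ("File created", r"C:\Program Files\Google\Chrome\_desktop.ini", "Logo1_.exe"),
    ("File created", r"C:\Program Files\7-Zip\Lang\_desktop.ini", "Logo1_.exe"),
]
# The report's 21 drive-root opens: E: to Z: except F: (A, B, C, D are absent there too).
FILE_ROWS += [("File opened (read-only)", "\\??\\" + d + ":", "Logo1_.exe")
              for d in "EGHIJKLMNOPQRSTUVWXYZ"]

# (image, command line) rows taken from the Processes section.
PROC_ROWS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a627E.bat"),
    (r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll|bat|cmd)$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")
SECURITY_WORDS = ("antivirus", "anti-virus", "kingsoft", "defender")  # assumption


def windows_root_payloads(rows):
    """Executables created directly in C:\\Windows (files in subdirectories do not match)."""
    return sorted({ioc for desc, ioc, _ in rows
                   if desc == "File created" and WINDOWS_ROOT_EXE.match(ioc)})


def drive_enumerators(rows, min_drives=8):
    """Processes that opened at least min_drives distinct drive roots of the form \\??\\X:."""
    drives = defaultdict(set)
    for desc, ioc, proc in rows:
        m = DRIVE_ROOT.match(ioc)
        if m and desc.startswith("File opened"):
            drives[proc].add(m.group(1))
    return {proc: len(s) for proc, s in drives.items() if len(s) >= min_drives}


def program_files_tamperers(rows, min_dirs=3):
    """Per process: how many Program Files directories received a '_desktop.ini'
    and which third-party .exe files it opened for writing."""
    ini_dirs, exes = defaultdict(set), defaultdict(set)
    for desc, ioc, proc in rows:
        low = ioc.lower()
        if not low.startswith("c:\\program files"):
            continue
        if low.endswith("\\_desktop.ini"):
            ini_dirs[proc].add(ioc.rsplit("\\", 1)[0])
        elif desc == "File opened for modification" and low.endswith(".exe"):
            exes[proc].add(ioc)
    return {proc: {"ini_dirs": len(d), "exes": sorted(exes[proc])}
            for proc, d in ini_dirs.items() if len(d) >= min_dirs}


def security_service_stops(procs):
    """net.exe / net1.exe used to stop a service whose name contains a SECURITY_WORDS term."""
    hits = []
    for image, cmdline in procs:
        if image.lower().rsplit("\\", 1)[-1] not in ("net.exe", "net1.exe"):
            continue
        m = re.search(r'\bstop\s+"?([^"]+?)"?\s*$', cmdline, re.IGNORECASE)
        if m and any(w in m.group(1).lower() for w in SECURITY_WORDS):
            hits.append((image, m.group(1)))
    return hits


if __name__ == "__main__":
    print(windows_root_payloads(FILE_ROWS))
    print(drive_enumerators(FILE_ROWS))
    print(program_files_tamperers(FILE_ROWS))
    print(security_service_stops(PROC_ROWS))
```

Each rule keys on the process name, so the two rows that name the original sample (the Windows-root drops) and the rows that name Logo1_.exe stay separate, which matches how the report attributes them.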
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3372
  └ C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe"
      PID: 1516
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a627E.bat
          PID: 4088
          Signatures: Suspicious use of WriteProcessMemory
          └ C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe"
              PID: 2380
              Signatures: Executes dropped EXE
      └ C:\Windows\Logo1_.exe
          Command line: C:\Windows\Logo1_.exe
          PID: 1716
          Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          └ C:\Windows\SysWOW64\net.exe
              Command line: net stop "Kingsoft AntiVirus Service"
              PID: 2444
              Signatures: Suspicious use of WriteProcessMemory
              └ C:\Windows\SysWOW64\net1.exe
                  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                  PID: 4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4272 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  PID: 2484
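The "wrote to memory of" rows are easier to judge once they are laid against the process tree, because a parent writing into a child it has just started looks the same in the log as a write into an unrelated process. The Python below is an added example, not part of the sandbox report. It transcribes the tree above (parent taken from the depth marker) and the WriteProcessMemory rows, rebuilds the parent/child structure, and labels each source/target pair as a write to a child, to an ancestor, or to an unrelated process. The labels are my own interpretation; the report records the writes but not their contents.

```python
"""Rebuild the report's process tree and classify its WriteProcessMemory rows.
Added example, not part of the sandbox report. PROCESSES and WPM_EDGES are
transcribed from the report; the relation labels are the author's own."""
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe"

# (pid, parent_pid, image); parent derived from the depth marker in the Processes section.
PROCESSES = [
    (3372, None, r"C:\Windows\Explorer.EXE"),
    (1516, 3372, SAMPLE),
    (4088, 1516, r"C:\Windows\SysWOW64\cmd.exe"),
    (2380, 4088, SAMPLE),
    (1716, 1516, r"C:\Windows\Logo1_.exe"),
    (2444, 1716, r"C:\Windows\SysWOW64\net.exe"),
    (4440, 2444, r"C:\Windows\SysWOW64\net1.exe"),
    (2484, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

# (source_pid, target_pid) -> how many times the report lists that row (16 in total).
WPM_EDGES = Counter({
    (1516, 4088): 3, (1516, 1716): 3, (1716, 2444): 3,
    (4088, 2380): 2, (2444, 4440): 3, (1716, 3372): 2,
})


def build_index(processes):
    """Return (parent_of, image_of, children_of) lookups for the process list."""
    parent_of, image_of, children_of = {}, {}, defaultdict(list)
    for pid, ppid, image in processes:
        parent_of[pid] = ppid
        image_of[pid] = image
        children_of[ppid].append(pid)
    return parent_of, image_of, children_of


def render_tree(processes):
    """One line per process, indented two spaces per level, roots in report order."""
    _, image_of, children_of = build_index(processes)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image_of[pid]} (PID {pid})")
        for child in children_of[pid]:
            walk(child, depth + 1)

    for root in children_of[None]:
        walk(root, 0)
    return lines


def relation(src, dst, parent_of):
    """'child' if src started dst, 'ancestor' if dst sits above src, else 'unrelated'."""
    if parent_of.get(dst) == src:
        return "child"
    p = parent_of.get(src)
    while p is not None:
        if p == dst:
            return "ancestor"
        p = parent_of.get(p)
    return "unrelated"


def classify_writes(processes, edges):
    """One record per (src, dst) pair, with the relation of the target to the writer."""
    parent_of, image_of, _ = build_index(processes)
    return [{
        "src": src, "src_image": image_of[src],
        "dst": dst, "dst_image": image_of[dst],
        "count": count, "relation": relation(src, dst, parent_of),
    } for (src, dst), count in sorted(edges.items())]


def non_child_writes(processes, edges):
    """The writes that are not explained by process creation."""
    return [r for r in classify_writes(processes, edges) if r["relation"] != "child"]


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for r in non_child_writes(PROCESSES, WPM_EDGES):
        print(f"{r['src_image']} ({r['src']}) -> {r['dst_image']} ({r['dst']}): "
              f"{r['relation']}, recorded {r['count']} times")
```

Five of the six source/target pairs are parent-to-child and line up with the launches in the tree. The remaining pair, Logo1_.exe (PID 1716) writing into Explorer.EXE (PID 3372), its grandparent, is the one that does not follow from any process start and deserves a closer look in a full trace.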
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 508KB
MD5: 99f5d8ff62e0fc7364d231dc87a16aeb
SHA1: 7a1526bc28f543c37673d1562167eb994f6646b9
SHA256: feabf032eabfd2fc24a20ef2cdf30394e2ce4b416d550618ca8a5053aa7cd93b
SHA512: 1823c899d8fc6433f24d47b1e15d0b8f13318a39764ba2cfddb240b42fa57eeace1fc793565fa9e442a62da883bea994820d6e2dc06b88f0de9521c9bc74fcc2

Filesize: 722B
MD5: f11c857dd401d5f9252b2f34de5eeb73
SHA1: 9778d1887679d881a1299efb0632b223f56867fd
SHA256: 2ee911ec5383980494bd3c0cc839b8f6b6f5bd47fed1f85fa6d72cd8f05fbd13
SHA512: 98402247242881263059634da5c9b9694e66105439a83ccb5d78a380ab1d4581949a18bb7bd1c3032c12f2d33da2d2577de2647c696c52883b21e9fef22fec90

C:\Users\Admin\AppData\Local\Temp\59efd00a32a5aaace06125c207cc33d50b85474d37260f6ef937f335ecbbe92b.exe.exe
Filesize: 231KB
MD5: b6098de8baed9ead05827a57ff5cc08d
SHA1: 5042f3710a5572aae765637d822d2f222beebdcb
SHA256: b90dd11047629bf672ed515f64311a6a6d468544230570c5ab50284d4084af2c
SHA512: 11c96ac7f9a8b6dbc4260afd9dc991c7ad72fc8761572000141a942bb00046e94d32f1d85412483dbafe032a56f693bf8861ac1aec928c3dfd535ea1b9e9f877

Filesize: 29KB
MD5: 69f3dc136ebf637ccd58e7686fb263b9
SHA1: 41d1241c621782e2edfc5673f4b17a3934382504
SHA256: e205289e0a83f8fd7e26b98ba3967eb96ea390b24a46f4e1e06d8f7d9a377a1a
SHA512: 9c118158fdc1f0a41c7b1b0b3f0fbeb5b64100702677d35ba81441afeb8f15aa26f07d8e7e8b290476b51a1f5687449143013dc5c2fada0b4bceb1d7918a57e2

Filesize: 9B
MD5: 2be02af4dacf3254e321ffba77f0b1c6
SHA1: d8349307ec08d45f2db9c9735bde8f13e27a551d
SHA256: 766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16
SHA512: 57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0