828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe
Size

9.3MB
MD5

c66ab64a5441f7efa200e785825278f1
SHA1

051f6fa77c7089481d3fe83c003da2c3fa92d414
SHA256

828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7
SHA512

01cb059197c25c4e5ba5b1f0e22b5ad7d37dd4a073ca1a1f346380a0ab75cfd6bc9f337ebe35ca434d9ab168c3f9e9a7ee638261062e255af5d5264f52586079
SSDEEP

98304:hxfZeZiONXe0cK7jfI60f8BYNg3kQVLPXnmGLH376+MyUXnby:hNZekOte0cifXmZNg0ILPXnmGDm3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe
File created	C:\Windows\Logo1_.exe	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe
4824	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 4916	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	86
PID 912 wrote to memory of 4916	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	86
PID 912 wrote to memory of 4916	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	86
PID 912 wrote to memory of 4824	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	87
PID 912 wrote to memory of 4824	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	87
PID 912 wrote to memory of 4824	912	828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe	87
PID 4824 wrote to memory of 3880	4824	Logo1_.exe	89
PID 4824 wrote to memory of 3880	4824	Logo1_.exe	89
PID 4824 wrote to memory of 3880	4824	Logo1_.exe	89
PID 3880 wrote to memory of 1036	3880	net.exe	91
PID 3880 wrote to memory of 1036	3880	net.exe	91
PID 3880 wrote to memory of 1036	3880	net.exe	91
PID 4824 wrote to memory of 3484	4824	Logo1_.exe	56
PID 4824 wrote to memory of 3484	4824	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe
  "C:\Users\Admin\AppData\Local\Temp\828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a614A.bat
    3⤵
    PID:4916
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
39b85f27d2b6c20f0384207a7503a582

SHA1
a1e7828844f30afda9fdd1772d68985de1d25000

SHA256
66a61efc76780d8590c8286dfde6333cbe18c1be7d65f04ff9fa31b98b4d2362

SHA512
732acd062ad07fabf04e3fc1521af9a6a1401434bee540167989bc3a0e9a220e55dde7112649749592ec77db9d0432b041db0377e06f4aa7d55a974ce9760078

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
c1a3081f46596dfd73c0e427760df0ef

SHA1
33177125472e1522e3d1ca8132dee70b9ac855d5

SHA256
3321bdd10e5f7549cbf95a01b6bfd48d968f2eac742b8f63341c78f3d4e22926

SHA512
7182cdd85f5607320be3c910b3668db668a9f50efa587a5d3b192cd749b299d245396290236ec83208ec6bb00c33ad96cf5e6be1a6a1932b588ea7c4bb603bc8

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
c8d281da4c32df16eef470c27c8cb459

SHA1
00efc9f6844bfaa37c264b6452c6a7356638ab10

SHA256
058c81e5a07f2c6c33cf28dff71d07ad8f179046108d945159957e891bfd9c62

SHA512
e3c79e19f620068f668d4ebaa5097f1a95a30dabb8dce75f3787171dddbea9f684fc7ce8d1011a398f38084d7af96dd1ff9a02d25906aab9b13861b8363d24bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a614A.bat

Filesize
722B

MD5
90d14b04fad5ec0c8e68635e2fcca8ef

SHA1
d9fdbd259489d00d51e3bcaeb08e3394f2d5aeaf

SHA256
036779aac78041c8e7c97f585a2ec0b3dfb1f4bc8cabd4b42c36b3e27030a299

SHA512
7a0c727d3e82d338f532829eecb19445a540163bb105355a0c210f620c29ebe024c79949b5302c11d69226b4c3b9f067988ea728a5032364c1f61767b59b9d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\828f580c1211badb61be072c670017c14106332452a3e251a7d8be4d390beda7.exe.exe

Filesize
9.3MB

MD5
b86f86ef5c09df3336638ad99b7c0c0f

SHA1
0428ad68c4dd86cebf917582d9de21ad2bdac97f

SHA256
3ef229a273ff767f0dbc891329fa906455e8f696beb5b6611efe9d6f657d7ced

SHA512
cd3ef6725bbc15c2090f3eee10af01766030a428ec39e8dab8f0174961e9aaef1a573fdbba3f7db0e251c5888a83b701cfab8055b28c30474405c2b00e826f97

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
1e4641b3ce0bd749b7ebf353d5af1bfe

SHA1
8f04220b85eea04c9912bfbb69e97f758bc7124f

SHA256
7c28b836573bfa57bb05e0b828a6dcabcc19c3f39aac7e8110ea837299826601

SHA512
0fb47eca033be7695dabb0e819f6f41cfb3fb01f5d8b68e52737850d2ce0bbc5a3c6a003ceb30fba4899e373efb877acf2e216254254a70ea8dec627e118e8ba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini

Filesize
9B

MD5
27729a3995958245e2d6799df42e26e7

SHA1
dfe386f53277c8387b50122f3fda9bc2467815ba

SHA256
9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

SHA512
ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

Download Submit
memory/912-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/912-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-1059-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-1226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-4791-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-5230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download