8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe
Size

485KB
MD5

2b9b9836e2617aade99eb3e82a2c2e2c
SHA1

06320eaadb86e86d0d81ead1fba94dae90b21af1
SHA256

8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830
SHA512

ca8dc9f3cd696f3f6a1f5d88bb98c819b4040437ad7d95cef7844037698ab56eb8628b421ad4234742123082591cbaf14c880e6ba552fb05e1a775f9e2a964cb
SSDEEP

6144:AFpuz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7E:mpo1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4632	Logo1_.exe
1124	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\View3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe
File created	C:\Windows\Logo1_.exe	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe
4632	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1864	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	85
PID 1592 wrote to memory of 1864	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	85
PID 1592 wrote to memory of 1864	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	85
PID 1592 wrote to memory of 4632	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	86
PID 1592 wrote to memory of 4632	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	86
PID 1592 wrote to memory of 4632	1592	8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe	86
PID 4632 wrote to memory of 4840	4632	Logo1_.exe	88
PID 4632 wrote to memory of 4840	4632	Logo1_.exe	88
PID 4632 wrote to memory of 4840	4632	Logo1_.exe	88
PID 4840 wrote to memory of 3136	4840	net.exe	90
PID 4840 wrote to memory of 3136	4840	net.exe	90
PID 4840 wrote to memory of 3136	4840	net.exe	90
PID 1864 wrote to memory of 1124	1864	cmd.exe	91
PID 1864 wrote to memory of 1124	1864	cmd.exe	91
PID 4632 wrote to memory of 3488	4632	Logo1_.exe	55
PID 4632 wrote to memory of 3488	4632	Logo1_.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe
  "C:\Users\Admin\AppData\Local\Temp\8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4779.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe
      "C:\Users\Admin\AppData\Local\Temp\8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe"
      4⤵
      Executes dropped EXE
      PID:1124
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
571KB

MD5
fb02ebc955503fb229065e449b44e093

SHA1
6effd8f8ace789744f3b2292e69b777c643b6058

SHA256
5b7b092b1b4829e6bb173c1bc62d4eead80c33b5f2482c07de8aeaad80558a82

SHA512
8baa53d803a816228a57e74606d8718d142c9928b63083e8d45e45bd7ff8ea8f9a73a125fa691f919966e6acd8da7df604fd801717b5cdd1b37f552e91b0f4a0

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
637KB

MD5
9cba1e86016b20490fff38fb45ff4963

SHA1
378720d36869d50d06e9ffeef87488fbc2a8c8f7

SHA256
a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

SHA512
2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4779.bat

Filesize
722B

MD5
49ed7aee2129397313b748ec58c621c2

SHA1
0cbe59f15c942f2eb08bfdefd75df91674d8aa57

SHA256
c9116641073728e12acce81207f15c06aead09086aa203274961a1df2b1530ff

SHA512
08551bae398367feb215cda5407533f7a77b7762cb7f7476f63064303b96dbc40d1e525e5a4f21fdee27645ceab03976fc19c47cf745c28f4235898c380ed445

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f23097b14f5c3ab15b08d3b148921de9d343589ac97a57589d2a47c5c31d830.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
18cdebf5c48bd174ed806d906b24d5f9

SHA1
2676a4378da12cadf48210338486ef6b0850db03

SHA256
cd7beecfd604c4fb4f90e04253989d0330c536571ecf001307342c9d7676cd40

SHA512
0094a90cc36c2bdf260af7b467f5765aca2dcf16ec45bbd3cda9be13976ffbf1425e546d4b3d3a1ff2e797e0fda3ee5236816c719a7873d602166f9345412050

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\_desktop.ini

Filesize
9B

MD5
8c34dc99037d2222f90612d7a5e52499

SHA1
fda1121fbbb4ed65e2bbf0b7d7c9847d6f47fe7c

SHA256
5b74167b62086b62f2f1540c9601d4c70c005e86ff72d5d514f87c82df3cb468

SHA512
999a3f71583131a044764079e1d6c447190f81bdb3b32d3f423f97ea6f5a4cf431ddf0b5ad61a2f72e9aa280a859555c131c9b89a4713cdaf955a7f90b6258cf

Download Submit
memory/1592-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-1060-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-1227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-4792-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-5231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download