Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2024, 03:24
Static task: static1
Behavioral task: behavioral1
  Sample: f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
  Resource: win10v2004-20240226-en
General
Target: f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
Size: 300KB
MD5: 230a5fe3eb52007e98f2fe8d52543821
SHA1: acd4cc8ec541c69295262684e5397b0e825066e4
SHA256: f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c
SHA512: d5599d39f8fed113b49883e1635946074d6dd87728ee91ba4cdb49c3004001fa0118383b300f222ea77b4b1202672e67a23455a44cbb9bc96dad997baa808de5
SSDEEP: 6144:4uJBJxY+FyW3gHY7KmFyD+x4IgF6WvVIUnJn0IfkAM/Doxj:9K6x4JZVIiJ0IXxj
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid | Process
3768 | Logo1_.exe
392 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\management\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
File created | C:\Windows\Logo1_.exe | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3768 | Logo1_.exe (the same pid/process pair is recorded 20 times)
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 2860 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 90
PID 5080 wrote to memory of 2860 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 90
PID 5080 wrote to memory of 2860 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 90
PID 5080 wrote to memory of 3768 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 92
PID 5080 wrote to memory of 3768 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 92
PID 5080 wrote to memory of 3768 | 5080 | f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe | 92
PID 3768 wrote to memory of 5084 | 3768 | Logo1_.exe | 93
PID 3768 wrote to memory of 5084 | 3768 | Logo1_.exe | 93
PID 3768 wrote to memory of 5084 | 3768 | Logo1_.exe | 93
PID 5084 wrote to memory of 2880 | 5084 | net.exe | 96
PID 5084 wrote to memory of 2880 | 5084 | net.exe | 96
PID 5084 wrote to memory of 2880 | 5084 | net.exe | 96
PID 3768 wrote to memory of 3364 | 3768 | Logo1_.exe | 57
PID 3768 wrote to memory of 3364 | 3768 | Logo1_.exe | 57
Processes
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3364
    C:\Users\Admin\AppData\Local\Temp\f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe"
        signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
        PID: 5080
        C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1A69.bat
            PID: 2860
            C:\Users\Admin\AppData\Local\Temp\f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe"
                signatures: Executes dropped EXE
                PID: 392
        C:\Windows\Logo1_.exe
            command line: C:\Windows\Logo1_.exe
            signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            PID: 3768
            C:\Windows\SysWOW64\net.exe
                command line: net stop "Kingsoft AntiVirus Service"
                signatures: Suspicious use of WriteProcessMemory
                PID: 5084
                C:\Windows\SysWOW64\net1.exe
                    command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 2880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    PID: 1076
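The behaviours above reduce to three host-observable indicators: the sample writes Logo1_.exe and rundl132.exe into C:\Windows (and Logo1_.exe later writes vDll.dll there), Logo1_.exe seeds _desktop.ini across Program Files and opens existing executables for modification, and it runs net stop "Kingsoft AntiVirus Service" via net.exe and net1.exe. The hunting logic below is an added example and is not part of the sandbox report or the sample; it walks Sysmon-style ProcessCreate (Event ID 1) and FileCreate (Event ID 11) records whose field names (ProcessId, Image, CommandLine, TargetFilename) follow Sysmon's, and the event list is constructed here to mirror the report's process tree. The threshold of ten _desktop.ini files from one process is an assumption chosen to separate this burst from ordinary installer activity.

```python
"""Hunt for the behaviours in the sandbox report above over Sysmon-style events.

Added example, not part of the report or the sample.  The indicators come from
the report (files dropped into C:\\Windows, _desktop.ini seeded under Program
Files by Logo1_.exe, and `net stop "Kingsoft AntiVirus Service"`); the events
at the bottom are constructed to mirror its process tree.
"""
import re
from collections import Counter

# Files the report shows being created in C:\Windows (compared case-insensitively).
DROPPED_IN_WINDOWS = {
    r"c:\windows\logo1_.exe",
    r"c:\windows\rundl132.exe",
    r"c:\windows\vdll.dll",
}
# _desktop.ini anywhere beneath Program Files or Program Files (x86).
DESKTOP_INI_RE = re.compile(r"^c:\\program files(?: \(x86\))?\\.+\\_desktop\.ini$", re.I)
# `net stop` or `net1 stop` of the AV service, with or without a path/quotes on the binary.
AV_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"kingsoft antivirus service"', re.I)
# Assumption: no legitimate installer seeds this many _desktop.ini files in one run.
DESKTOP_INI_THRESHOLD = 10


def hunt(events):
    """Return (rule, pid, detail) tuples for every indicator match.

    Each event is a dict with Sysmon-style keys: EventID (1 = process create,
    11 = file create), ProcessId, Image, plus CommandLine or TargetFilename.
    """
    hits = []
    ini_per_pid = Counter()
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11:
            target = ev.get("TargetFilename", "")
            if target.lower() in DROPPED_IN_WINDOWS:
                hits.append(("dropped_windows_file", pid, target))
            elif DESKTOP_INI_RE.match(target):
                ini_per_pid[pid] += 1
        elif ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if AV_STOP_RE.search(cmd):
                hits.append(("av_service_stop", pid, cmd))
    # Aggregate rule: one process touching many _desktop.ini files under Program Files.
    for pid, n in ini_per_pid.items():
        if n >= DESKTOP_INI_THRESHOLD:
            hits.append(("mass_desktop_ini", pid, f"{n} _desktop.ini files under Program Files"))
    return hits


def _file_create(pid, image, target):
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": target}


def _proc_create(pid, image, cmd):
    return {"EventID": 1, "ProcessId": pid, "Image": image, "CommandLine": cmd}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stands in for the hash-named file
LOGO1 = r"C:\Windows\Logo1_.exe"

# Constructed events following the report's process tree (PIDs taken from it).
SAMPLE_EVENTS = [
    _file_create(5080, SAMPLE, r"C:\Windows\rundl132.exe"),
    _file_create(5080, SAMPLE, LOGO1),
    _proc_create(3768, LOGO1, LOGO1),
    _file_create(3768, LOGO1, r"C:\Windows\vDll.dll"),
    *[_file_create(3768, LOGO1, r"C:\Program Files\VideoLAN\VLC\locale\{}\_desktop.ini".format(loc))
      for loc in ("zu", "ast", "da", "oc", "eu", "kn", "ach", "as_IN", "bn_IN", "ks_IN", "lg", "te")],
    _proc_create(5084, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    _proc_create(2880, r"C:\Windows\SysWOW64\net1.exe",
                 r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    # Benign noise that must not fire: a user-profile desktop.ini and an unrelated net stop.
    _file_create(1234, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\desktop.ini"),
    _proc_create(999, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Against the constructed events this yields three dropped_windows_file hits, two av_service_stop hits (net.exe and net1.exe) and one mass_desktop_ini hit for PID 3768. The report's cross-process writes, including Logo1_.exe writing into Explorer.EXE (PID 3364), are not covered here; they would need Sysmon ProcessAccess (Event ID 10) or CreateRemoteThread (Event ID 8) telemetry rather than the file and process-creation events used above.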
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 573KB
MD5: 3888ffddbafbbba14619f7feb8539dff
SHA1: f51bf92ee7697f5e93dcb946e35962d48482faef
SHA256: 68266f939fe4989bf6c860d512f01f0610a8d0978379a4e3cee18b309a189bf8
SHA512: 2bd5374aee1f24205c74ebe97f4dd7a281f67227447a6b84e58e900f3e8dadce0fcb95c47a27648a7630d7eb53e758d6edb590a20fab7667fca442438f1f7271

Filesize: 722B
MD5: b49583825322312d12fe271472d7b958
SHA1: b8ca3586d57b944a1784bf58ce50d560c42d3917
SHA256: 6e67eaeb50cf27f2aee9e7ca8f80ca6219291a3c36717b925a04ecba878ab9ad
SHA512: ec5e4ad68c64a9c24eab13fdbe5819bbe09fa3a2a18263aa702e5347a35970fb5d6d80588c41be07c44847ee21740f9e06411a9f93c555157caffaf7798ae4ba

C:\Users\Admin\AppData\Local\Temp\f89b90bfd0fd96a03e52e09b77c57e7d40542fe5ffe956e745dc37546ccd101c.exe.exe
Filesize: 271KB
MD5: e6370f7f376ddaaf0be5a27c67baf2de
SHA1: 92f0f85ee8243e1cca1247ae0fef82d91bb0f948
SHA256: c16776ccf74ee2ff037379d20c53176f8995bde87748e9e2b2dcbce3ff2d7dfe
SHA512: 7f79fcb232b6d71dfec31db0647341bce8b7f66a4069b5f6eb585827db4d6afe50f63e2452ede87eed4adb44550cfa3724c388f0850ccd84cbeba8cf250e17c9

Filesize: 29KB
MD5: bc2a08f1fe0430eb261fa12807b391db
SHA1: cfc8edda8d2a0eb6677468da30013b8c54a7a37c
SHA256: 7e2c164ef33df9f9c8d4493d7ba3ddffeb8d6a9a6363a76334472f52feb3f5bc
SHA512: 36419d572cc6e7f08c401dde59233bb4d50939c1471147572f11f1a4896eeb5a89228a945eb43d94fe0a6c44775a16c3b2f1c49691275d814f86105a1a346a49

Filesize: 9B
MD5: 7ef570b2b21e58fd906ef1a980d64425
SHA1: 18502489f652e74f8972bbfa100d5c163d719ab7
SHA256: c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055
SHA512: e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f