Analysis
max time kernel: 150s
max time network: 54s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
  Resource: win10v2004-20240419-en
General
Target: f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
Size: 364KB
MD5: 5020a33dc240eb771f76b7b6a36c2ebd
SHA1: fe2884c1adbd3e53446392880c9fa6fc965e641a
SHA256: f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c
SHA512: db0d7d81d3db64ae54003bbeab9f8df1458e9feb65bce2eca5d993e7c0177755aadb41ee548431af5844f8913a4a54f1a955c758fc32e490b0389cb7d575745a
SSDEEP: 6144:juJX2zU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:9U66b5zhVymA/XSRh
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  4400  Logo1_.exe
  3092  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  description                   ioc  Process
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\Crashpad\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini  Logo1_.exe
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini  Logo1_.exe
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
  File created                  C:\Windows\Logo1_.exe    f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
  4400  Logo1_.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3404 wrote to memory of 2412   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  83
  PID 3404 wrote to memory of 2412   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  83
  PID 3404 wrote to memory of 2412   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  83
  PID 3404 wrote to memory of 4400   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  85
  PID 3404 wrote to memory of 4400   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  85
  PID 3404 wrote to memory of 4400   3404  f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe  85
  PID 4400 wrote to memory of 2360   4400  Logo1_.exe                                                              86
  PID 4400 wrote to memory of 2360   4400  Logo1_.exe                                                              86
  PID 4400 wrote to memory of 2360   4400  Logo1_.exe                                                              86
  PID 2360 wrote to memory of 3804   2360  net.exe                                                                 88
  PID 2360 wrote to memory of 3804   2360  net.exe                                                                 88
  PID 2360 wrote to memory of 3804   2360  net.exe                                                                 88
  PID 2412 wrote to memory of 3092   2412  cmd.exe                                                                 89
  PID 2412 wrote to memory of 3092   2412  cmd.exe                                                                 89
  PID 4400 wrote to memory of 3600   4400  Logo1_.exe                                                              56
  PID 4400 wrote to memory of 3600   4400  Logo1_.exe                                                              56
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3600

  C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3404

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3420.bat
      - Suspicious use of WriteProcessMemory
      PID: 2412

      C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe"
        - Executes dropped EXE
        PID: 3092

    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4400

      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2360

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3804
Network
MITRE ATT&CK Enterprise v15
Downloads