53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe
Size

573KB
MD5

d9310b049e6abc50d37c5cbab6568c40
SHA1

74fa82cbc888cc95aae14d59327319ad925d6cb2
SHA256

53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23
SHA512

7fd232e22beb11324901f09d0df0fea348fea170e9ef13fc845776d849e9c8ea6a6231734a65b98d213b5ce1bff211e8ad04c0cc1af7912befbeb260efe0ade0
SSDEEP

6144:wPuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQG:wZ7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4400	Logo1_.exe
5048	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe
File created	C:\Windows\Logo1_.exe	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe
4400	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1580	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	87
PID 1168 wrote to memory of 1580	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	87
PID 1168 wrote to memory of 1580	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	87
PID 1168 wrote to memory of 4400	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	88
PID 1168 wrote to memory of 4400	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	88
PID 1168 wrote to memory of 4400	1168	53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe	88
PID 4400 wrote to memory of 3472	4400	Logo1_.exe	89
PID 4400 wrote to memory of 3472	4400	Logo1_.exe	89
PID 4400 wrote to memory of 3472	4400	Logo1_.exe	89
PID 3472 wrote to memory of 4532	3472	net.exe	92
PID 3472 wrote to memory of 4532	3472	net.exe	92
PID 3472 wrote to memory of 4532	3472	net.exe	92
PID 1580 wrote to memory of 5048	1580	cmd.exe	93
PID 1580 wrote to memory of 5048	1580	cmd.exe	93
PID 4400 wrote to memory of 3424	4400	Logo1_.exe	56
PID 4400 wrote to memory of 3424	4400	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe
  "C:\Users\Admin\AppData\Local\Temp\53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CD3.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe
      "C:\Users\Admin\AppData\Local\Temp\53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe"
      4⤵
      Executes dropped EXE
      PID:5048
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
78b6be324c6fb118c467cb7bbada1c12

SHA1
86c599047ac6dab268769c21197969db18fd788d

SHA256
11e921aefa9e88ea6e0bf50e4a4f811778080cc06738221cba42252b78506d04

SHA512
b450aac9fb8c34ef2ad17e19007f313d0b3e69513621fb335b76d2a70070c2a118cffdaef296d4b2b876bd834639895883fb3c191bc66754fa74dc1cb563c4fa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
d9310b049e6abc50d37c5cbab6568c40

SHA1
74fa82cbc888cc95aae14d59327319ad925d6cb2

SHA256
53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23

SHA512
7fd232e22beb11324901f09d0df0fea348fea170e9ef13fc845776d849e9c8ea6a6231734a65b98d213b5ce1bff211e8ad04c0cc1af7912befbeb260efe0ade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6CD3.bat

Filesize
722B

MD5
ff27f213bcc64a1aa6087982d027ebb3

SHA1
ef749358b62e8a698760c7d7c8abf76b6e758ba8

SHA256
55535b462c8c830aaf03f38477d96fbb03daa188c4d4b64d9f547603e07a8d2c

SHA512
563f141c3e3f01e66291bd6cfa1f51716677ca313ac115f160deb0a790fe20b0d3383c97fafbe5c632ddb952d70c586b43f82c8d311594cce243688be04cb6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\53f2cde6306abd6208931637fe7b2d11e9d228dbeb9aeb752801820edfc87f23.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b3e41c1d311f698d8ffde877bdc3fe63

SHA1
7d8265115168f5e8c955a9cde5eeddc7f2b78f8c

SHA256
870af7f02411e1286ce4b2cd0a1b6d48c1f4a0c1017dd559334a6f23085cc0d3

SHA512
1fc32ac7c1e2b2a905d0f3261f844c424f6c340262930e101f9ca1c31773a303cbe951ca9e418115e1348a594be92d976424e5adb7877087698e5f36dc4d534d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini

Filesize
9B

MD5
c1decdd7d6df1d9437bb5f2bc5fe1486

SHA1
d71402dc8d37a148651cb5017219322267c7b922

SHA256
bd6d31806e5ebc86100e3c7ed2cf5348757149082d775fa986d41e8554ce8089

SHA512
ebbaed70f5d858508011ec3f251e16aa09c861b3d6dcc62ed28f293b37dfda2434b0e36f898bc62fca3107ee6356c77e5662a76085f191a63913013837cc0f07

Download Submit
memory/1168-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-1227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-4792-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-5231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download