4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
Size

127KB
MD5

d68a482f70846832ab29b6aecefab6a8
SHA1

7796c513812623a9b4bab582fc0ef1f106a55906
SHA256

4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899
SHA512

895ca06a79fb2ca2019556b76683c91b2184c6dbc29e41b7e9ed812c26a4fac2b817cf17752542e9c6ef440057b47a82e69fb18fdc89b984f671d0c973b1220c
SSDEEP

3072:p9kuJVLxhUBf8Bo/mu+YDfYz8KrRVwWEhPt4zB+yNFp0:4uJVG7/fYfLnzB+AFa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
996	Logo1_.exe
2860	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
File created	C:\Windows\Logo1_.exe	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe
996	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4036	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	83
PID 3996 wrote to memory of 4036	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	83
PID 3996 wrote to memory of 4036	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	83
PID 3996 wrote to memory of 996	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	84
PID 3996 wrote to memory of 996	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	84
PID 3996 wrote to memory of 996	3996	4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe	84
PID 996 wrote to memory of 4748	996	Logo1_.exe	86
PID 996 wrote to memory of 4748	996	Logo1_.exe	86
PID 996 wrote to memory of 4748	996	Logo1_.exe	86
PID 4748 wrote to memory of 4060	4748	net.exe	88
PID 4748 wrote to memory of 4060	4748	net.exe	88
PID 4748 wrote to memory of 4060	4748	net.exe	88
PID 4036 wrote to memory of 2860	4036	cmd.exe	89
PID 4036 wrote to memory of 2860	4036	cmd.exe	89
PID 4036 wrote to memory of 2860	4036	cmd.exe	89
PID 996 wrote to memory of 3480	996	Logo1_.exe	56
PID 996 wrote to memory of 3480	996	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
  "C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a659F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe
      "C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe"
      4⤵
      Executes dropped EXE
      PID:2860
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
b53bff31a1dca2207b0341a432ff790b

SHA1
95c6b721c62c070074a4662e42ca22769899ea95

SHA256
36f3c49f01eb7f520ad11b56eb4f2be2c0c812f2e7f1a2ad63803a0068205202

SHA512
cdba33a42a143387542f6a2fdbe2f2e45762e271e54b7581c6273a1f92f353cb34045248b5e7f7200332f47297966fac5f742c6e906cbfd4fab0423b6c89ba0d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
ff7ce6c4ffc92d1beca4883dfcfde0af

SHA1
4a52e320cd88765f13e2799a4980a12f788c98a4

SHA256
5a4e150d03f1cfadccd40a407a3ae8ec5ffbb5d28ea95dca136d67cac24fd8b5

SHA512
99056bcbb382e545304a33002a6cfbb7a57df663feca5a3842bf077d1126931ba78d5e04a93cbd72a7c6d9eb09005750e5cff1030d8586e26838e7634d7ad583

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a659F.bat

Filesize
722B

MD5
cea06ad61a15cd932755af44f9e93318

SHA1
0663c7bbe9814582c3961ceed7247d4b5a93b10d

SHA256
d329dcb90d2955dacea4e66fadc8d5f17dd9caad3ef1f6cfa47f9a3b9b954701

SHA512
a27c64e3001938ceb7f58e24c95d6cdc2b73e8f61942f0faaa44769d87efe4b35f72bed3f56248650a696752cdd445101c2c92c5cf863181d16b6818ee5ce2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e935354e1c6c61a1aa16405a415266edc4b6f910f6dae8eeee48321dba88899.exe.exe

Filesize
98KB

MD5
b8d34226a11443d575f205e3dc9d87e8

SHA1
f1952c7a285664816ae09ce1df8a79d1d49f3dbf

SHA256
57db243b4fbae3ee90c0f52e0d6871bcd47e8d23236381f051704350c8297f7c

SHA512
181229544e43348d08ac0be3f03e4572baa5df255de5db79466904857016e670c130177035492159eb077c5629857741430639bee7c9552d17f7ae960403c82d

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
ca7aead79b7295c052be33014e4ed990

SHA1
a768ad348a64c11d69c5e909871beb9361d2c16b

SHA256
13ffeb88b5674f2f8588cff12c5e4e0a2dab8843a1e5e0ddcdc1e3fa8e10a7a7

SHA512
4fc323fd0aa80bbdaa85d7c37032ed92b54817f55a07976b9a45eb65e77cdd80cab98c34fd38b9c2f3a9cadbf878396bf9ce196b2f9168cbebf4a9107e191f26

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

Filesize
9B

MD5
db64fea40b8b0f0d620ef2ecc6eadbca

SHA1
51736590bfbfbac961899ddcc9be998bfeabd3d5

SHA256
946d3f6b9ecc2fa53895526caf79e41850ad594f22a240d93f8bb7eb286d70f8

SHA512
b70e24f5930090ac0c9a584f3810d41af8de5562c6b78f6979ea97c929edc18d57bedb9af335d19307aa0db00004aa5a4e553f24ac884365d8bd899d6f3258c0

Download Submit
memory/996-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-1191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-1230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-4795-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-5234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3996-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3996-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download