Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-hbk26sdc2s
Target d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4
SHA256 d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4

Threat Level: Shows suspicious behavior

The file d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4 was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:33

Reported

2024-06-10 06:38

Platform

win7-20240508-en

Max time kernel

100s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 2424 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 2424 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 2424 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 2028 wrote to memory of 2368 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2028 wrote to memory of 2368 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2028 wrote to memory of 2368 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2028 wrote to memory of 2368 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2368 wrote to memory of 2744 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2368 wrote to memory of 2744 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2368 wrote to memory of 2744 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2368 wrote to memory of 2744 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2448 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 2448 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 2448 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 2448 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 2028 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe

"C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A64.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe

"C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe"

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2424-12-0x0000000000220000-0x0000000000256000-memory.dmp

C:\Windows\Logo1_.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

memory/2028-20-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2424-18-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2424-17-0x0000000000220000-0x0000000000256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1A64.bat

MD5 8b3f912b135c269c2932cb04685e9117
SHA1 341998c0e494140543a7971786f0e2643adca164
SHA256 48b9db0b7386f3a53727a1c5808920e6f730ba409de3d7cf56b2b8a1f9a96267
SHA512 8fe84c1034f4113de936d8b290427727a5c80678d1629009e26c2fab9085ff4938839f752781ab0a2eaaf474a885fe9f45ae6cd3fbde761276e1230ca6243908

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe.exe

MD5 5fbd45261a2de3bb42f489e825a9a935
SHA1 ff388f6e9efe651ec62c4152c1739783e7899293
SHA256 9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4
SHA512 7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

memory/1204-31-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/2028-33-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2028-40-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-46-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-92-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-98-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-674-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-1875-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 9fff503fad7fa1d9cc7453fdf86ff0e0
SHA1 f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256 826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512 c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f

memory/2028-2816-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2028-3335-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 25408b7ff8c885c99c0429788fcc1320
SHA1 e5a91f3984dd3569a32a8b82c95a5430e828eb75
SHA256 ce5b5c337e6b25e7ea60ab1a528dcf8c70e952761b99c47a5051a17aabd9462c
SHA512 680cfc4bbcf7859075dd43a4a4e3a41084cd3e4783ad3fb35f1d9ee1971a3324ef132f65bd8afd9e245eb2ffcd27e02b035f1f96a0a97a06c37b620849d68c15

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:33

Reported

2024-06-10 06:38

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
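The "Drops file" tables above (this one and the behavioral1 table, plus the two "Drops file in Windows directory" tables) are flattened: Description, Indicator, Process and Target are space-separated, yet the Indicator paths contain spaces. What a responder wants out of them is three lists: the helper binaries the sample writes into C:\Windows, the third-party executables it opened for modification (each of which needs its signature re-verified or the file reinstalled), and the _desktop.ini markers that show which directory trees it walked. The Python below is an added example, not part of the sandbox report or its tooling; it parses a selection of rows copied from both runs and buckets them. It assumes, as holds for every row in this report, that the Process column never contains a space, so the Indicator path can be matched greedily up to the final "<drive>:\" token.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Description is a fixed vocabulary, the Indicator path is matched greedily, and the
# Process path is assumed to be space-free (true for both process images in this report).
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification|File opened \(read-only\)) "
    r"(?P<path>.+) (?P<proc>[A-Za-z]:\\\S+) N/A$"
)

# Constructed input: rows copied from the report's "Drops file in Program Files directory"
# (behavioral1 and behavioral2) and "Drops file in Windows directory" tables.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe")
ROWS = [
    rf"File created C:\Windows\rundl132.exe {SAMPLE_EXE} N/A",
    rf"File created C:\Windows\Logo1_.exe {SAMPLE_EXE} N/A",
    r"File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A",
    r"File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A",
    r"File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A",
    r"File created C:\Program Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\Google\Chrome\Application\_desktop.ini C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A",
    r"File created C:\Program Files\dotnet\_desktop.ini C:\Windows\Logo1_.exe N/A",
]


def parse_row(row):
    """Split one report row into (description, indicator path, process path)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return m.group("desc"), PureWindowsPath(m.group("path")), PureWindowsPath(m.group("proc"))


def triage(rows):
    """Bucket file events by what a responder has to do about them.

    dropped     - anything written under %WINDIR% (the sample's own helpers)
    touched_exe - executables elsewhere that were opened for modification
    markers     - _desktop.ini files (not a Windows name; Windows uses desktop.ini)
    """
    out = {"dropped": [], "touched_exe": [], "markers": [], "other": []}
    for row in rows:
        desc, path, _proc = parse_row(row)
        parts = [p.lower() for p in path.parts]
        if path.name.lower() == "_desktop.ini":
            out["markers"].append(path)
        elif len(parts) > 1 and parts[1] == "windows":
            out["dropped"].append(path)
        elif path.suffix.lower() == ".exe" and desc == "File opened for modification":
            out["touched_exe"].append(path)
        else:
            out["other"].append(path)
    # the same file can appear once as "created" and again as "opened for modification"
    return {k: list(dict.fromkeys(v)) for k, v in out.items()}


def by_product(paths):
    """Group paths by the directory directly under Program Files (e.g. 'Java', '7-Zip')."""
    groups = defaultdict(list)
    for p in paths:
        parts = p.parts
        key = parts[2] if len(parts) > 3 and parts[1].lower().startswith("program files") else parts[1]
        groups[key].append(p)
    return dict(groups)


if __name__ == "__main__":
    t = triage(ROWS)
    print("dropped helpers :", [str(p) for p in t["dropped"]])
    print("re-verify/restore:", {k: len(v) for k, v in by_product(t["touched_exe"]).items()})
    print("marker dirs     :", sorted(str(p.parent) for p in t["markers"]))
```

The "touched_exe" bucket is the restore list: each of those binaries was opened for writing by C:\Windows\Logo1_.exe, so a hash or Authenticode check against the vendor's original is the only way to confirm it is still intact. The marker list is cheaper to act on, since a file literally named _desktop.ini is not something Windows or these products create.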

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 3452 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 3452 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe C:\Windows\Logo1_.exe
PID 244 wrote to memory of 960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 244 wrote to memory of 960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 244 wrote to memory of 960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 232 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 232 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe
PID 244 wrote to memory of 3432 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 244 wrote to memory of 3432 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe

"C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5360.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe

"C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe"
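The WriteProcessMemory rows in both runs (PIDs 2424, 2448, 2028, 2368, 2744, 2648 and 1204 in behavioral1; 3452, 232, 244, 960, 880, 3736 and 3432 here) are the report's record of the launch chain: every parent/child pair from the Processes list appears as a short burst of writes, and the one write that goes into a process the sample did not start (C:\Windows\Logo1_.exe into C:\Windows\Explorer.EXE, the sandbox's desktop shell and the root of the Command Line section) is the cross-process injection that earns the "suspicious" label. The Python below is an added example, not part of the report or the sandbox's own tooling. It parses the behavioral2 rows as printed, separates creation writes from injection, renders the process tree, and flags the net stop of a security-product service from the command lines. The rows and command lines are copied from this report; which PIDs already existed before the sample ran is the one thing the rows cannot tell you, so PID 3432 is passed in explicitly.

```python
import re
from collections import defaultdict

# Constructed input: the behavioral2 "Suspicious use of WriteProcessMemory" rows,
# one string per row, with the report's repeated rows kept (each is a separate call).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO = r"C:\Windows\Logo1_.exe"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
WPM_ROWS = (
    [f"PID 3452 wrote to memory of 232 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 3452 wrote to memory of 244 N/A {SAMPLE} {LOGO}"] * 3
    + [f"PID 244 wrote to memory of 960 N/A {LOGO} {NET}"] * 3
    + [f"PID 960 wrote to memory of 880 N/A {NET} {NET1}"] * 3
    + [f"PID 232 wrote to memory of 3736 N/A {CMD} {SAMPLE}"] * 2
    + [f"PID 244 wrote to memory of 3432 N/A {LOGO} {EXPLORER}"] * 2
)
# Command lines from the behavioral2 "Processes" list, in the order the report gives them.
CMDLINES = [
    EXPLORER,
    f'"{SAMPLE}"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5360.bat",
    LOGO,
    'net stop "Kingsoft AntiVirus Service"',
    r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    f'"{SAMPLE}"',
]

# Writer and target images are the last two columns; the writer path is matched greedily,
# so the target is whatever follows the final "<drive>:\" on the line.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (?P<src>.+) (?P<dst>[A-Za-z]:\\.+)$")


def parse_rows(rows):
    """Return (edges, images): edges counts (writer, target) PID pairs, images maps PID -> path."""
    edges, images = defaultdict(int), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        images[src], images[dst] = m.group("src"), m.group("dst")
    return dict(edges), images


def classify_writes(edges, preexisting):
    """Writes into a freshly created child are process creation; writes into a
    process that existed before the sample ran are cross-process injection."""
    spawns = {e for e in edges if e[1] not in preexisting}
    injections = {e for e in edges if e[1] in preexisting}
    return spawns, injections


def process_tree(spawns, images):
    """Render the creation chain as indented 'pid image' lines, roots first."""
    children = defaultdict(list)
    for parent, child in sorted(spawns):
        children[parent].append(child)
    roots = sorted({p for p, _ in spawns} - {c for _, c in spawns})
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


# net.exe or net1.exe (with or without path) followed by: stop "<service>"
STOP_RE = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.I)
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "protect")


def service_stops(cmdlines):
    """Return (service name, looks like a security product) for every `net stop` seen."""
    hits = []
    for line in cmdlines:
        m = STOP_RE.search(line)
        if m:
            name = m.group(1).strip()
            hits.append((name, any(w in name.lower() for w in SECURITY_WORDS)))
    return hits


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    spawns, injections = classify_writes(edges, preexisting={3432})
    print("\n".join(process_tree(spawns, images)))
    for src, dst in sorted(injections):
        print(f"INJECTION: {src} {images[src]} -> {dst} {images[dst]} ({edges[(src, dst)]} writes)")
    for name, security in service_stops(CMDLINES):
        print(f"SERVICE STOP: {name!r} security_product={security}")
```

The same logic transfers to endpoint telemetry: a process-creation event is normal, a WriteProcessMemory (or equivalent EDR signal) whose target is not a child of the writer is the thing to alert on, and net.exe stopping a service whose name contains an antivirus keyword, launched from a freshly dropped binary in C:\Windows rather than an administrator's shell, is defense evasion regardless of which product is named.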

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Every recorded packet is a reverse (PTR) lookup sent to the resolver 8.8.8.8 (an in-addr.arpa name is the address with its octets reversed, so 97.17.167.52.in-addr.arpa asks about 52.167.17.97). No forward name resolution and no connection to any host other than the resolver appears in the trace, so this table supplies no command-and-control indicator; behavioral1 recorded no network activity at all.

Files

memory/3452-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\rundl132.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

memory/244-11-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3452-10-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5360.bat

MD5 6776d37b846fbf9c0b0047ab3a66ebe9
SHA1 f08b94884711f33b9ba39a79674d88eb9e99363c
SHA256 52d3b044ba68a341d8977eb18938df8acff5a21d931c8e257cea157d3bd9e2a8
SHA512 fbd0668a81db2c36ff34481335d236dd184da898214e125c8d046cd2fec2ecd3c932dba49a222fd3568550fdfba35c23c7702db984f25bddd48274cbd7bd6207

C:\Users\Admin\AppData\Local\Temp\d0bbbb6cb7adbecf36f907979ffa22e8cd767042a0f1197d8deb7304f892e0d4.exe

MD5 5fbd45261a2de3bb42f489e825a9a935
SHA1 ff388f6e9efe651ec62c4152c1739783e7899293
SHA256 9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4
SHA512 7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

memory/244-20-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/244-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/244-33-0x0000000000400000-0x0000000000436000-memory.dmp

memory/244-37-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\WatchRegister.exe

MD5 36618a164747e2f3fae28f980f706160
SHA1 127cadc51b2f001bac890c7b3ec3e11f7abc622e
SHA256 c96aa9dc2ae6cad147d49fc820c91733ebb03c305d05c9678c2b50d4fecee095
SHA512 861fa33e5928ab068c0b87fcff1d6986d68de275a84c0a8b446450796332a5d6e104fe86ee2a420415a70d1c0f220947a4d32444b4f2aa4afe31395662056d57

memory/244-1232-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 9fff503fad7fa1d9cc7453fdf86ff0e0
SHA1 f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256 826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512 c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f

memory/244-4798-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c168f1400f09b767044170c5c0603287
SHA1 806b134d2145304a602bc358c2664cc266a52aeb
SHA256 05d52614bdae4496eb435a35b3eb91cc424abb582fdaaae8a8f96a3cf34e2676
SHA512 532f698580361daa78290a7871c1a58fd6e9a445ec78224f7b90bea454fb15183eaa9cee1ef9dcf3fb30a56b5fa6e57de67b817fe04cd5bd61ca5e6710f8f9a1

memory/244-5237-0x0000000000400000-0x0000000000436000-memory.dmp
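The Files sections of both runs give the hashes of what the sample leaves on disk: the same C:\Windows\Logo1_.exe / C:\Windows\rundl132.exe binary (SHA256 037c1fc3...a3ed) in both runs, a $$aXXXX.bat in the user's Temp directory, and a _desktop.ini marker (SHA256 5e9944cc...00d4) that was identical on the F: drive in both detonations. The Python below is an added example, not part of the report or the sandbox's tooling, showing how those three facts turn into a host hunt: walk a tree, hash every file against the report's hashes, and independently flag the dropped filenames, the $$a + four hex digits .bat pattern seen in both runs, and any file named _desktop.ini (a name Windows itself does not use; its folder customisation file is desktop.ini). It builds a throwaway directory laid out like the infected host from constructed data, so it runs offline; the Logo1_.exe it writes is placeholder bytes, not the real sample, which is why the demonstration of a hash hit adds that placeholder's own digest to the IOC set at run time.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Files sections (behavioral1 and behavioral2).
IOC_SHA256 = {
    "037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed": "Logo1_.exe / rundl132.exe",
    "48b9db0b7386f3a53727a1c5808920e6f730ba409de3d7cf56b2b8a1f9a96267": "$$a1A64.bat",
    "52d3b044ba68a341d8977eb18938df8acff5a21d931c8e257cea157d3bd9e2a8": "$$a5360.bat",
    "5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4": "_desktop.ini marker",
}
# Filenames the sample writes into %WINDIR% (from "Drops file in Windows directory").
IOC_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
# Batch-file name pattern as seen in the two runs ($$a1A64.bat, $$a5360.bat); an assumption
# that the middle four characters are always hex digits.
BAT_RE = re.compile(r"^\$\$a[0-9a-f]{4}\.bat$", re.I)
MARKER = "_desktop.ini"


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA256 so large binaries under Program Files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, ioc_hashes=IOC_SHA256):
    """Walk `root`; return (kind, path, detail) findings.

    kind is 'hash' for a file whose SHA256 is in ioc_hashes, 'name' for a dropped helper
    filename or a $$aXXXX.bat, and 'marker' for a _desktop.ini directory marker.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            low = name.lower()
            if low == MARKER:
                findings.append(("marker", p, None))
            if low in IOC_NAMES or BAT_RE.match(name):
                findings.append(("name", p, None))
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished file; move on rather than abort the sweep
            if digest in ioc_hashes:
                findings.append(("hash", p, ioc_hashes[digest]))
    return findings


def build_demo_tree():
    """Constructed data: a temp directory shaped like the infected host in the report."""
    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    (root / "Windows").mkdir()
    (root / "Windows" / "Logo1_.exe").write_bytes(b"MZ placeholder, not the real sample")
    (root / "Users" / "Admin" / "AppData" / "Local" / "Temp").mkdir(parents=True)
    (root / "Users" / "Admin" / "AppData" / "Local" / "Temp" / "$$a1A64.bat").write_text("constructed\n")
    (root / "Program Files" / "Java").mkdir(parents=True)
    (root / "Program Files" / "Java" / MARKER).write_text("constructed marker\n")
    (root / "Program Files" / "Java" / "README.txt").write_text("clean file\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for kind, path, detail in hunt(root):
        print(f"{kind:6} {path.relative_to(root)} {detail or ''}")
    # Demonstrate the hash path with the placeholder's own digest standing in for the sample's.
    extra = {**IOC_SHA256, sha256_of(root / "Windows" / "Logo1_.exe"): "placeholder binary"}
    print([d for k, _, d in hunt(root, extra) if k == "hash"])
```

On a real host, run it against each fixed drive root (the report shows the sample enumerating every letter from E: to Z:), and treat the name and marker hits as the durable signal: the hash entries only catch this exact build, whereas a _desktop.ini written into a product directory, or a Logo1_.exe / rundl132.exe / vDll.dll in C:\Windows, has no legitimate origin.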