Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-hbnhasdc2w
Target 311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a
SHA256 311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:33

Reported

2024-06-10 06:38

Platform

win7-20240221-en

Max time kernel

100s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 1928 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 1928 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 1928 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2592 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 2592 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 2592 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 2592 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 2716 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2732 wrote to memory of 1232 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2732 wrote to memory of 1232 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe

"C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2C5E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe

"C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1928-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2C5E.bat

MD5 fede6aba9e5e5c669f577fef05d46d45
SHA1 3fc6274d96ebdb6ee319fe2332b94e697d4dcbd8
SHA256 f4a7681351e7c047a356915b33b7f7da0696ef31b968195bf9584e2adcc51c30
SHA512 0b16c5bacd0e0d5e6cf16852c7398cfd81529cd4d5ba804ca1862ae14f30094a9908cfb83aba4ae848df229e77e2aca1213a54f482b7757911fef865d0bb0d2b

C:\Windows\Logo1_.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

memory/2732-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1928-20-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1928-18-0x0000000000220000-0x0000000000256000-memory.dmp

memory/1928-17-0x0000000000220000-0x0000000000256000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

memory/1232-31-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2732-33-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2732-40-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-46-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-92-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-98-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-583-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-1851-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2732-2103-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 c72fe4f8c15b04ef57e2d34d7a079caa
SHA1 ca11936d2d1d6ad47a3108e423235e6ac95f28cb
SHA256 b3a1ce36ab9e9055503a359aeaa874f514329126eb55146ffb072a31d23b3018
SHA512 9be0d93ae6d307f8806bd0b51d7d1f0328ca018929c3b4e5dc69e5dda24ef69a0a850602e13736e8a60213c8ede81e25041961bf4d3183b7876187660c79c8d7

memory/2732-3311-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 9c1671821855ca12975573629ddd484a
SHA1 ba971ed691b0a86d1edcd8d6f1cbd1ceba8e6acb
SHA256 7441f57dcd2c39df50c7b9a40c858958f1ae0cf10eee1b8e348f8469a8cae3f8
SHA512 e3e26e0afbcdc285686d26187c2e39ff1716a794a58cd3615bcf4e3494a0cde80cc41f0be3ca4a87e0018f2c707599041dc86627a581b1c06297c7aab52d9c89

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:33

Reported

2024-06-10 06:38

Platform

win10v2004-20240508-en

Max time kernel

81s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\ModifiableWindowsApps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 4820 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 4820 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe C:\Windows\Logo1_.exe
PID 3428 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 3428 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe
PID 1048 wrote to memory of 4552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1048 wrote to memory of 4552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1048 wrote to memory of 4552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1048 wrote to memory of 3512 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1048 wrote to memory of 3512 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe

"C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE62A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe

"C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/4820-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4820-9-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1048-11-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\Logo1_.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

C:\Users\Admin\AppData\Local\Temp\311e0908222b68ef5622539585ebffc10fef822f795e69ef54f8290bfb36162a.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

C:\Users\Admin\AppData\Local\Temp\$$aE62A.bat

MD5 2a80337d15968dca64c54a1abcf93fad
SHA1 0cd4cd0d3eb77e37bae73da44afa8cb771efae31
SHA256 721b5391c1993817d55aa33d89c1ec371d5e90505f280d9a740be1447850b921
SHA512 f71258d8e830db30fccd019bfcd2e632f3175fcb13e0d9bf41c6d20fea71050ac755e543c00eb59a9d270e0616b660c69de044bc972a41c2ff4126d9152e0254

memory/1048-20-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/1048-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1048-33-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1048-37-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 71135c3e2b4ff6c00c3787cb0537c3bc
SHA1 2dee07d4b2b63ad50cae0ecb82419f2be2269b71
SHA256 832d8786895864bc451ae9166d82475b0d7655d5b0f0944bc45a672a3cc0b588
SHA512 a92aea492ca4ce9f4b62927df6cdb206a4a709e8d79e7434b28b0cd0b02262a8ceb45a01911c8bb3cc0cf71b36b6a43f138b0eb268abe3b08eb3d5a02d911c82

memory/1048-1237-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 9fff503fad7fa1d9cc7453fdf86ff0e0
SHA1 f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256 826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512 c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f

memory/1048-4875-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 0c9de19b9991afe6465725eb0c96d2ee
SHA1 8bf03e9174fd8481ad6529fd05e90666593f0b18
SHA256 e18a2ba77878bec56ed24f422f4daf0bd7232764b514654e02bc8417b5128afe
SHA512 92ed9c8b6dad1a58730bc139d5197c15a13300faae1bde8026827ae248d6043817614f362dedd23a27868e695f52302f618c9f2f504fb878791b5345adfc6171

memory/1048-5320-0x0000000000400000-0x0000000000436000-memory.dmp