Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-hbrjysdh88
Target 62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e
SHA256 62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e
Tags
Score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e

Threat Level: Shows suspicious behavior

The file 62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e was classified as showing suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:34

Reported

2024-06-10 06:38

Platform

win7-20240508-en

Max time kernel

101s

Max time network

129s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 1920 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 1920 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 1920 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3068 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 2616 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2768 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2848 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe

"C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1AB2.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe

"C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1920-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1AB2.bat

MD5 43b1c191a08b3922900c036c582df4c4
SHA1 3545f174a6f1506115adcd5441097eb90130b847
SHA256 53816fc84e807a3ec004163eb4b0c09048c20eacf0282946c888476e35d2cabf
SHA512 2b35c27f06ca9d8a55ff55e20fd6993277b3f8a44c71ff6af92ff53acd2746a6f43533022bd82194b7cf362e8d33c33ab2e03bd004761cd99d86aeb5f03f31c6

C:\Windows\Logo1_.exe

MD5 e76bc01a95541b7053d812c194d99999
SHA1 958bb2a983d7c04de2a6a21fe6784d09f9406130
SHA256 681838ab6bee836a3724d70b442fedfebeb0da5f5f38264f8fe6990640c79401
SHA512 5d238d9886296877e1583c20d5dc00e8529c9fb5a6d0522a30ae3fc5a371e71952b10cf6f23510bfe9865fda5b938e2c3ed075c21f265912d022ef9185793623

memory/1920-16-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-18-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

memory/1192-29-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2848-31-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2848-38-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-44-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-90-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-96-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-459-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-1873-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2848-2199-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 76f7a1163a5fc31bb5344ba1b202fed8
SHA1 15a2cea406042e2e9809d0980e62701c77929d7f
SHA256 064a9416a904e64a1fc3670b7b326ea72bd1a0871e9e56fc55e381e8e8fdccc3
SHA512 3dd7dd114c80805d24e865ddaabe54c0d9a826c6edebe52b8dbaae621651fc448a664f0a03dcda581e29647246aca0a84cd70af855c6eb2480c200a2b6309cb3

memory/2848-3333-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 9c1671821855ca12975573629ddd484a
SHA1 ba971ed691b0a86d1edcd8d6f1cbd1ceba8e6acb
SHA256 7441f57dcd2c39df50c7b9a40c858958f1ae0cf10eee1b8e348f8469a8cae3f8
SHA512 e3e26e0afbcdc285686d26187c2e39ff1716a794a58cd3615bcf4e3494a0cde80cc41f0be3ca4a87e0018f2c707599041dc86627a581b1c06297c7aab52d9c89

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:34

Reported

2024-06-10 06:38

Platform

win10v2004-20240426-en

Max time kernel

80s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\ModifiableWindowsApps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 3416 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 3416 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe C:\Windows\Logo1_.exe
PID 4744 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4744 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4744 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4208 wrote to memory of 4572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4208 wrote to memory of 4572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4208 wrote to memory of 4572 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3240 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3240 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 3240 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe
PID 4744 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4744 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe

"C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33C2.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe

"C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/3416-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\Logo1_.exe

MD5 e76bc01a95541b7053d812c194d99999
SHA1 958bb2a983d7c04de2a6a21fe6784d09f9406130
SHA256 681838ab6bee836a3724d70b442fedfebeb0da5f5f38264f8fe6990640c79401
SHA512 5d238d9886296877e1583c20d5dc00e8529c9fb5a6d0522a30ae3fc5a371e71952b10cf6f23510bfe9865fda5b938e2c3ed075c21f265912d022ef9185793623

memory/3416-10-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4744-11-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a33C2.bat

MD5 24f8cb84d964d04825139ee8503c26bf
SHA1 a195c1b3256074f87db9e255a1ba83f030a2482b
SHA256 0fb0b51ce0b4092b216ecf46cc7eaf2c8f29002a446c467de217b60b027038f6
SHA512 d85ce9e8b6d1d71d6b3b0c4e6e97769f0c905c35df75cb1175fd7a77cb3019c539345c76977e92d61344620f468087dfa86785b722caf879b3fd7f73a857124d

C:\Users\Admin\AppData\Local\Temp\62cb24949ba3e484fe090870ad96e159185019882ac17d890cc6f8d3bffbd98e.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

memory/4744-20-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/4744-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4744-33-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4744-37-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 eaf5c7310ef7e48ff1d0dce1ef4fcd20
SHA1 c0d7950bc14afdf159eea62ef231a4086137d1ec
SHA256 8411c80aeca9f35dd06be9c7f5774f2d2915fd06be4582edb408100f127c51a4
SHA512 8855d4bfd452595d94c9705941c61314771f8e17b3091dd3b8c5a874f66a00fc54fa655cddbcd845b9d428a0cb7bb390fb3ac448709a161bbdd840afd25000db

memory/4744-1231-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 76f7a1163a5fc31bb5344ba1b202fed8
SHA1 15a2cea406042e2e9809d0980e62701c77929d7f
SHA256 064a9416a904e64a1fc3670b7b326ea72bd1a0871e9e56fc55e381e8e8fdccc3
SHA512 3dd7dd114c80805d24e865ddaabe54c0d9a826c6edebe52b8dbaae621651fc448a664f0a03dcda581e29647246aca0a84cd70af855c6eb2480c200a2b6309cb3

memory/4744-4799-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c168f1400f09b767044170c5c0603287
SHA1 806b134d2145304a602bc358c2664cc266a52aeb
SHA256 05d52614bdae4496eb435a35b3eb91cc424abb582fdaaae8a8f96a3cf34e2676
SHA512 532f698580361daa78290a7871c1a58fd6e9a445ec78224f7b90bea454fb15183eaa9cee1ef9dcf3fb30a56b5fa6e57de67b817fe04cd5bd61ca5e6710f8f9a1

memory/4744-5238-0x0000000000400000-0x0000000000436000-memory.dmp