Analysis
max time kernel: 119s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 06:44
Behavioral task: behavioral1
  Sample: de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
  Resource: win10v2004-20240226-en
General
Target: de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
Size: 437KB
MD5: a3cef060995db1884c1522632bf00653
SHA1: 7e542ccaa9d6379c1fad52a46d9850b08072b267
SHA256: de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa
SHA512: 88ad37680cee1c22617a00a80d854bb20ef5fd4af91640367593de692c1618890143ba4b960571ac447c58268cd8b1f8726b8625097758765f0d45b8eb81b56e
SSDEEP: 12288:iU7+T0AWrA+gThCNwpEcAjq9Trv9g0Z9i3v9:37wMUUKvAjq9TRg0Z9iF
Malware Config
Signatures
resource | yara_rule
behavioral2/files/0x0008000000023261-18.dat | detect_ak_stuff
Executes dropped EXE (2 IoCs)
pid | Process
5116 | Logo1_.exe
2636 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\swidtag\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\applet\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
File created | C:\Windows\Logo1_.exe | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
5116 | Logo1_.exe (this entry is recorded 20 times)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 5020 wrote to memory of 2880 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 90
PID 5020 wrote to memory of 2880 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 90
PID 5020 wrote to memory of 2880 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 90
PID 5020 wrote to memory of 5116 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 92
PID 5020 wrote to memory of 5116 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 92
PID 5020 wrote to memory of 5116 | 5020 | de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe | 92
PID 5116 wrote to memory of 2348 | 5116 | Logo1_.exe | 93
PID 5116 wrote to memory of 2348 | 5116 | Logo1_.exe | 93
PID 5116 wrote to memory of 2348 | 5116 | Logo1_.exe | 93
PID 2348 wrote to memory of 220 | 2348 | net.exe | 95
PID 2348 wrote to memory of 220 | 2348 | net.exe | 95
PID 2348 wrote to memory of 220 | 2348 | net.exe | 95
PID 2880 wrote to memory of 2636 | 2880 | cmd.exe | 96
PID 2880 wrote to memory of 2636 | 2880 | cmd.exe | 96
PID 2880 wrote to memory of 2636 | 2880 | cmd.exe | 96
PID 5116 wrote to memory of 3240 | 5116 | Logo1_.exe | 54
PID 5116 wrote to memory of 3240 | 5116 | Logo1_.exe | 54
Processes
- C:\Windows\Explorer.EXE  (PID 3240)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe  (PID 5020)
    command line: "C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (PID 2880)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a461C.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe  (PID 2636)
        command line: "C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe  (PID 5116)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe  (PID 2348)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  (PID 220)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 932)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512KB
  MD5: 0eb4e12860f2859cab48837572c4399a
  SHA1: ea8cbd8ed6ff399516ec0841298fa9e7882aff3a
  SHA256: 5195d5e6bad96971376b807f811e9442d9fb1c9d557788fa74b32688b0769435
  SHA512: 8dd5757b576a8586d8f382e70a4d9d781fc8bf39c5d4ec23f94c7c144e271b78b87cd507597ccea910601478c31f7d8320dc289dc558b3991333858b12384ac9
- Filesize: 722B
  MD5: 6209cddf0234bf744bcadcfdfe543eab
  SHA1: 43d95695cf7cdeaa4d4c76150ce21335c65dc5e4
  SHA256: 507dcadd805bf2a030fcaa81bab7763de0f2701ca4dcb178eb0bbab990ce02d9
  SHA512: cb6bfc737b8c800d5705fc0757cb0f3ab1bcd3c4636d634b18b1efdc872ff69f5ea871910e9848bc01d0651960cada384e95a48edeaffebd781fc736ec611d4f
- C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe.exe
  Filesize: 410KB
  MD5: ec1f17b80fe5ba414a9f952d930dd018
  SHA1: 0b830a8549ffddd3c5e7595d8ca17a05e86988fc
  SHA256: 0b7c5713b0353e068e873388f0fd4aa5af1070f1ebf26a9b446e32422e030e8e
  SHA512: 9bf31bdfe90eb433bd7f3541472bcdc67b24f2adcaa1eceeec1c9ce50effba239f718976997f5947f653d0d1a3f7459fe3153c371f73c16227b4cacdb4367931
- Filesize: 26KB
  MD5: 738139875a4e601cb15f0d1bce2a0073
  SHA1: 15d48505b97a2b1bae4c4775437735f3842513de
  SHA256: 986310af0e488e221fb864c816c7dd3e2e362d2bd22a69ab7bada3d23a4de3f5
  SHA512: 456367b9e8af79b6f0b22f69d9310dfcc93ab497680d239c21ca95bb3ed8659b544c020bb63b810d6902ecdaf740016bcdbefac2e2edc67ac3226258e3b8de18
- Filesize: 9B
  MD5: 60b1ffe4d5892b7ae054738eec1fd425
  SHA1: 80d4e944617f4132b1c6917345b158f3693f35c8
  SHA256: 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
  SHA512: 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc