Malware Analysis Report

2024-09-09 12:17

Sample ID 240610-hhkpzsdd2w
Target de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa
SHA256 de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa
Tags
oss_ak
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa

Threat Level: Likely malicious

The file de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa was found to be: Likely malicious.

Malicious Activity Summary

oss_ak

detect oss ak

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:51

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:44

Reported

2024-06-10 07:01

Platform

win7-20240221-en

Max time kernel

100s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 3000 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 3000 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 3000 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 2208 wrote to memory of 2532 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2208 wrote to memory of 2532 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2208 wrote to memory of 2532 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2208 wrote to memory of 2532 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2532 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1544 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 1544 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 1544 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 1544 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 2208 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2208 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe

"C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a225F.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe

"C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/3000-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a225F.bat

MD5 7d9b33fa043551317fa38d72cda53000
SHA1 ef773636424a5c5e53d8623d6fd6f7cdea72afba
SHA256 770c99ed1145f2263938e31ea5d27efe3faa97471b5cbe7f965810ada0cc7b42
SHA512 c5ca55f1d9b0dff811db1bbdd9b255036398a2b8a38c7dc552be27099f7256637f13e1fd5b7b550c597d8cf1adc60656ba9ef454b8d2c414cf70b1e2384d5360

C:\Windows\Logo1_.exe

MD5 738139875a4e601cb15f0d1bce2a0073
SHA1 15d48505b97a2b1bae4c4775437735f3842513de
SHA256 986310af0e488e221fb864c816c7dd3e2e362d2bd22a69ab7bada3d23a4de3f5
SHA512 456367b9e8af79b6f0b22f69d9310dfcc93ab497680d239c21ca95bb3ed8659b544c020bb63b810d6902ecdaf740016bcdbefac2e2edc67ac3226258e3b8de18

memory/3000-15-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-17-0x0000000000220000-0x0000000000254000-memory.dmp

memory/3000-16-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2208-19-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe.exe

MD5 ec1f17b80fe5ba414a9f952d930dd018
SHA1 0b830a8549ffddd3c5e7595d8ca17a05e86988fc
SHA256 0b7c5713b0353e068e873388f0fd4aa5af1070f1ebf26a9b446e32422e030e8e
SHA512 9bf31bdfe90eb433bd7f3541472bcdc67b24f2adcaa1eceeec1c9ce50effba239f718976997f5947f653d0d1a3f7459fe3153c371f73c16227b4cacdb4367931

memory/1196-30-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2208-32-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2208-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-45-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-91-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-97-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-646-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-1850-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 1f3a1a9168dbe63459547cd13d0fde0b
SHA1 c04efb99a095e82bf5ccf7ca84975e038c26a24f
SHA256 185ac37c095e4bb0762713d5467a3ab24b00359db8ac1fb67f11b93718f10b9b
SHA512 68c1a38d74468106021c3ec65f70f9bfb6961528c9282466236d6d10d0fc79d751b87d634c0cdeca3c45c5c62d4b2f17d9c2f35a84e313e8fb70815914ae57d8

memory/2208-2442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-3310-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 df237e69878d995bac782d82f5f1d253
SHA1 2f840581e688be2e17a29189cab2e7b3378495ee
SHA256 0e1517726d96d9615155f3b54c46a5e570a659f8ae897a7c250a55bca6bf0ae2
SHA512 2ca8eb5e35b2fc315650b17d74df577a35652ce753bd7296e8d48f2bd5d52848cbf86cea7999f509330cf40832c2a33101a895c423e47f9ee133484fe14a9bab

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:44

Reported

2024-06-10 07:02

Platform

win10v2004-20240226-en

Max time kernel

119s

Max time network

161s

Command Line

C:\Windows\Explorer.EXE

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\swidtag\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\fxr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\SysWOW64\cmd.exe
PID 5020 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 5020 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 5020 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe C:\Windows\Logo1_.exe
PID 5116 wrote to memory of 2348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5116 wrote to memory of 2348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5116 wrote to memory of 2348 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2348 wrote to memory of 220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2348 wrote to memory of 220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2348 wrote to memory of 220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2880 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 2880 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 2880 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
PID 5116 wrote to memory of 3240 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 5116 wrote to memory of 3240 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe

"C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a461C.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe

"C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 172.217.20.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.20.217.172.in-addr.arpa udp

Files

memory/5020-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5020-1-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 738139875a4e601cb15f0d1bce2a0073
SHA1 15d48505b97a2b1bae4c4775437735f3842513de
SHA256 986310af0e488e221fb864c816c7dd3e2e362d2bd22a69ab7bada3d23a4de3f5
SHA512 456367b9e8af79b6f0b22f69d9310dfcc93ab497680d239c21ca95bb3ed8659b544c020bb63b810d6902ecdaf740016bcdbefac2e2edc67ac3226258e3b8de18

memory/5116-10-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5020-12-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a461C.bat

MD5 6209cddf0234bf744bcadcfdfe543eab
SHA1 43d95695cf7cdeaa4d4c76150ce21335c65dc5e4
SHA256 507dcadd805bf2a030fcaa81bab7763de0f2701ca4dcb178eb0bbab990ce02d9
SHA512 cb6bfc737b8c800d5705fc0757cb0f3ab1bcd3c4636d634b18b1efdc872ff69f5ea871910e9848bc01d0651960cada384e95a48edeaffebd781fc736ec611d4f

C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe.exe

MD5 ec1f17b80fe5ba414a9f952d930dd018
SHA1 0b830a8549ffddd3c5e7595d8ca17a05e86988fc
SHA256 0b7c5713b0353e068e873388f0fd4aa5af1070f1ebf26a9b446e32422e030e8e
SHA512 9bf31bdfe90eb433bd7f3541472bcdc67b24f2adcaa1eceeec1c9ce50effba239f718976997f5947f653d0d1a3f7459fe3153c371f73c16227b4cacdb4367931

memory/5116-21-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/5116-28-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-34-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-43-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 0eb4e12860f2859cab48837572c4399a
SHA1 ea8cbd8ed6ff399516ec0841298fa9e7882aff3a
SHA256 5195d5e6bad96971376b807f811e9442d9fb1c9d557788fa74b32688b0769435
SHA512 8dd5757b576a8586d8f382e70a4d9d781fc8bf39c5d4ec23f94c7c144e271b78b87cd507597ccea910601478c31f7d8320dc289dc558b3991333858b12384ac9

memory/5116-156-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-1017-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-1184-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5116-1200-0x0000000000400000-0x0000000000434000-memory.dmp