d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
Size

260KB
MD5

e2cbfa7c2535dccb0498e65a13d663e0
SHA1

d09b49a7cf5b57199a449379dfb14d6bd27254ee
SHA256

d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead
SHA512

73121287523b692ad2b72ab1d8298b2fa76cee13019061dfbd1d779275b271bbbcfe4fbf616c265cc082ea2de4105264a819fbfd58d6938afada76386304c928
SSDEEP

1536:pM3SHuJV9N1ILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uhNS:pMkuJVL1LRkgUA1nQZwFGVO4Mqg+WDY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3012	Logo1_.exe
1884	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
File created	C:\Windows\Logo1_.exe	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe
3012	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 984	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	91
PID 4412 wrote to memory of 984	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	91
PID 4412 wrote to memory of 984	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	91
PID 4412 wrote to memory of 3012	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	93
PID 4412 wrote to memory of 3012	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	93
PID 4412 wrote to memory of 3012	4412	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	93
PID 984 wrote to memory of 1884	984	cmd.exe	94
PID 984 wrote to memory of 1884	984	cmd.exe	94
PID 984 wrote to memory of 1884	984	cmd.exe	94
PID 3012 wrote to memory of 888	3012	Logo1_.exe	95
PID 3012 wrote to memory of 888	3012	Logo1_.exe	95
PID 3012 wrote to memory of 888	3012	Logo1_.exe	95
PID 888 wrote to memory of 4152	888	net.exe	97
PID 888 wrote to memory of 4152	888	net.exe	97
PID 888 wrote to memory of 4152	888	net.exe	97
PID 3012 wrote to memory of 3376	3012	Logo1_.exe	57
PID 3012 wrote to memory of 3376	3012	Logo1_.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
  "C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD448.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
      "C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe"
      4⤵
      Executes dropped EXE
      PID:1884
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
573KB

MD5
a3635526227732f8e9d430ee7d584cd9

SHA1
89e3340ed0e5c3af981e8b46b5f264c7dfe05514

SHA256
28424b9aefb7670b294303daf622c52e936a6c84bcc9bc22785918ed32d70629

SHA512
439759aeec5377660e86e61ce5e71f401313a7174fc23ecef6475e1a14faaf2182f344602bc076e72ea8715560d8c6aaf9c7758b6e59220752c04db601ef7a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD448.bat

Filesize
722B

MD5
b67cbf11a4334aa2f2c970c40c545e6e

SHA1
66e8300529a25410aeef8bd2ab055b91d427f402

SHA256
5db907248c03bc2893f77609565503d33c232fbe66b693e6aee924cf6b29782c

SHA512
2aa7570ea1ee0d10671a5440f94baed01385f8e6d84fc920a3e309e88fa4b55a2477b7d263756dc5ca821610b0c667993a383f78b85ad841bf1421bf5e9d7411

Download Submit
C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
ffd4c08e47961e2de68bbe4105d8d26a

SHA1
4cfa8ccbd7efb2e91d193765ff10a7db5672ee66

SHA256
8145b427321f639aea369886bf367b29002dd11e45087b4361f7da2c0eff2791

SHA512
d755ae9bea63b39f99d3ed5a3396af855984d1afff1df4d7107342ec6ace5cb1b91cbd96d27770ccafd5e4f78e7616f99f92def5c0a9c74862b229e12e8be60a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

Filesize
9B

MD5
7d17b811a66f09661920bf5af1f95ae9

SHA1
f974fb71f0c9242357d308243f16d5509a0fb040

SHA256
1ffbf32a83283a76202c268eb3ea579c4b39aa6fb11fc42ad18318286fbf749c

SHA512
019689bb28dd360a9b3fe6696944854f806ebe877734f4f8533f7c2508d371049a96f6c7bd5dda908ab91686dbfba4a54335cbc6c4d649775e62912f0af730e3

Download Submit
memory/3012-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-1016-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-1017-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-1184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4412-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download