Analysis
-
max time kernel
150s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06/07/2024, 03:09
Static task
static1
Behavioral task
behavioral1
Sample
36bd4933ec5fdb10a5914ef3ff319e60.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
36bd4933ec5fdb10a5914ef3ff319e60.exe
Resource
win10v2004-20240508-en
General
-
Target
36bd4933ec5fdb10a5914ef3ff319e60.exe
-
Size
2.3MB
-
MD5
36bd4933ec5fdb10a5914ef3ff319e60
-
SHA1
20f5df024590c10b9353d3d746e36c2c038222af
-
SHA256
cc86bc48d4f1cc13fcd84842ab4a30c9086f12eac0daa6f9b7f9353a65deaba9
-
SHA512
7b4436a9adc4a52c226c839ea962b767c68d2780e5a25035abfa97ea94deb8a52ce7bb1815df5dcf4f7e00f77b62b1b634b56db74fe2b0c307ffeaa9d7fadb95
-
SSDEEP
49152:cOE39Y0jCMnxDHpgmpz873cKsvVBAUZLYgio6EZGaXBuQQ9ec0NUEB:/1Mnx7p19873cKstBAUZLGqa0NUEB
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
928   Logo1_.exe
2968  36bd4933ec5fdb10a5914ef3ff319e60.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: Logo1_.exe   (all 21 entries)
ioc: \??\V: \??\Q: \??\I: \??\H: \??\W: \??\T: \??\R: \??\O: \??\N: \??\K: \??\Z: \??\X: \??\G: \??\J: \??\E: \??\Y: \??\U: \??\S: \??\P: \??\M: \??\L:
In letter order that is E through Z except F; the letters A:, B:, C:, D: and F: do not appear in the list.
-
Drops file in Program Files directory 64 IoCs
description: File opened for modification   Process: Logo1_.exe   (all 64 entries)
Every target is an existing executable (.exe) under Program Files, Program Files (x86) or the packaged-app store WindowsApps; the report records no file creation in these directories, only writes to files that were already there.
ioc:
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
C:\Program Files\Java\jdk-1.8\bin\klist.exe
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe
C:\Program Files\Java\jre-1.8\bin\kinit.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Java\jdk-1.8\bin\jstat.exe
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
C:\Program Files\Java\jre-1.8\bin\javacpl.exe
C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\pingsender.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe
C:\Program Files\Java\jre-1.8\bin\keytool.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe
C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
C:\Program Files\Mozilla Firefox\private_browsing.exe
C:\Program Files (x86)\Windows Media Player\wmpconfig.exe
C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
C:\Program Files (x86)\Windows Media Player\wmpshare.exe
C:\Program Files\Java\jdk-1.8\bin\xjc.exe
C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe
C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
-
Drops file in Windows directory 2 IoCs
description   ioc                    Process
File created  C:\Windows\Logo1_.exe  36bd4933ec5fdb10a5914ef3ff319e60.exe
File created  C:\Windows\vDll.dll    Logo1_.exe
-
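Sandbox exports like the three file-activity tables above often arrive as one run-on string ("File opened for modification <path> <process> File opened ..."), which is awkward to feed into a triage note or a hunting query. The following is an added example (our code, not part of the report or of the sandbox) that parses that flattened form back into records and summarizes what a responder wants from it: which drive letters were probed, which product directories had executables opened for write, whether every write target was an .exe, and which files were created by which process. The embedded input is a constructed excerpt of the report's text, not the full 64-entry list.

```python
import re
from collections import Counter

# Constructed excerpt of the report's flattened IoC text (abbreviated; not the full list).
FLAT_IOCS = (
    "File opened (read-only) \\??\\V: Logo1_.exe "
    "File opened (read-only) \\??\\Q: Logo1_.exe "
    "File opened for modification C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\LogTransport2.exe Logo1_.exe "
    "File opened for modification C:\\Program Files\\7-Zip\\7zFM.exe Logo1_.exe "
    "File opened for modification C:\\Program Files\\Java\\jdk-1.8\\bin\\jdeps.exe Logo1_.exe "
    "File created C:\\Windows\\Logo1_.exe 36bd4933ec5fdb10a5914ef3ff319e60.exe "
    "File created C:\\Windows\\vDll.dll Logo1_.exe"
)

# Paths contain spaces, so the path is matched lazily and the process name is the
# final token before the next "File " record (or the end of the string).
IOC_RE = re.compile(
    r"File (?P<action>opened \(read-only\)|opened for modification|created) "
    r"(?P<path>.+?) "
    r"(?P<process>\S+\.exe)"
    r"(?= File |$)"
)


def parse_iocs(text: str) -> list[dict]:
    """Split the run-on sandbox text into {action, path, process} records."""
    return [m.groupdict() for m in IOC_RE.finditer(text)]


def summarize(records: list[dict]) -> dict:
    """Reduce parsed records to the facts a triage note needs."""
    drives = sorted(
        r["path"].rsplit("\\", 1)[-1].rstrip(":")
        for r in records
        if r["action"] == "opened (read-only)" and r["path"].startswith("\\??\\")
    )
    modified = [r["path"] for r in records if r["action"] == "opened for modification"]
    created = [(r["path"], r["process"]) for r in records if r["action"] == "created"]
    # Third path component is the vendor/product directory under Program Files.
    by_product = Counter(p.split("\\")[2] for p in modified)
    return {
        "drives": drives,
        "modified_exe_only": all(p.lower().endswith(".exe") for p in modified),
        "modified_by_product": dict(by_product),
        "created": created,
        "writers": sorted({r["process"] for r in records}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_iocs(FLAT_IOCS)).items():
        print(f"{key}: {value}")
```

Run against the full report text, the "modified_by_product" counter shows the spread across unrelated vendors that distinguishes indiscriminate executable tampering from an installer touching its own product directory.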
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid   Process
928   Logo1_.exe   (reported 16 times)
-
Suspicious use of WriteProcessMemory 14 IoCs
description                       pid   Process                               procid_target
PID 4016 wrote to memory of 1088  4016  36bd4933ec5fdb10a5914ef3ff319e60.exe  81   (3 events)
PID 4016 wrote to memory of 928   4016  36bd4933ec5fdb10a5914ef3ff319e60.exe  82   (3 events)
PID 928 wrote to memory of 2724   928   Logo1_.exe                            84   (3 events)
PID 2724 wrote to memory of 3180  2724  net.exe                               86   (3 events)
PID 1088 wrote to memory of 2968  1088  cmd.exe                               87   (2 events)
procid_target is the report's own process index, not a Windows PID (none of these values appear in the process tree); the target PID is the one named in the description. Every write here is from a parent into a child it has just created, which is what CreateProcess-then-inject looks like, but the table alone does not show whether the writes went beyond normal process start-up.
Processes
-
Indentation shows parent and child. PIDs match the WriteProcessMemory table above.

C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe   PID 4016
  command line: "C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe   PID 1088
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe   PID 2968
          command line: "C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe"
          - Executes dropped EXE

    C:\Windows\Logo1_.exe   PID 928
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe   PID 2724
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe   PID 3180
              command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

The command lines name system32 but the images run from SysWOW64: the sample is 32-bit (resource tag arch:x86) and WOW64 file-system redirection maps its system32 requests to SysWOW64 on this x64 image. In telemetry, match on the image path, not on the system32 string in the command line.
-
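The tree above is the shape a detection engineer wants to catch from process-creation telemetry: a payload executing directly from C:\Windows, a cmd.exe /c running a batch file out of %TEMP%, and net.exe / net1.exe stopping a security service, all attributable to one root process. The following is an added example (our code, not part of the report or of the sandbox) that replays the tree as constructed Sysmon-style events and runs three rules over them, walking parent links so each net stop is attributed to the submitted sample. The PIDs, images and command lines come from the report; the parent PIDs follow its tree and WriteProcessMemory table; ppid 0 for the sample, the security-service keyword list and the partial allowlist of legitimate C:\Windows executables are our assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR telemetry provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. ppid 0 stands in for the
# sandbox launcher, which the report does not show.
EVENTS: List[ProcEvent] = [
    ProcEvent(4016, 0, r"C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe"'),
    ProcEvent(1088, 4016, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat"),
    ProcEvent(2968, 1088, r"C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\36bd4933ec5fdb10a5914ef3ff319e60.exe"'),
    ProcEvent(928, 4016, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2724, 928, r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(3180, 2724, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Heuristic substrings marking a service as security software (ours, not exhaustive).
SECURITY_SERVICE_HINTS = ("antivirus", "anti-virus", "defender", "security", "protection", "endpoint")
# Executables that legitimately sit directly in C:\Windows on Windows 10 (partial allowlist, ours).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                          "hh.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}

# net / net1, bare or with a path, followed by: stop <service, optionally quoted>
NET_STOP_RE = re.compile(r'(?:^|\\)net1?(?:\.exe)?"?\s+stop\s+"?(?P<svc>[^"]+?)"?\s*$', re.I)
# cmd /c <path containing \Temp\ and ending in .bat>
TEMP_BATCH_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"?(?P<bat>\S*\\temp\\\S+\.bat)', re.I)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Follow parent links upward; child first, oldest known ancestor last. Cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def in_windows_root(image: str) -> bool:
    r"""True for C:\Windows\<file> with no further subdirectory."""
    parts = image.lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def detect(events: List[ProcEvent]) -> List[dict]:
    """Apply the three rules and attribute each net stop to the root of its process chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = e.image.lower().rsplit("\\", 1)[-1]
        m = NET_STOP_RE.search(e.cmdline)
        if m and any(h in m["svc"].lower() for h in SECURITY_SERVICE_HINTS):
            chain = ancestry(e.pid, by_pid)
            findings.append({
                "rule": "net_stop_security_service",
                "pid": e.pid,
                "service": m["svc"],
                "root_pid": chain[-1].pid,
                "root_image": chain[-1].image,
                # a C:\Windows-root binary in the chain ties the stop to the dropped payload
                "via_windows_root_binary": any(in_windows_root(c.image) for c in chain),
            })
        if in_windows_root(e.image) and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append({"rule": "unknown_exe_in_windows_root", "pid": e.pid, "image": e.image})
        b = TEMP_BATCH_RE.search(e.cmdline)
        if b:
            findings.append({"rule": "cmd_runs_temp_batch", "pid": e.pid, "batch": b["bat"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The net stop is matched by command line on both net.exe and net1.exe, since net.exe only forwards to net1.exe and some telemetry records one but not the other; the image path is tested rather than the system32 string in the command line, for the WOW64 reason noted above.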
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 750KB
MD5 a7b3865ba649fd66cd830878dea6c5f2
SHA1 949f6d0eeff7efc6da7dc5bc1f4dd6e092bf2e2b
SHA256 9fbc11a841eb1249c8635be81ad70286c0db9bc84fb51e32e584c7fff33469f7
SHA512 1ebe25a263a61cf5156f1e7f835142fc9bc68563ca6857730c4675cbde26788b3b24378921476bfad6e8cd2c1f01f22b2de88ce901ab169e48536341c827f60a
-
Filesize 530B
MD5 fcea7d5992b218ea555c16db40a70d4a
SHA1 5c4bfed2e28d8393eb19ad6796a5fd60a5d1ed46
SHA256 6d493cff154fe685914ac57c841f1a0ff34f1d3a01ec6b40796c6e5d0ad2412d
SHA512 0a6b062acd27c07e2084a21b3c6f13a8e88c411c3444e1525fc63de775c312f7ca4ad6c6eb41ce5cb7916d8bfa8d264c0be7828fe3f0a9b5884a1ab45ae53d49
-
Filesize 2.3MB
MD5 643c51fd99bb9be6929acd63f50a1f60
SHA1 2614e35d129468e0226abf4b82fc827f596915b6
SHA256 b266ca5c912404a50ddb09eecb65158471677335e0ee6bdb3a3896509f9296e9
SHA512 df54310775c19144a18eab4358203a59351ef138ff896d1a3646800f546c93e23ebfd1f4bbf105511d3065abb945c99a231e5144f8061c3dcdc8651d33858d6f
-
Filesize 66KB
MD5 a81c8cb12d60acf8c759fa71889799c6
SHA1 797ea1fb6f2704e56448db6ff0992d5bc322b4ad
SHA256 c8d74f72173f6a12145368db4df2d22522e58e06973e4360293fb6d83375079e
SHA512 c8ddf074f4d467e170211fbcbca12fbec25b8ebcf40c0969bc9e9130c12337e633e5d8000803c1dfccb9edd34756c8beb2af66edeb1b39905b46534e1ea9bd67
-
The report does not pair these four files with the paths written during the run (C:\Windows\Logo1_.exe, C:\Windows\vDll.dll, C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat), so the mapping has to be established from the files themselves. The 2.3MB entry matches the submitted sample's size but not its MD5 (36bd4933ec5fdb10a5914ef3ff319e60), so the file at the sample's path was not byte-identical to the submission at the end of the run.