0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Size

905KB
MD5

99a2658988fcbeeb6e5be4dca4716b71
SHA1

6fdb11cfadcebc9e9e9f82e75d8b9ec763fe52ea
SHA256

0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156
SHA512

1927a6a1b192b7e52d30725ef464b48da33d11ce81b82238068084a4302aee77e2572968d923563db5a80e101f093785a2297504b891d18f983cf2056616cd5f
SSDEEP

24576:X7mlPWOOMqdk/iHmR208IOJ0oCj5BMwoV1k9CcPJ:X7KWyqiaGR20S0o6fMwojk9CmJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4512	Logo1_.exe
2640	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Crashpad\attachments\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
2640	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
2640	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe
4512	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4792	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	84
PID 3388 wrote to memory of 4792	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	84
PID 3388 wrote to memory of 4792	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	84
PID 3388 wrote to memory of 4512	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	85
PID 3388 wrote to memory of 4512	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	85
PID 3388 wrote to memory of 4512	3388	0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe	85
PID 4512 wrote to memory of 2808	4512	Logo1_.exe	87
PID 4512 wrote to memory of 2808	4512	Logo1_.exe	87
PID 4512 wrote to memory of 2808	4512	Logo1_.exe	87
PID 2808 wrote to memory of 3916	2808	net.exe	89
PID 2808 wrote to memory of 3916	2808	net.exe	89
PID 2808 wrote to memory of 3916	2808	net.exe	89
PID 4792 wrote to memory of 2640	4792	cmd.exe	90
PID 4792 wrote to memory of 2640	4792	cmd.exe	90
PID 4792 wrote to memory of 2640	4792	cmd.exe	90
PID 4512 wrote to memory of 3428	4512	Logo1_.exe	56
PID 4512 wrote to memory of 3428	4512	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
  "C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA306.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe
      "C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2640
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
24f767818a4eec0fb3bf5af33cc879df

SHA1
c0b1caa9bde205d5cbf3f2e525c66ea30e0fb4f4

SHA256
833fa483fd307e6b60fbfd2eeff211d79fe2b6f1935ee3e06cdfaa19632ff4d3

SHA512
ae7aafbdc5adc62dbf93277b622fb9cc2bd589907e860701d63746be16c5ec865353e7e01463e9cbbd67725fa8e882a010e8abb89365fd9e650d3fd2a1c3c946

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
570KB

MD5
34f5f360df86940c3814b5629ccdd1fe

SHA1
1b3b4bbc216494eb9619e3e4af1cd1ab80f71fb3

SHA256
e6269fc768a2362a9f557dc109d8cd0aa4327dc5cae085874a3d48c00df207c2

SHA512
4a77b48df5cf413322f2aae9512097985092546cda0da142b86af242d933d60085b0afb08a066dedd8aa41f6b13599411648f1ba98164e08e4e37bd158943668

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA306.bat

Filesize
722B

MD5
a44b5a665b73d68b2b90e606440cf8df

SHA1
03f8f98028d1c52d18b2792dc0908e2bb602932b

SHA256
0b0a2e25823ef5741f23be80967c9b7e6a0dcdcc596a7e18bfff55e29667ad21

SHA512
2eecb2ec40707e728c0d1ccdbf678cf603ad186422c71cc861d945f34b3a2bdc4247b73ee1c55f35bce17ca0a422f2ccb1f0f7fffbdfdceecd4c3f280a00a66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ffc2b1804f965571d224af91aa5680649ae0acd2ff1837fb86e07f9df957156.exe.exe

Filesize
879KB

MD5
cfca81243713de5d6e6e6653bd01f25e

SHA1
2d4e583b452a664a8fad657497799210df2527d3

SHA256
38afb7a96e6e05d0fa8aa6c651a080dc9b4e610d72c35ec04a222ab3f5f182cb

SHA512
b6f5b78783472f33a63b51618be95007ad1c1d203a7323e75d58dafd672004d7f72c50f9614d2f71250ecd671ce3650227d543eabb838090d0de2d2f7aa84698

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
e8ad4adb6a386853a8f6d32cb50c8044

SHA1
a44fcfb9b66ace9ac65d1aef71d4c0034bd72bc9

SHA256
63809d018fd7b0f5a9fc15abccd646c3fc8dc5a4a5cfd2117b38a4da4864658e

SHA512
f76ba72cebf8a938c4bc54d263dcf7c1e2b165846c504a3b38efdb0328f98c57944ead1ea5f3a397c09142b37b1a0fc6f3ea5f0f909643808be3a89963beda46

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/2640-18-0x00000000006C0000-0x00000000007D4000-memory.dmp

Filesize
1.1MB

Download
memory/2640-21-0x00000000006C0000-0x00000000007D4000-memory.dmp

Filesize
1.1MB

Download
memory/3388-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-1243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-4806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-5253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download