a83dc3947ccdea789fa77a778c180fb315dd72dc686a62507ca73a790723f06a

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

489b34427f1d1617f27dcdb18231df30N.exe
Size

411KB
MD5

489b34427f1d1617f27dcdb18231df30
SHA1

4b1bcdd4054e042827ff93c05ad638c3b21ccef2
SHA256

a83dc3947ccdea789fa77a778c180fb315dd72dc686a62507ca73a790723f06a
SHA512

337b4740d896276e0cfde18faed210e03461a5691d0537112975cf5eae6754295a724cc4a16de38d388ddd762a5c7222f6f76d5385c11ac79ea223698d855708
SSDEEP

6144:XLZ/JdK0RsrJ3n0dK2NP0RHx8D98WTBPW8fF8oABm1nKE:1/JjqwKhHSDeWTRW8fdebE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4008	Logo1_.exe
3520	489b34427f1d1617f27dcdb18231df30N.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	489b34427f1d1617f27dcdb18231df30N.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe
4008	Logo1_.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4916	4864	489b34427f1d1617f27dcdb18231df30N.exe	84
PID 4864 wrote to memory of 4916	4864	489b34427f1d1617f27dcdb18231df30N.exe	84
PID 4864 wrote to memory of 4916	4864	489b34427f1d1617f27dcdb18231df30N.exe	84
PID 4864 wrote to memory of 4008	4864	489b34427f1d1617f27dcdb18231df30N.exe	85
PID 4864 wrote to memory of 4008	4864	489b34427f1d1617f27dcdb18231df30N.exe	85
PID 4864 wrote to memory of 4008	4864	489b34427f1d1617f27dcdb18231df30N.exe	85
PID 4008 wrote to memory of 4524	4008	Logo1_.exe	87
PID 4008 wrote to memory of 4524	4008	Logo1_.exe	87
PID 4008 wrote to memory of 4524	4008	Logo1_.exe	87
PID 4524 wrote to memory of 2560	4524	net.exe	89
PID 4524 wrote to memory of 2560	4524	net.exe	89
PID 4524 wrote to memory of 2560	4524	net.exe	89
PID 4916 wrote to memory of 3520	4916	cmd.exe	90
PID 4916 wrote to memory of 3520	4916	cmd.exe	90
PID 4916 wrote to memory of 3520	4916	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\489b34427f1d1617f27dcdb18231df30N.exe
"C:\Users\Admin\AppData\Local\Temp\489b34427f1d1617f27dcdb18231df30N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0B4.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\489b34427f1d1617f27dcdb18231df30N.exe
    "C:\Users\Admin\AppData\Local\Temp\489b34427f1d1617f27dcdb18231df30N.exe"
    3⤵
    - Executes dropped EXE
    PID:3520
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
750KB

MD5
4016c5a6d7efeddaada12e6ceceb438f

SHA1
006d6ce23e29617d55c8dcaa13cba9f69c28889c

SHA256
facfb7e0bef373dfa13f14407dfff29ceadb9f1de947571a779f5264243eac7b

SHA512
bcd38d28505dac5cfed75506b4b5a1852b15add621491c73855749529be04fd40a92c4c871d58d0dbfc56c0935559611c4261071e23f37df441701560588bd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA0B4.bat

Filesize
536B

MD5
c9b7935fe58fe244ea4a63dcae2d4e30

SHA1
3516b822722fedeaa40b920ed3555be643f60e26

SHA256
4d6ae7501eab493d1ef40a2d23eb8468cb5a61adbe3f6b00d5b9a3c23a3808cf

SHA512
8e8d060ead825f0ebecb24cfb9b00079a6366e42b5f72af24092b7f63d5b93352a3173e577495c8aad14e37f0187ca4ada8a4c8cda0fb52ec136f2563e320769

Download Submit
C:\Users\Admin\AppData\Local\Temp\489b34427f1d1617f27dcdb18231df30N.exe.exe

Filesize
345KB

MD5
6623abd95d6ca5b4e9d78570d1e531ad

SHA1
dd734ce4057e98af82197af22a436b3ae05e1af9

SHA256
db197e4e2d60b8161a5cf5c41a9d3d1d5cc694c19fe96d71e33747dd20c1d4b3

SHA512
77624baf530a198eeb708b5d28cd536a8314101a23e8b9570699f35d4d962f47e1537ee283efb09eabaef4cf5c0523a9388d37a64f9e926c580028454d65d45f

Download Submit
C:\Windows\Logo1_.exe

Filesize
66KB

MD5
9489ba70ef0f9bfa69ec3a793b5b5387

SHA1
9fac7e42cb96b825ec1b0e4eec39ff23506efb4b

SHA256
8a40ccad0bedf960ec09b5a428767e471354cc6a06c50613670a6fbf862bfa84

SHA512
976d522c5e355ba8138fb58adbac4632bf9bb84a441c8f071e20ce875e0ac1ba39419fbd68e4691f2308c9d5786623674738b0052b6743ea05a038a8ac90c088

Download Submit
memory/4008-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-154-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4008-218-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4864-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download