abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

Analysis

max time kernel
203s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan/5.exe
Size

1.1MB
MD5

1d13e667dbcf6a1ec0d0cacfbf1397ca
SHA1

709eaeb8969ac6e3da0bb41348e0369245147d66
SHA256

bb7eed4a124277973d985fc52e066f66e075181c337fa61de918a6d1b498ac8e
SHA512

a02bbb787e27a1ab25ad8f6bc6c9f6934859027ac23c4427d6385ea75ac0f73ee76853418200055e97b2ad3b2c4be90f19e1fcfd77b4d9cd93491cce4f2b102d

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe5.exe

pid process

1936 Logo1_.exe
1960 5.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\trojan\5.exe.exe	upx
\Users\Admin\AppData\Local\Temp\trojan\5.exe	upx
C:\Users\Admin\AppData\Local\Temp\trojan\5.exe	upx
behavioral11/memory/1960-68-0x0000000000400000-0x0000000000775000-memory.dmp	upx
behavioral11/memory/1960-72-0x0000000000400000-0x0000000000775000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe

pid	process
1396	cmd.exe

pid	process
1396	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

5.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	5.exe
File created	C:\Windows\Logo1_.exe	5.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe
1936	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 2000 wrote to memory of 1396	2000	5.exe	cmd.exe
PID 2000 wrote to memory of 1396	2000	5.exe	cmd.exe
PID 2000 wrote to memory of 1396	2000	5.exe	cmd.exe
PID 2000 wrote to memory of 1396	2000	5.exe	cmd.exe
PID 2000 wrote to memory of 1936	2000	5.exe	Logo1_.exe
PID 2000 wrote to memory of 1936	2000	5.exe	Logo1_.exe
PID 2000 wrote to memory of 1936	2000	5.exe	Logo1_.exe
PID 2000 wrote to memory of 1936	2000	5.exe	Logo1_.exe
PID 1936 wrote to memory of 1744	1936	Logo1_.exe	net.exe
PID 1936 wrote to memory of 1744	1936	Logo1_.exe	net.exe
PID 1936 wrote to memory of 1744	1936	Logo1_.exe	net.exe
PID 1936 wrote to memory of 1744	1936	Logo1_.exe	net.exe
PID 1396 wrote to memory of 1960	1396	cmd.exe	5.exe
PID 1396 wrote to memory of 1960	1396	cmd.exe	5.exe
PID 1396 wrote to memory of 1960	1396	cmd.exe	5.exe
PID 1396 wrote to memory of 1960	1396	cmd.exe	5.exe
PID 1744 wrote to memory of 1692	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1692	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1692	1744	net.exe	net1.exe
PID 1744 wrote to memory of 1692	1744	net.exe	net1.exe
PID 1936 wrote to memory of 1300	1936	Logo1_.exe	Explorer.EXE
PID 1936 wrote to memory of 1300	1936	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\trojan\5.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\5.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a742.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\trojan\5.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\5.exe"
4⤵
- Executes dropped EXE
PID:1960

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a742.bat
Filesize
378B

MD5
f3bb48b56bde7841e3a1fc5f2eeb2efa

SHA1
bb203ae092324a34521344829bf63145b2c59a93

SHA256
2200e5a607cb7df559d0dd7593cb7d7d0886c054f5d8b76f3f79f10bed6aecfd

SHA512
4c6e7ab9aff8527a8e03451e54d8ec7cf106fd69037cddb37169959087696c5d852a355199ee6a217e730fdf2d56288704f1b9aa3d25456a9969772a6f4b0f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan\5.exe
Filesize
1.1MB

MD5
8507edd2a984820273b1649707fac1a1

SHA1
436744c85a49d16574324fc9170dc43f9bb28123

SHA256
1e15a36a769b697c7e74862b8547808a3908f0c3ff57ba107257d6aac252dbb6

SHA512
101a15f48d91f29b82ceba9c3c9ceda07d208802614eea8a130a076324369589420469624b02aee1174a8fc1e0895af5d15df26042368cec3570b8d166fd0ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan\5.exe.exe
Filesize
1.1MB

MD5
8507edd2a984820273b1649707fac1a1

SHA1
436744c85a49d16574324fc9170dc43f9bb28123

SHA256
1e15a36a769b697c7e74862b8547808a3908f0c3ff57ba107257d6aac252dbb6

SHA512
101a15f48d91f29b82ceba9c3c9ceda07d208802614eea8a130a076324369589420469624b02aee1174a8fc1e0895af5d15df26042368cec3570b8d166fd0ff4

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
dc52b29739bc2a3095d04f309def1f2c

SHA1
95af9562790393d727b5e4f4c33870b95083aa11

SHA256
81f6f7c8c07dede2c8bff3f3143eba6ef228b1b9f16a79bc529bc003a56b0ca8

SHA512
28c3f848acae11097023ed7cee538b52791f22879279f3e479941a4f7cdd7fcfce013ee15e6b194054ecaf4c50c3a25162a343b92fa02ce21a7816f398f1db94

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
dc52b29739bc2a3095d04f309def1f2c

SHA1
95af9562790393d727b5e4f4c33870b95083aa11

SHA256
81f6f7c8c07dede2c8bff3f3143eba6ef228b1b9f16a79bc529bc003a56b0ca8

SHA512
28c3f848acae11097023ed7cee538b52791f22879279f3e479941a4f7cdd7fcfce013ee15e6b194054ecaf4c50c3a25162a343b92fa02ce21a7816f398f1db94

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
dc52b29739bc2a3095d04f309def1f2c

SHA1
95af9562790393d727b5e4f4c33870b95083aa11

SHA256
81f6f7c8c07dede2c8bff3f3143eba6ef228b1b9f16a79bc529bc003a56b0ca8

SHA512
28c3f848acae11097023ed7cee538b52791f22879279f3e479941a4f7cdd7fcfce013ee15e6b194054ecaf4c50c3a25162a343b92fa02ce21a7816f398f1db94

Download Submit
\Users\Admin\AppData\Local\Temp\trojan\5.exe
Filesize
1.1MB

MD5
8507edd2a984820273b1649707fac1a1

SHA1
436744c85a49d16574324fc9170dc43f9bb28123

SHA256
1e15a36a769b697c7e74862b8547808a3908f0c3ff57ba107257d6aac252dbb6

SHA512
101a15f48d91f29b82ceba9c3c9ceda07d208802614eea8a130a076324369589420469624b02aee1174a8fc1e0895af5d15df26042368cec3570b8d166fd0ff4

Download Submit
memory/1396-66-0x0000000002240000-0x00000000025B5000-memory.dmp

Filesize
3.5MB

Download
memory/1396-71-0x0000000002240000-0x00000000025B5000-memory.dmp

Filesize
3.5MB

Download
memory/1396-54-0x0000000000000000-mapping.dmp

Download
memory/1692-70-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/1936-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-56-0x0000000000000000-mapping.dmp

Download
memory/1936-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-68-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/1960-67-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1960-64-0x0000000000000000-mapping.dmp

Download
memory/1960-72-0x0000000000400000-0x0000000000775000-memory.dmp

Filesize
3.5MB

Download
memory/2000-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads