b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe
Size

384KB
MD5

05742fbc0a4036981dff8f7cf5a3b0e6
SHA1

809a4562d77120cdd87fedea22b664f033f2acd7
SHA256

b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62
SHA512

8e282467ad8ba9e8d9363b01d40628f38352ea403e15652386719ee05c1792650bebc069eb57febab7f94813ab72eebd3bc04dddc793ce2f224d676b888d6b96
SSDEEP

6144:JuJtBjQ2xL9L5e6j9MfpMQkjkPNWEXzVGBJh:I7L9L5GfpM7Y1VUJh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe
File created	C:\Windows\Logo1_.exe	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe
1680	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2228	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	28
PID 2504 wrote to memory of 2228	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	28
PID 2504 wrote to memory of 2228	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	28
PID 2504 wrote to memory of 2228	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	28
PID 2504 wrote to memory of 1680	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	30
PID 2504 wrote to memory of 1680	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	30
PID 2504 wrote to memory of 1680	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	30
PID 2504 wrote to memory of 1680	2504	b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe	30
PID 1680 wrote to memory of 1156	1680	Logo1_.exe	31
PID 1680 wrote to memory of 1156	1680	Logo1_.exe	31
PID 1680 wrote to memory of 1156	1680	Logo1_.exe	31
PID 1680 wrote to memory of 1156	1680	Logo1_.exe	31
PID 1156 wrote to memory of 2896	1156	net.exe	33
PID 1156 wrote to memory of 2896	1156	net.exe	33
PID 1156 wrote to memory of 2896	1156	net.exe	33
PID 1156 wrote to memory of 2896	1156	net.exe	33
PID 1680 wrote to memory of 1248	1680	Logo1_.exe	13
PID 1680 wrote to memory of 1248	1680	Logo1_.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe
  "C:\Users\Admin\AppData\Local\Temp\b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7DE7.bat
    3⤵
    - Deletes itself
    PID:2228
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0b0dac311401ff1b6c3a092116a26c2b

SHA1
2a19d8ac6941b308707d87242033d4b628691daa

SHA256
3ad8d5c2568c0022db72b64c9ca050cb18165605f0ad597f53021955f36eae47

SHA512
a82a4a766b2a2d7badbc4d2de184031423ebe03fa73101b847085866d774386af5b69623c850150f5d36f45b3adfd53fccbdbe17a7041d01734ca8b0c24177d2

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1acab96f0606ad7bd3a2bee2a44b724f

SHA1
dc5222756c51253ecb6e8bede2f96ad1ce439dc7

SHA256
aeb047330557f3b635885ceaed77cf5733e7ab9cbeedf0df4382c7d26a73c66f

SHA512
f9a3a7d216bbfb99cb1b069f112221685bbd5f20aafc54796dcfe4792b9f81abe2c6bc26d0d9f35cefaf4fe9bf300332d7715b8efdd6ef0ed67e4c0f1d61db53

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7DE7.bat

Filesize
722B

MD5
5fd5e5e94a367e4b1c0d74f65110e72b

SHA1
b1593f6591cd249473f505053fe5b84ea6e0aeed

SHA256
527b6049eeca1641f19de507ff9d40fc7f79e5b6b456f1e8900d705864d8204a

SHA512
63bc854d1d016a703ea98c46b3da9a47c9dafee2a16586b85035e81f47d265f54acc2ecb8a2cfbc603739a552722f96cebe43ed83a70d64f86a7a25e31de9cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7DE7.bat

Filesize
722B

MD5
5fd5e5e94a367e4b1c0d74f65110e72b

SHA1
b1593f6591cd249473f505053fe5b84ea6e0aeed

SHA256
527b6049eeca1641f19de507ff9d40fc7f79e5b6b456f1e8900d705864d8204a

SHA512
63bc854d1d016a703ea98c46b3da9a47c9dafee2a16586b85035e81f47d265f54acc2ecb8a2cfbc603739a552722f96cebe43ed83a70d64f86a7a25e31de9cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\b885b6b34a016cc5d2f23d54a0ac169b44a69b5fa9e34ff2f1cc37c6e0393c62.exe.exe

Filesize
354KB

MD5
cea1ec5c3f5df72ffc043707ddc8f812

SHA1
9368633df5d61dc43ba034cc30e316e26f54b44f

SHA256
6ecda38015ea84688cf3a60baee335d0df6ca8806afc4e695c192f224c124da4

SHA512
fa239c447fc97fb9b037de254aa2f2d5e320b5b2da5bbdefeeaa13b37d361cc5718c9c93fe83fec15ec7a5a04284f8ef1a0ddc2c1fa49338e59cb0b5176adc2f

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
d0a661a02bca60ec3c2b4435aaba7432

SHA1
8a6f7729f2323bcd99c9b5c5c960b3627c8bfd0e

SHA256
27bbde16b6b816535421e10e5b4ddcd11d679e740f2cc66707ddc5c7234829d0

SHA512
289a5b28c9ed0e83e2b1ed4230a24d1daae743e0e816e2f3de30eb3ecf6b4b65c6b44ecbc9e07d70f0057b4efec3138b8e398beb928afab11647443ac55887bb

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
d0a661a02bca60ec3c2b4435aaba7432

SHA1
8a6f7729f2323bcd99c9b5c5c960b3627c8bfd0e

SHA256
27bbde16b6b816535421e10e5b4ddcd11d679e740f2cc66707ddc5c7234829d0

SHA512
289a5b28c9ed0e83e2b1ed4230a24d1daae743e0e816e2f3de30eb3ecf6b4b65c6b44ecbc9e07d70f0057b4efec3138b8e398beb928afab11647443ac55887bb

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
d0a661a02bca60ec3c2b4435aaba7432

SHA1
8a6f7729f2323bcd99c9b5c5c960b3627c8bfd0e

SHA256
27bbde16b6b816535421e10e5b4ddcd11d679e740f2cc66707ddc5c7234829d0

SHA512
289a5b28c9ed0e83e2b1ed4230a24d1daae743e0e816e2f3de30eb3ecf6b4b65c6b44ecbc9e07d70f0057b4efec3138b8e398beb928afab11647443ac55887bb

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
d0a661a02bca60ec3c2b4435aaba7432

SHA1
8a6f7729f2323bcd99c9b5c5c960b3627c8bfd0e

SHA256
27bbde16b6b816535421e10e5b4ddcd11d679e740f2cc66707ddc5c7234829d0

SHA512
289a5b28c9ed0e83e2b1ed4230a24d1daae743e0e816e2f3de30eb3ecf6b4b65c6b44ecbc9e07d70f0057b4efec3138b8e398beb928afab11647443ac55887bb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4159544280-4273523227-683900707-1000\_desktop.ini

Filesize
9B

MD5
c0232c2f01c543d260713210da47a57b

SHA1
63f2c13c2c5c83091133c2802e69993d52e3ec65

SHA256
278e1b8fd3f40d95faaecf548098b8d9ee4b32e98a8878559c8c8dfcd5cd1197

SHA512
2ccfd67393a63f03f588296bb798d7a7d4ec2ea5d6ac486cb7bdf8a5a66b1df944d8b548f317e58bfe17dea2ae54e536ffe77bc11a43c931f3d10e299ab3fca0

Download Submit
memory/1248-27-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/1680-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-173-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-12-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2504-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download