feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe
Size

434KB
MD5

231948659b7f4a720d4b6ae4d492694a
SHA1

cbfd1b17b0191e5d91f9bcf544b3f7694b60da38
SHA256

feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a
SHA512

7bd41a7b74b7044fdf4ab0db599e276d7b6e55c8c353dfaa22579333e267b2ee7e4e68f0c20ea1e18275b17721a9f22a9d3521f9b22d497ffe815efd08c17f68
SSDEEP

3072:AftffjmNID6O+JVo4G+a40mCy/uGK0qFYrRrvwNVN:AVfjmNE6xJHA40gIrIrvk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe
File created	C:\Windows\Logo1_.exe	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe
2912	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1772	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	28
PID 2212 wrote to memory of 1772	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	28
PID 2212 wrote to memory of 1772	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	28
PID 2212 wrote to memory of 1772	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	28
PID 2212 wrote to memory of 2912	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	30
PID 2212 wrote to memory of 2912	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	30
PID 2212 wrote to memory of 2912	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	30
PID 2212 wrote to memory of 2912	2212	feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe	30
PID 2912 wrote to memory of 2648	2912	Logo1_.exe	31
PID 2912 wrote to memory of 2648	2912	Logo1_.exe	31
PID 2912 wrote to memory of 2648	2912	Logo1_.exe	31
PID 2912 wrote to memory of 2648	2912	Logo1_.exe	31
PID 2648 wrote to memory of 2972	2648	net.exe	33
PID 2648 wrote to memory of 2972	2648	net.exe	33
PID 2648 wrote to memory of 2972	2648	net.exe	33
PID 2648 wrote to memory of 2972	2648	net.exe	33
PID 2912 wrote to memory of 1192	2912	Logo1_.exe	14
PID 2912 wrote to memory of 1192	2912	Logo1_.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe
  "C:\Users\Admin\AppData\Local\Temp\feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6049.bat
    3⤵
    - Deletes itself
    PID:1772
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a6049.bat

Filesize
722B

MD5
41b98cfe87efeacce8d1742f0e2fd2e1

SHA1
40e5b21aae36023481bc2cc115f6e055cce04868

SHA256
82496c054bd345a391d6590e2f5e7ac3a46b2c7b20aeaad7cb0c3f0b1abe291b

SHA512
b210cde1f0bc08da1015b32598cd5b3875256402e379de4b193245de0210e6f64f20cae1cc1b218493f1ad8594b3f8ec58bb8e6a7352d4a587c438e9ba81112e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6049.bat

Filesize
722B

MD5
41b98cfe87efeacce8d1742f0e2fd2e1

SHA1
40e5b21aae36023481bc2cc115f6e055cce04868

SHA256
82496c054bd345a391d6590e2f5e7ac3a46b2c7b20aeaad7cb0c3f0b1abe291b

SHA512
b210cde1f0bc08da1015b32598cd5b3875256402e379de4b193245de0210e6f64f20cae1cc1b218493f1ad8594b3f8ec58bb8e6a7352d4a587c438e9ba81112e

Download Submit
C:\Users\Admin\AppData\Local\Temp\feeec515641c4924a617431ee694000d5f4e5cb4d328678b3130237653f9979a.exe.exe

Filesize
407KB

MD5
62ca5fc8100cc18744bf1aca9c9c6cc6

SHA1
c12de09b42457a8a0e4b95409fcdf936a7177f1f

SHA256
4e0401f6c7937d83daf96b5860f8e79e2e226a1733ee499c6f5982ac90edfc45

SHA512
a9c1524d4a3687a1ce03f096fb08c088e5aeb5962a08748c0be82e7d4112586fe3b7a790dd481d481ea84c4bb760cccb78d8b4f25e7735dcdf22bc1a988b058f

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ed556e19d17001e2e3acc54fa3494e44

SHA1
ff4ca1d69ea9cadc7e0437e823ff1d15ce2ae8d9

SHA256
d451cd578e3d5b6bd97862a617dde8099803e219409f4c8124da772aed6ff65b

SHA512
64de143fafa7066f1f28d63907fb3e287125a76a13ef8b0ed6c2de1d921697297b751b9e2838ed413fbc532d7a2fc7df486c13dc17c80f5e15d99a20f1a0301a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ed556e19d17001e2e3acc54fa3494e44

SHA1
ff4ca1d69ea9cadc7e0437e823ff1d15ce2ae8d9

SHA256
d451cd578e3d5b6bd97862a617dde8099803e219409f4c8124da772aed6ff65b

SHA512
64de143fafa7066f1f28d63907fb3e287125a76a13ef8b0ed6c2de1d921697297b751b9e2838ed413fbc532d7a2fc7df486c13dc17c80f5e15d99a20f1a0301a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ed556e19d17001e2e3acc54fa3494e44

SHA1
ff4ca1d69ea9cadc7e0437e823ff1d15ce2ae8d9

SHA256
d451cd578e3d5b6bd97862a617dde8099803e219409f4c8124da772aed6ff65b

SHA512
64de143fafa7066f1f28d63907fb3e287125a76a13ef8b0ed6c2de1d921697297b751b9e2838ed413fbc532d7a2fc7df486c13dc17c80f5e15d99a20f1a0301a

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ed556e19d17001e2e3acc54fa3494e44

SHA1
ff4ca1d69ea9cadc7e0437e823ff1d15ce2ae8d9

SHA256
d451cd578e3d5b6bd97862a617dde8099803e219409f4c8124da772aed6ff65b

SHA512
64de143fafa7066f1f28d63907fb3e287125a76a13ef8b0ed6c2de1d921697297b751b9e2838ed413fbc532d7a2fc7df486c13dc17c80f5e15d99a20f1a0301a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3513876443-2771975297-1923446376-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/1192-27-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2212-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2212-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-883-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download