6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
Size

3.1MB
MD5

0cbe14e9aca0103b29b6f6b588673be9
SHA1

f2c96166e1a463af5c2a500b5a213a8ff2a8ff43
SHA256

6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c
SHA512

2711cb899b9c1dda2fedbbc3b500edee9ab27241638392ef5c859d2e59692b81835264a1d427748b2a684878a870efdfa6ef444a20cba9e49906fbd9a78ec89f
SSDEEP

49152:W7ukCSbbYstGP3jg6hEXJJ1o9FuHje1cnklfu5A3cP:CkvEJ/cuHjeHu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1248	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	Logo1_.exe
2712	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
File created	C:\Windows\Logo1_.exe	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1248	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	28
PID 2208 wrote to memory of 1248	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	28
PID 2208 wrote to memory of 1248	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	28
PID 2208 wrote to memory of 1248	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	28
PID 2208 wrote to memory of 2172	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	30
PID 2208 wrote to memory of 2172	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	30
PID 2208 wrote to memory of 2172	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	30
PID 2208 wrote to memory of 2172	2208	6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe	30
PID 2172 wrote to memory of 2144	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2144	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2144	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2144	2172	Logo1_.exe	31
PID 2144 wrote to memory of 2980	2144	net.exe	34
PID 2144 wrote to memory of 2980	2144	net.exe	34
PID 2144 wrote to memory of 2980	2144	net.exe	34
PID 2144 wrote to memory of 2980	2144	net.exe	34
PID 2172 wrote to memory of 1264	2172	Logo1_.exe	7
PID 2172 wrote to memory of 1264	2172	Logo1_.exe	7

C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
"C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a51D8.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe
    "C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe"
    3⤵
    - Executes dropped EXE
    PID:2712
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2980

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a51D8.bat

Filesize
722B

MD5
e173da7d4bf1d6fd651f34d5443d9e61

SHA1
a172787c776147f7b6fa199b33d68581b5f3fa82

SHA256
869b0ae8e827e2dace19fb36cfe6e3413410b2af4272cfecf9893b6facda0bce

SHA512
174a281002c6f23991ae533a5ce606649c13e5ef2992897dfc06ddff7ba2458f81cc78d15df7e7d8e518ecb99fbc63da4c390317d2a4a9aa35375217d8937d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a51D8.bat

Filesize
722B

MD5
e173da7d4bf1d6fd651f34d5443d9e61

SHA1
a172787c776147f7b6fa199b33d68581b5f3fa82

SHA256
869b0ae8e827e2dace19fb36cfe6e3413410b2af4272cfecf9893b6facda0bce

SHA512
174a281002c6f23991ae533a5ce606649c13e5ef2992897dfc06ddff7ba2458f81cc78d15df7e7d8e518ecb99fbc63da4c390317d2a4a9aa35375217d8937d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe

Filesize
3.1MB

MD5
b17fe656921e74ac23534752dedca872

SHA1
c322cf96e2dee58f1e3c41cf14ac3d9d5887caf7

SHA256
0b7ca2d0761a3725cf7ea652386c3e97cbb97189e09fa4c9607272c371186a8e

SHA512
2b11f1e4471c8212593971916d8a50279566a681220b802d7c5935671b93b1a5eb94c076cd57684c48e948faa1529b4c00cf36d18b6fa08536831ffa6b6a4d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe.exe

Filesize
3.1MB

MD5
b17fe656921e74ac23534752dedca872

SHA1
c322cf96e2dee58f1e3c41cf14ac3d9d5887caf7

SHA256
0b7ca2d0761a3725cf7ea652386c3e97cbb97189e09fa4c9607272c371186a8e

SHA512
2b11f1e4471c8212593971916d8a50279566a681220b802d7c5935671b93b1a5eb94c076cd57684c48e948faa1529b4c00cf36d18b6fa08536831ffa6b6a4d3b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
72ee62aa96d51b3a02f9cfaf30828cd9

SHA1
6b558f8efffb2126da7bdcc97666231d72468100

SHA256
85adecf849ee286858e3d639c57ee0acab6c4bba12f6cc74ea99ed6dc7941918

SHA512
af28159202957a1dbde14b276333cef978efb0125e913bf1a6838e22d1873271ccec42f7a7b8293b81d73758545c7aa178a3429ec22744719868eed72da05079

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
72ee62aa96d51b3a02f9cfaf30828cd9

SHA1
6b558f8efffb2126da7bdcc97666231d72468100

SHA256
85adecf849ee286858e3d639c57ee0acab6c4bba12f6cc74ea99ed6dc7941918

SHA512
af28159202957a1dbde14b276333cef978efb0125e913bf1a6838e22d1873271ccec42f7a7b8293b81d73758545c7aa178a3429ec22744719868eed72da05079

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
72ee62aa96d51b3a02f9cfaf30828cd9

SHA1
6b558f8efffb2126da7bdcc97666231d72468100

SHA256
85adecf849ee286858e3d639c57ee0acab6c4bba12f6cc74ea99ed6dc7941918

SHA512
af28159202957a1dbde14b276333cef978efb0125e913bf1a6838e22d1873271ccec42f7a7b8293b81d73758545c7aa178a3429ec22744719868eed72da05079

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
72ee62aa96d51b3a02f9cfaf30828cd9

SHA1
6b558f8efffb2126da7bdcc97666231d72468100

SHA256
85adecf849ee286858e3d639c57ee0acab6c4bba12f6cc74ea99ed6dc7941918

SHA512
af28159202957a1dbde14b276333cef978efb0125e913bf1a6838e22d1873271ccec42f7a7b8293b81d73758545c7aa178a3429ec22744719868eed72da05079

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-607259312-1573743425-2763420908-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
\Users\Admin\AppData\Local\Temp\6112028771422c85b77046df3dd573463b642e4c1610a7b5552b528645cba21c.exe

Filesize
3.1MB

MD5
b17fe656921e74ac23534752dedca872

SHA1
c322cf96e2dee58f1e3c41cf14ac3d9d5887caf7

SHA256
0b7ca2d0761a3725cf7ea652386c3e97cbb97189e09fa4c9607272c371186a8e

SHA512
2b11f1e4471c8212593971916d8a50279566a681220b802d7c5935671b93b1a5eb94c076cd57684c48e948faa1529b4c00cf36d18b6fa08536831ffa6b6a4d3b

Download Submit
memory/1264-29-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2172-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-1853-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-1034-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-18-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2208-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download