2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524

Analysis

max time kernel
154s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe
Size

99KB
MD5

ceea6638b83ca939a0df100d39de574b
SHA1

0c2d176a1b2b8e051d9998173835c523a7a2efa0
SHA256

2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524
SHA512

b3c8e659ed51a04d8035ee38e548faea672db93d2e8ec8bf3206610783e2389a7680408d3a30bfe0b16bc8cc89776e3792956992691bc8531038938ec01647d5
SSDEEP

1536:xfgLdQAQfwt7FZJ92BsQCKBAR2pmU/BGhkp3szGPpbTDblnYVJV1PBs:xftffepVPn4ARXU/HZ9/D8Ds

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe
File created	C:\Windows\Logo1_.exe	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe
2632	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3012	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	28
PID 2036 wrote to memory of 3012	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	28
PID 2036 wrote to memory of 3012	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	28
PID 2036 wrote to memory of 3012	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	28
PID 2036 wrote to memory of 2632	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	30
PID 2036 wrote to memory of 2632	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	30
PID 2036 wrote to memory of 2632	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	30
PID 2036 wrote to memory of 2632	2036	2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe	30
PID 2632 wrote to memory of 2824	2632	Logo1_.exe	31
PID 2632 wrote to memory of 2824	2632	Logo1_.exe	31
PID 2632 wrote to memory of 2824	2632	Logo1_.exe	31
PID 2632 wrote to memory of 2824	2632	Logo1_.exe	31
PID 2824 wrote to memory of 2556	2824	net.exe	33
PID 2824 wrote to memory of 2556	2824	net.exe	33
PID 2824 wrote to memory of 2556	2824	net.exe	33
PID 2824 wrote to memory of 2556	2824	net.exe	33
PID 2632 wrote to memory of 1196	2632	Logo1_.exe	9
PID 2632 wrote to memory of 1196	2632	Logo1_.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe
  "C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB970.bat
    3⤵
    - Deletes itself
    PID:3012
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aB970.bat

Filesize
722B

MD5
1b0dbbcd259a81e268fbd4472f439d81

SHA1
a17c0d024704171837eca4f86149684ee4e0dde2

SHA256
39125e2afa4c0045c95f4a38683ce694928b45b6720e94fba30adae9e8054a55

SHA512
57252a5a84ffaac6efef84d65e01186479ed98f7a5953ee4ba467f848efc4f3f3dda7dc472818f3c74272b6c57b05bdcf80f5251f9be40f3038f20bccfa816b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB970.bat

Filesize
722B

MD5
1b0dbbcd259a81e268fbd4472f439d81

SHA1
a17c0d024704171837eca4f86149684ee4e0dde2

SHA256
39125e2afa4c0045c95f4a38683ce694928b45b6720e94fba30adae9e8054a55

SHA512
57252a5a84ffaac6efef84d65e01186479ed98f7a5953ee4ba467f848efc4f3f3dda7dc472818f3c74272b6c57b05bdcf80f5251f9be40f3038f20bccfa816b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dbb8d0990103bf4776bc627e8b41de2630053cc67533ed38d5d05b3da195524.exe.exe

Filesize
73KB

MD5
a2f63aa3630f40b95ea45dca951a6785

SHA1
80f8cf7e7134682e661b1bbc08979d14bce13793

SHA256
ecb8c2817df29a2c6d5057dae4a4ffb4a7bf4ae3e33aeca4be9f635c06f0380f

SHA512
5e35ad38e9852b489a77a6d5ad028c5645b6c6987a6fee2a660186c34afa6ffd6db1dd255fec3ea5a92dc462c02832c9ed10bfa1772f9fed9aa774774c6662d8

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8758044db9fce67ea2ad542f86e69e57

SHA1
60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

SHA256
0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

SHA512
411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8758044db9fce67ea2ad542f86e69e57

SHA1
60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

SHA256
0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

SHA512
411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8758044db9fce67ea2ad542f86e69e57

SHA1
60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

SHA256
0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

SHA512
411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
8758044db9fce67ea2ad542f86e69e57

SHA1
60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

SHA256
0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

SHA512
411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3185155662-718608226-894467740-1000\_desktop.ini

Filesize
10B

MD5
b00c1a89b15effd3d1fb2de4fdc7bee5

SHA1
0c3a4f06bcd397d1d3a63ab2ca05e64cc7ae554d

SHA256
0767fccea7e57d6427b0a9b440f28687f4b835409c5dcdeb337a479009222cd9

SHA512
b50a3c1df331ecd7dbbd88c202c7b7b8fe6ece8df96249d88f40138952fb3c523f6f133a2d12daa2fd892643b53e4c19b39bcb16ef810f789c996e00bad03bc0

Download Submit
memory/1196-59-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/2036-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2036-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-750-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-1675-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-63-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download