a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a

Resubmissions

21/10/2023, 08:30

231021-kd4neafa63 7

Analysis

max time kernel
152s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe
Size

9.3MB
MD5

919bbdde8fad68e97083e83aba59d31a
SHA1

96d87e5f50eb9fa61df82c1ebd1e0c1a52787805
SHA256

a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a
SHA512

cee7efda2c751bb490d999ce6ce4fb3013448dc3c2280c8e69fbd84ce6063e2b670a5539e8875fff4b69133174b56ac576912d1f9524aae38a512d94c912c7c4
SSDEEP

98304:VxfZeZiONXe0cK7jfI60f8BYNg3kQVLPXnmGLH376+MyUXnby:VNZekOte0cifXmZNg0ILPXnmGDm3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{C12E5921-F58C-48D2-8296-7A848CE8B130}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe
File created	C:\Windows\Logo1_.exe	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2068	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	28
PID 2768 wrote to memory of 2068	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	28
PID 2768 wrote to memory of 2068	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	28
PID 2768 wrote to memory of 2068	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	28
PID 2768 wrote to memory of 2584	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	30
PID 2768 wrote to memory of 2584	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	30
PID 2768 wrote to memory of 2584	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	30
PID 2768 wrote to memory of 2584	2768	a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe	30
PID 2584 wrote to memory of 2840	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2840	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2840	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2840	2584	Logo1_.exe	31
PID 2840 wrote to memory of 2616	2840	net.exe	33
PID 2840 wrote to memory of 2616	2840	net.exe	33
PID 2840 wrote to memory of 2616	2840	net.exe	33
PID 2840 wrote to memory of 2616	2840	net.exe	33
PID 2584 wrote to memory of 1372	2584	Logo1_.exe	6
PID 2584 wrote to memory of 1372	2584	Logo1_.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe
  "C:\Users\Admin\AppData\Local\Temp\a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8269.bat
    3⤵
    - Deletes itself
    PID:2068
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
23f9a9e8d92f32e07b8dc55e027848e2

SHA1
867f0e1b38ad46c4e15524524a852e22b37a78c5

SHA256
36fbbfddae0194154eb4c90a4d0e79c2a89ca8baf5bd10306b8caf2b170664f6

SHA512
dd5ade2ead58f3727a864c57992257e7eba77cdac3d958d0d87cf136f09ee8fa9436bdda88aed1a6afddd9d27fffde2e4fee10dc19a60f377a6f592ed2bac5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8269.bat

Filesize
722B

MD5
1678791c967e5560b07ce84a9919cb08

SHA1
e7d590671ff848d694aed88286de33493384f511

SHA256
061125405eddf5954fc72c2b6479c5677da90ac15709586a4a9c211b5e0b98b2

SHA512
6dc2b3a22ca48f6c56405ee373dea48aa25583714b7e9c4b3f80ba7ce81975e79f59d785b2f94979f8e879c48d909d5415f9e154afc560756b04e617724f368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8269.bat

Filesize
722B

MD5
1678791c967e5560b07ce84a9919cb08

SHA1
e7d590671ff848d694aed88286de33493384f511

SHA256
061125405eddf5954fc72c2b6479c5677da90ac15709586a4a9c211b5e0b98b2

SHA512
6dc2b3a22ca48f6c56405ee373dea48aa25583714b7e9c4b3f80ba7ce81975e79f59d785b2f94979f8e879c48d909d5415f9e154afc560756b04e617724f368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a60cf40875658bd2c90ad2e0e1593e4bdfea3e1220fb14977792c46821e1a09a.exe.exe

Filesize
9.3MB

MD5
b86f86ef5c09df3336638ad99b7c0c0f

SHA1
0428ad68c4dd86cebf917582d9de21ad2bdac97f

SHA256
3ef229a273ff767f0dbc891329fa906455e8f696beb5b6611efe9d6f657d7ced

SHA512
cd3ef6725bbc15c2090f3eee10af01766030a428ec39e8dab8f0174961e9aaef1a573fdbba3f7db0e251c5888a83b701cfab8055b28c30474405c2b00e826f97

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b1d0156c130f4bb18a18cf4e8a8d5d5a

SHA1
f13f808d5bbe47f71cfeaa7a4039a06fb7ab0af8

SHA256
08a340277c4de827ce0dcaab6afc87cc3cf927ce81e76d75934e222e78b5e978

SHA512
24f9324dbcb2853dccfd68291dddb1b19bfa95ece5cdcb6dc8e6aaec7c6d294722f64525068cc400bcae34838640d0ca8919d7bcbeef5b2f069e28c425149b2a

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b1d0156c130f4bb18a18cf4e8a8d5d5a

SHA1
f13f808d5bbe47f71cfeaa7a4039a06fb7ab0af8

SHA256
08a340277c4de827ce0dcaab6afc87cc3cf927ce81e76d75934e222e78b5e978

SHA512
24f9324dbcb2853dccfd68291dddb1b19bfa95ece5cdcb6dc8e6aaec7c6d294722f64525068cc400bcae34838640d0ca8919d7bcbeef5b2f069e28c425149b2a

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b1d0156c130f4bb18a18cf4e8a8d5d5a

SHA1
f13f808d5bbe47f71cfeaa7a4039a06fb7ab0af8

SHA256
08a340277c4de827ce0dcaab6afc87cc3cf927ce81e76d75934e222e78b5e978

SHA512
24f9324dbcb2853dccfd68291dddb1b19bfa95ece5cdcb6dc8e6aaec7c6d294722f64525068cc400bcae34838640d0ca8919d7bcbeef5b2f069e28c425149b2a

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
b1d0156c130f4bb18a18cf4e8a8d5d5a

SHA1
f13f808d5bbe47f71cfeaa7a4039a06fb7ab0af8

SHA256
08a340277c4de827ce0dcaab6afc87cc3cf927ce81e76d75934e222e78b5e978

SHA512
24f9324dbcb2853dccfd68291dddb1b19bfa95ece5cdcb6dc8e6aaec7c6d294722f64525068cc400bcae34838640d0ca8919d7bcbeef5b2f069e28c425149b2a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3185155662-718608226-894467740-1000\_desktop.ini

Filesize
10B

MD5
d3c36a72fc1c8bd61b57107d5d012a29

SHA1
2a13da90a3c63c88dd43ae9c670876f0dd0fc03e

SHA256
a2f94b462f3497d26399b1f5eda449b87e3ded10e09de07369f6a984eff5383d

SHA512
4c08a9bdba23ece3ba391c1cd3696b046892c028f94e04e955fbee3a13dc181f1073c8f6e686529dd613bd468297d6b21a7de318ae61b88a2d642f3215c20232

Download Submit
memory/1372-63-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2068-57-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2584-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-1887-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-2889-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-3348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-13-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2768-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download