5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 10:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe
Size

55KB
MD5

109cd001f3a1d08a233c903a0261f714
SHA1

bafe06c4e92b857f7e61d53efac44be369fa254d
SHA256

5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e
SHA512

2f01e3cc32e1c0ceb22654961c1840083128dd6464b2ae962a866f4da2b3a6c396826647d112e6a4faee996e41c2c47c661e029efa1019cb4f16ff8bbd7b0248
SSDEEP

768:OO1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLz2QkpDYMJcoYmgKFjowQ2Uf2hK:OIfgLdQAQfcfymNrkpDjWm7rUfj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1336	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	Logo1_.exe
2788	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe
File created	C:\Windows\Logo1_.exe	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1336	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	28
PID 2500 wrote to memory of 1336	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	28
PID 2500 wrote to memory of 1336	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	28
PID 2500 wrote to memory of 1336	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	28
PID 2500 wrote to memory of 2668	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	29
PID 2500 wrote to memory of 2668	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	29
PID 2500 wrote to memory of 2668	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	29
PID 2500 wrote to memory of 2668	2500	5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe	29
PID 2668 wrote to memory of 2832	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2832	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2832	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2832	2668	Logo1_.exe	31
PID 1336 wrote to memory of 2788	1336	cmd.exe	33
PID 1336 wrote to memory of 2788	1336	cmd.exe	33
PID 1336 wrote to memory of 2788	1336	cmd.exe	33
PID 1336 wrote to memory of 2788	1336	cmd.exe	33
PID 2832 wrote to memory of 2000	2832	net.exe	34
PID 2832 wrote to memory of 2000	2832	net.exe	34
PID 2832 wrote to memory of 2000	2832	net.exe	34
PID 2832 wrote to memory of 2000	2832	net.exe	34
PID 2668 wrote to memory of 1264	2668	Logo1_.exe	15
PID 2668 wrote to memory of 1264	2668	Logo1_.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe
  "C:\Users\Admin\AppData\Local\Temp\5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3F22.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe
      "C:\Users\Admin\AppData\Local\Temp\5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe"
      4⤵
      Executes dropped EXE
      PID:2788
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a3F22.bat

Filesize
722B

MD5
0c6b4a9a42ca52ccac1a1a9c8e8bbbfa

SHA1
dc980002cb601d6f7077a26f906a923c342688c8

SHA256
f273e6a4d5ebf2151e67a46bd006e613ed57b878e1710cc1f0bc29cb4cf9db1c

SHA512
390db00dc7d8b1425b8eb5028e9e153ccfb590822c7a42354cc01632f00955f03dabcb4c9f43a26b69bb2f1f2b4ea53e7b5c50930ef79f28ae1f0f111bf360c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b76b833e7a2675a3b9ceaf5ceb370fc45ff2df28d5b70555767469fbbc06d5e.exe.exe

Filesize
29KB

MD5
2be39ecb5b51b5ff87c7c38d48a27b88

SHA1
202fd79c7396d69d6ef8591c41cdc416e76f6223

SHA256
4a3249b3ccd596ea3880b0e9449662752d5155ec5c4318f84d5ca9eef6611c87

SHA512
5164f66dc109e118424a3c62fcdeb84e48de5163b565ebffe0cafb558c173a19d042f30fdbceb95ac8a69aba99de041a3c90da7f8d2d10c4215a0a50d6e34c6a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
2fc9270643794e6dc2337d8ac92c10b2

SHA1
605dd0b7e8c655dae3805c72525a009a9b49aeeb

SHA256
5f9414de7c93a50fa9ee56589d7d24d199dfe115f51af0731e2c1b5b5666043c

SHA512
3be0147248b684294a00d7cca4c4e24e723f904bc82c702645a86c088e64bbd510139940a6ba86e7f40e6f1a5d39ef325ad4e9635c5768f988d1cebfb558587b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1268429524-3929314613-1992311491-1000\_desktop.ini

Filesize
10B

MD5
34c7bf8c1e8aa0e76a1cb36da6f3c07f

SHA1
93bff4db65fd067f94ca08ce2654a2675925b27d

SHA256
89ee7da24a1550d124e7ac206a8d49733f819c098eebf27b8c7f28e931a09f53

SHA512
ba8fa54ac2e6eafb524f14c7d286d9910afd808ec561c933af8b72a9cdb813e0e7777dc04a9dfdb6c985f27f123ac34a19782d6c0e734f8ab4e9860c9033139b

Download Submit
memory/1264-30-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2500-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2500-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2668-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download