92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe
Size

641KB
MD5

5f0b50fa48f8975570dc830d328f1737
SHA1

6042a4c423a92e0ed1d08a23e9b1d3021abe6f64
SHA256

92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45
SHA512

26e07352fc1893ac2ca40c77a190110b92335eec718beaa541278cb9a47f4f20201a863e9b544e39b1b3e3bc6eb74108563ea02040d89989bc3ed0eb8eeb4568
SSDEEP

12288:D7+Nyqt7zfAfzN3kQF4dpWlQj8wXeci6usP7BA8fB:D7dquN3k04yieZ6usP7m8J

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	Logo1_.exe
2324	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe
File created	C:\Windows\Logo1_.exe	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe
2276	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 2384	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	28
PID 1240 wrote to memory of 2384	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	28
PID 1240 wrote to memory of 2384	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	28
PID 1240 wrote to memory of 2384	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	28
PID 1240 wrote to memory of 2276	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	30
PID 1240 wrote to memory of 2276	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	30
PID 1240 wrote to memory of 2276	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	30
PID 1240 wrote to memory of 2276	1240	92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe	30
PID 2276 wrote to memory of 2840	2276	Logo1_.exe	31
PID 2276 wrote to memory of 2840	2276	Logo1_.exe	31
PID 2276 wrote to memory of 2840	2276	Logo1_.exe	31
PID 2276 wrote to memory of 2840	2276	Logo1_.exe	31
PID 2384 wrote to memory of 2324	2384	cmd.exe	33
PID 2384 wrote to memory of 2324	2384	cmd.exe	33
PID 2384 wrote to memory of 2324	2384	cmd.exe	33
PID 2384 wrote to memory of 2324	2384	cmd.exe	33
PID 2840 wrote to memory of 2896	2840	net.exe	34
PID 2840 wrote to memory of 2896	2840	net.exe	34
PID 2840 wrote to memory of 2896	2840	net.exe	34
PID 2840 wrote to memory of 2896	2840	net.exe	34
PID 2276 wrote to memory of 1324	2276	Logo1_.exe	14
PID 2276 wrote to memory of 1324	2276	Logo1_.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe
  "C:\Users\Admin\AppData\Local\Temp\92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3C64.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe
      "C:\Users\Admin\AppData\Local\Temp\92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe"
      4⤵
      Executes dropped EXE
      PID:2324
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
567397ffc8e6f313653339d5d01a01a3

SHA1
e4341d07518e961b478160a552e5556127d77687

SHA256
87eecbd152e74de2def9f763dfaef840763879dd37789f5967ee6d8621ec7d12

SHA512
a89363535d5ab684761bb8e30b0a7dba318f8f5929e5563ba908ecaafdc48aabdeb61df179f8ae786e232aab6eb1884ecbc0475bd55c7ecb1975a45b0877e7ee

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
271KB

MD5
cf3e76c0ef69d1f4d123d62b17f6e636

SHA1
b0b571960d14415b26c59b1a3d2b91a75a9541ab

SHA256
3f50b2133b3e9b67f16f6904363465281d96c9a9a779a7009ca2ef4cbcb5c185

SHA512
a01b5e25d47efcfd24a5768dff9d9243f18f4284bb76440cc52104d7e5525941662c5afc40ea4f201bdd61f2e5d238e3b2454f96c778ff9ea3e54a8490d74854

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3C64.bat

Filesize
722B

MD5
f09fa8ba98eb6611141fd6cc7f366279

SHA1
a9f36b8a53f30d726b9333c07528f5abad6f9c73

SHA256
639e43d25cbcf2eef8bf80e2e3c36146361d0be483bc455315adf1b12884cdc0

SHA512
15dd2306f3873d8d6898aa47c3b8b042a221ce5423117f77eab8f1212006b4e41ef14aece26db06460284b8de1fbe874541f2b907d5ee227d9b6167a33cc2c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\92b426ffd5e69a7932e348001466d2bda0a5a93c7ca44eadd223dd86fb445b45.exe.exe

Filesize
615KB

MD5
dfbbd6d76a42cd7518ecbb1b4ec41d25

SHA1
541ce929b433ed34924ffaef13f23a4669301f1e

SHA256
db9fb79e045daccda6a5508faac41eee3fe023ed49b24a637911af5034d788c8

SHA512
133678e0b2d60b929398c88c060c0ea4da1577f17852cd5a5baaef04579b04e11f09969c59b7b47bb1fbbcb665796bcc950e6b8ae03205564cd9a00cd4c94982

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
29989799438a463b62c9deb98951b7bd

SHA1
f416c1209a4faef54928893920def7e8be68a487

SHA256
6113caab166df74a34eaab544b21ea5610739e233e6e62a7e3643bac6443eecc

SHA512
597fae1f1dd044a3871c388a76015ff91572a207803e34fd4eabe6e1f46e05aaba60e1a41ca5e8e281150560a7e319f6f721b841459444927359aa15bd9190fb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-928733405-3780110381-2966456290-1000\_desktop.ini

Filesize
10B

MD5
7ffaa74dcf5b57082a43c17464e10782

SHA1
c6cf002ebb82e54cb14553d044f6c61463b369a6

SHA256
b3bfda52765f0ec02320ef68e5fca5e0d4bb61e1ec6f062430a5711a41c1be65

SHA512
35ef0f681e44781b5dc20e179918be9dad7be2029093f9537cfe30bff888bc875ad32e6bbb59294dc36779829bab7aa6ebfac9e93c6a1ef5e4e7ddde85bb6de8

Download Submit
memory/1240-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-20-0x0000000001DC0000-0x0000000001DF4000-memory.dmp

Filesize
208KB

Download
memory/1240-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-29-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2276-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download