9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6

Analysis

max time kernel
266s
max time network
288s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe
Size

1.5MB
MD5

e7d75c65705def420338969ca9346ed6
SHA1

1a17914edc6496284b75fbc62b5b3ba5e15c8dcc
SHA256

9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6
SHA512

57ab8ec6af0460f2e204519cfa76b9775770f1d2614547dc51e6eb55ff4d768a13dd834ed68eb075b6566d65309488c8a655bdd20d7793ecb2008c782fa8413e
SSDEEP

24576:u7UwxMOKp26S1HVsr+jLuLLv7Z68uUo+fpaeVxLte60J3Tft32AgK9:u7U8Kp26S1HCr+jL6v7a+VVxLtpSTfx1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1812	Logo1_.exe
1476	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe
File created	C:\Windows\Logo1_.exe	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe
1812	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2784	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	27
PID 2128 wrote to memory of 2784	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	27
PID 2128 wrote to memory of 2784	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	27
PID 2128 wrote to memory of 2784	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	27
PID 2128 wrote to memory of 1812	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	29
PID 2128 wrote to memory of 1812	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	29
PID 2128 wrote to memory of 1812	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	29
PID 2128 wrote to memory of 1812	2128	9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe	29
PID 1812 wrote to memory of 2796	1812	Logo1_.exe	30
PID 1812 wrote to memory of 2796	1812	Logo1_.exe	30
PID 1812 wrote to memory of 2796	1812	Logo1_.exe	30
PID 1812 wrote to memory of 2796	1812	Logo1_.exe	30
PID 2796 wrote to memory of 780	2796	net.exe	32
PID 2796 wrote to memory of 780	2796	net.exe	32
PID 2796 wrote to memory of 780	2796	net.exe	32
PID 2796 wrote to memory of 780	2796	net.exe	32
PID 2784 wrote to memory of 1476	2784	cmd.exe	33
PID 2784 wrote to memory of 1476	2784	cmd.exe	33
PID 2784 wrote to memory of 1476	2784	cmd.exe	33
PID 2784 wrote to memory of 1476	2784	cmd.exe	33
PID 1812 wrote to memory of 1224	1812	Logo1_.exe	6
PID 1812 wrote to memory of 1224	1812	Logo1_.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe
  "C:\Users\Admin\AppData\Local\Temp\9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE512.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe
      "C:\Users\Admin\AppData\Local\Temp\9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe"
      4⤵
      Executes dropped EXE
      PID:1476
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\SogouPY.users\acc.dat

Filesize
80B

MD5
c9b2f9f22970b6b809ea95b71a6ebe4f

SHA1
599786c1d8352341bca606df7058151221c18368

SHA256
6421405bdb9a70d7d7d962feeb474c1470ac032f4379cc2c3dc60f1bd62c1f6b

SHA512
eea33812a7482926dd04b9eb77744100bca7eb9cb035c96ef246a9a166586d9bf74a917630d2cdd88c7d0b2fdafb704c7bf40b8b4484fce3cc5fa4fbb5b5b711

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE512.bat

Filesize
722B

MD5
cb44ed34c6a5322cb32139ed1453c3dd

SHA1
68ceeaed28a8a49f8ac266036a20a7a6aee94667

SHA256
1be72472a353642f3886a5c73e0a37d51cd9f2ea1b501bb9609f32ff58d9cfb5

SHA512
949af84754397f2130d059900295cfc753b8c8a4d8df5f22c004b0958eb71b39ffa6c58e145791a958caf73006df0c935e30c42e30f57d7b9cc57ddfa033fd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cb7621b5a9832b63afe78fd1c5e2b39cc0612bca1fc070b5893dc54497b88d6.exe.exe

Filesize
1.5MB

MD5
452489aa25a4f305d8806f3015cd5a99

SHA1
b22260f546ace81ecbe40c2e4015ba8d46fcae39

SHA256
14485683fba34a02aa1d75ca143dd02a2c57568a867ceafbeac61fdc4e737dd7

SHA512
cfeaef480ba5fac3cb858fc1318300925edc24bbdfc9bb462055a863f32131b6aeac29f08d5d4ebcda013a0e8e76994b6c86d78c11344dd38ed896db4e0d57f7

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
80fc05d81eb2408243d8cb9531ead60f

SHA1
88c89a52d2d36a5d439acddcb4c75277ef69a2be

SHA256
be87f688dc39392e406c8da833e7e32bbeb62713d5fc6f4c0cdf10e07e04d178

SHA512
caad2f5f8a74f0fc436f3d147c8eaf8f428411c58c0c53647917a836b99a311ae6fecfe3bf152085933f2279b6b9eb38efc47b796d9e9f72f893c911014e8f61

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\_desktop.ini

Filesize
10B

MD5
0c6beb6d4da16bbf902e01a42ff163f5

SHA1
aeeec783750199c10f8dd6e8aa828a44233e760b

SHA256
2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793

SHA512
3f4ec9bc64092ea98aee91777e052f410194ce728890df45cbeccb60c321c5547e52eaae747c8b64c4f8a9c22a04c0f20146bb7cc5826552ae23e3be8ccb7c3a

Download Submit
memory/1224-40-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1812-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download