0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe

Analysis

max time kernel
151s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe
Size

76KB
MD5

2283eb699e37f8bf265a5d65668df9ea
SHA1

4b6de7fcc586212655f94036fa0d919305eb543b
SHA256

0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe
SHA512

e6622b48d0662a5733896ab279ad6c80309c056ce17e9114fad8de95cb6a127f5776d86c7105bbddae61409fbc18031187bfd0a48149c0f7edb159747906233f
SSDEEP

1536:WfgLdQAQfcfymNMJi2pHA9dC4l2Rc3D2SbIl6EsNelnUEWPPZ++gBurIfDgwDb4i:WftffjmNMJSP8RMDcVyHQ8qf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2848	Logo1_.exe
2856	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	cmd.exe
1960	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe
File created	C:\Windows\Logo1_.exe	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe
2848	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1960	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	28
PID 2016 wrote to memory of 1960	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	28
PID 2016 wrote to memory of 1960	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	28
PID 2016 wrote to memory of 1960	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	28
PID 2016 wrote to memory of 2848	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	29
PID 2016 wrote to memory of 2848	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	29
PID 2016 wrote to memory of 2848	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	29
PID 2016 wrote to memory of 2848	2016	0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe	29
PID 2848 wrote to memory of 2464	2848	Logo1_.exe	30
PID 2848 wrote to memory of 2464	2848	Logo1_.exe	30
PID 2848 wrote to memory of 2464	2848	Logo1_.exe	30
PID 2848 wrote to memory of 2464	2848	Logo1_.exe	30
PID 2464 wrote to memory of 2632	2464	net.exe	33
PID 2464 wrote to memory of 2632	2464	net.exe	33
PID 2464 wrote to memory of 2632	2464	net.exe	33
PID 2464 wrote to memory of 2632	2464	net.exe	33
PID 1960 wrote to memory of 2856	1960	cmd.exe	34
PID 1960 wrote to memory of 2856	1960	cmd.exe	34
PID 1960 wrote to memory of 2856	1960	cmd.exe	34
PID 1960 wrote to memory of 2856	1960	cmd.exe	34
PID 2848 wrote to memory of 1232	2848	Logo1_.exe	5
PID 2848 wrote to memory of 1232	2848	Logo1_.exe	5

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe
  "C:\Users\Admin\AppData\Local\Temp\0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4DE2.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe
      "C:\Users\Admin\AppData\Local\Temp\0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe"
      4⤵
      Executes dropped EXE
      PID:2856
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4DE2.bat

Filesize
722B

MD5
97412116d32b186568c562abe264612b

SHA1
ec3752896e73c6f95455cf5bfbfda296c86efef2

SHA256
d485cc2f63344bf2e20156daf8d26b9786c5010574f56e58e986bfcd404e45dd

SHA512
5785f55f068700e793cc52d3b71946a9413779fb575ae4b4be0a7c98f7bf487dbf46fea1aaa5b8644f23612c6e87ec186ac55c46016f92c0b9a7e2333e3f7a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d850877609ea4ca720282e7418e39e79960e49cd79a54a6a4f726b326b04dfe.exe.exe

Filesize
50KB

MD5
10f8ad7118d61f95e529937f7dfdeb8d

SHA1
4cf62bc01db26852353167416cd7c760473c3c3b

SHA256
8db84b45c31f64f03ffef9728a39eae8e32c9b3fd21cc4fa914aab22c0104de1

SHA512
e27e6554a55a601bd2ae4c07c66d5bfe0ed96be6bb237603c81b06d50f7300bd02eebc362d0e76e67e6919a19f84931439eb93587adacf0b1d123c433425d02d

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
945eff1aba01166e9f52775e509492cd

SHA1
d505c37410e195b610ab748753b75b710254bad3

SHA256
c3b05c87724047cb8f144db11f91fe73b8a344bf1659135f1a9a8ac493afe31a

SHA512
67c512607252fa41cc43a67bce9e16346d69e6a23966936b6cfeb92c630e3bf273d6ed02acd7a99bd4c20e6d10fe0c25b60a90432ff37310ad8c89299a91a67b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\_desktop.ini

Filesize
9B

MD5
593130a35dad97776f4a5d8af38d4ec6

SHA1
d3673081d997fe2057dd0e2ce152af5369692767

SHA256
479ae218866e5c40d1a0e41c1e380e6c9be107e86bc4e465be1d87f77e5741e5

SHA512
083d63f2813ea37e914a8764a32fd2953ed74c25690696007a82f4e55ada3fcaca8c362762fb114b101840c801a522aaac2ba958a8a66e3fb86e08ccaf5e73c3

Download Submit
memory/1232-30-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2016-40-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2016-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-20-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2016-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-1851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-3311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download