86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 23:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe
Size

1.5MB
MD5

033c6bc641d532f2c5492e7089552402
SHA1

5135502df837d8f8375cdfd9b5b05b155c9f0ae5
SHA256

86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a
SHA512

052d51a0d828b6504ac526dae2f15940a155c2697b49ecd9eed7406851cc6bab734fd92d8b9a791e656616eb9fe8eb756a1ba78bcc6f6b814b6372f4e218a8f1
SSDEEP

49152:W7YJ5W+3tzEfsRSbJtbCor2nLfQlyCAI0Ts:Xa2LRSbreor+OT0Y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	Logo1_.exe
2836	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe
File created	C:\Windows\Logo1_.exe	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe
2764	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2140	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	28
PID 2356 wrote to memory of 2140	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	28
PID 2356 wrote to memory of 2140	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	28
PID 2356 wrote to memory of 2140	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	28
PID 2356 wrote to memory of 2764	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	30
PID 2356 wrote to memory of 2764	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	30
PID 2356 wrote to memory of 2764	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	30
PID 2356 wrote to memory of 2764	2356	86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe	30
PID 2764 wrote to memory of 2692	2764	Logo1_.exe	31
PID 2764 wrote to memory of 2692	2764	Logo1_.exe	31
PID 2764 wrote to memory of 2692	2764	Logo1_.exe	31
PID 2764 wrote to memory of 2692	2764	Logo1_.exe	31
PID 2692 wrote to memory of 2676	2692	net.exe	33
PID 2692 wrote to memory of 2676	2692	net.exe	33
PID 2692 wrote to memory of 2676	2692	net.exe	33
PID 2692 wrote to memory of 2676	2692	net.exe	33
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2140 wrote to memory of 2836	2140	cmd.exe	34
PID 2764 wrote to memory of 1192	2764	Logo1_.exe	22
PID 2764 wrote to memory of 1192	2764	Logo1_.exe	22

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe
  "C:\Users\Admin\AppData\Local\Temp\86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1381.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe
      "C:\Users\Admin\AppData\Local\Temp\86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe"
      4⤵
      Executes dropped EXE
      PID:2836
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
02c4015fb0e29be5b32bc18af460236e

SHA1
da349209a1c48a5af122d84bcb35a640538115c9

SHA256
db523a43ec00102b2d9d6da267774506f2c6cb7b82243cd4075a524670a789b9

SHA512
5f70342b9f2e9c611dd1618594db3e26c8f489fef57d7503eb3dc37b209476723e74818544699565b8883de942fa96c6c245140509d7dfb74353cf3e06c0714f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1381.bat

Filesize
722B

MD5
29bc9886763817c421f350b7f5060cbd

SHA1
c06e801aed5ee9b931bb59bc24a9ef09a53e9bb7

SHA256
49ade22d60e05f7cafa66e246bf34914a206beb2971ecc9dfe625b759614298a

SHA512
e50b2108306d2abf32c128e14ae1f457b1cfbafa17de9f207624bb1ca9a0565a83325093369ec1e79cdee8a88257f11be50c0c2b6b321a58c834bda7ccf825a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\86b4ab938a5400c50f8f7e627b3304efbd4cdd90555f407858fcbf0aafed480a.exe.exe

Filesize
1.5MB

MD5
abcdf5fd3f15c77571cf8267de2de7a3

SHA1
51e8dae9c7946502b6bf7088cca57edd10c36fa0

SHA256
936ed0d8b2bb2e02762014a51eefec6140bb63a2544698cee82b2526f5b3a87e

SHA512
9be80b2bffc40a455d813e7b7f11dedca57455bc98517521f8d3a52e5613f5a0230b925af1e625dd027be2824485f2c89ed058988c450d194b908da794431b21

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
474c3982f07bbcf1891f8de2d5e4b0e3

SHA1
886a18cce7548121d7110060d261fadc73ae8518

SHA256
7fc7cf5e5da8d674a1fb954fbc201b41a8638238bbbbb1768e9c86c44ac04b5c

SHA512
5a5e8b0d5be0c98709df40a1c47659ee3f5e854ede1e39b73502df943198f1c40145aabd7eea1f0ec40d49eaa27f99c9c557a0ec70f3e4ade96cf67b755ab1f9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\_desktop.ini

Filesize
9B

MD5
496f90378d67e8fbaed42c22694fca1f

SHA1
5b66b632733edca5a21d439a5498ddbac620f1f1

SHA256
7ec0f9772f1aaa80c3ab5311e5fb68034cfd40139902322a2fa6a435b56cf676

SHA512
06e46720cecfb9e805bd5339a1b7503b595d340bd528b3ddc70dec133757519025d875c1f715cd61da2f98083731138fc14c30ddf000789406c84bf10b5db1a1

Download Submit
memory/1192-29-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2356-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-20-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2764-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-1002-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-3052-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download