5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe
Size

484KB
MD5

3a50edc073789c925d71242490e77518
SHA1

cc3f627385e7429b0da0e4b9748b2725d8d265ca
SHA256

5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43
SHA512

4ce4d598de8e10ce03590229a79fac1aa665e62080e37800568add5286a09814b8ec27f38a2622fdcb14dd8d1446e6f97fb0ba647d1e5aead7f6cfb52892ad55
SSDEEP

6144:ZVfjmNIz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fay7:v7+G1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	Logo1_.exe
2808	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe
File created	C:\Windows\Logo1_.exe	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe
2668	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2760	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	28
PID 1340 wrote to memory of 2760	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	28
PID 1340 wrote to memory of 2760	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	28
PID 1340 wrote to memory of 2760	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	28
PID 1340 wrote to memory of 2668	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	29
PID 1340 wrote to memory of 2668	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	29
PID 1340 wrote to memory of 2668	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	29
PID 1340 wrote to memory of 2668	1340	5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe	29
PID 2668 wrote to memory of 2784	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2784	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2784	2668	Logo1_.exe	31
PID 2668 wrote to memory of 2784	2668	Logo1_.exe	31
PID 2784 wrote to memory of 2708	2784	net.exe	33
PID 2784 wrote to memory of 2708	2784	net.exe	33
PID 2784 wrote to memory of 2708	2784	net.exe	33
PID 2784 wrote to memory of 2708	2784	net.exe	33
PID 2760 wrote to memory of 2808	2760	cmd.exe	34
PID 2760 wrote to memory of 2808	2760	cmd.exe	34
PID 2760 wrote to memory of 2808	2760	cmd.exe	34
PID 2760 wrote to memory of 2808	2760	cmd.exe	34
PID 2668 wrote to memory of 1256	2668	Logo1_.exe	18
PID 2668 wrote to memory of 1256	2668	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe
  "C:\Users\Admin\AppData\Local\Temp\5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4E4F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe
      "C:\Users\Admin\AppData\Local\Temp\5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe"
      4⤵
      Executes dropped EXE
      PID:2808
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
c6d96ae5e83108c20fcd962db8108062

SHA1
670a9e34e194dec707475d2eb3dfa2c7c8de8765

SHA256
c73d6d60169c0848ac5d3f0bb3d09efba8acd0ad0d763791718cd866e786eef1

SHA512
d0b5180459bb341226359b087e77f2b60be8108cdeb0ccaadb92cd326650b46f1dd02d801704a022fd80446193ba2892ec0eb9b1b816abee57aeb649cde99f44

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4E4F.bat

Filesize
722B

MD5
ab618c6be75dc6c41fc2c1743e2bf168

SHA1
1f5401fec353e7c783e02727bc71ef8a7e90edac

SHA256
84cf98033b3c33aac3cab6bbb9dd2dad223cd10c728840115105f94f83dbb26c

SHA512
1097bbb5a9bf27623356b24fc5a4bb7aa6c2aa3220ae576ad362b8933ec63a1b7632525ef9aa223715e1c85e404670bc2402ddc265ea3f64d549c159c3051a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d84d075e3ce6b8cbd211885509810e24acc23aab21939949a02432c4a54fb43.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
51c05487419e979a0e573da43c365694

SHA1
e646035fa3b0f55e86fa30675e8f06c2ba911ba9

SHA256
c76431cf4d36713554bf9996d0b425898ba0a6de969b5bd6b6a9a2fd4384c595

SHA512
47885998e18e589c89915b5c4955c5c27c8d1649d5194e871cfa008b6afebbfcf6c55e9ad687e032e23c8aa12db7a31bd4f85e631f345bc6023841f75bbc0296

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3308111660-3636268597-2291490419-1000\_desktop.ini

Filesize
9B

MD5
656878f7f928e71d7f24b57fcc0f6261

SHA1
03d784e1d3d642f69b11963a421200e3c046e6e6

SHA256
fac18ac822bec04370e7632ba99c7434d4674099af7ba5260689b778a7e13f93

SHA512
6df81d09518887c18a145a5866582839e3c8c469111ed260916acf23b759845d3ff4416539f0cd03d74dd0379aea26b247ca14fd54ecf5544a63c7e76edec22c

Download Submit
memory/1256-30-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1340-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-17-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1340-15-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2668-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download