4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe
Size

104KB
MD5

32f883f1a2b1757582b2e41ad74f9f27
SHA1

96c7f8b0d6fdee097140c77f1d9d421ecd8c5d8a
SHA256

4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e
SHA512

55d21e9b0f7ff413f279498ab36ca54efe39bd5751732a0727f3b95c4d4bcfb96d00178c784fbb4f342dc9c443e7f19db1e4db26ecc4534bb2eda1f79cb1cbdf
SSDEEP

3072:SftffjmNruuKxHSbz07u4zjJY251dZmxq4hi9ezOhu9vPt:iVfjmNAHSb45dZWqdezOhI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	Logo1_.exe
2640	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe
File created	C:\Windows\Logo1_.exe	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe
2308	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2736	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	28
PID 2232 wrote to memory of 2736	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	28
PID 2232 wrote to memory of 2736	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	28
PID 2232 wrote to memory of 2736	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	28
PID 2232 wrote to memory of 2308	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	29
PID 2232 wrote to memory of 2308	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	29
PID 2232 wrote to memory of 2308	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	29
PID 2232 wrote to memory of 2308	2232	4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe	29
PID 2736 wrote to memory of 2640	2736	cmd.exe	32
PID 2736 wrote to memory of 2640	2736	cmd.exe	32
PID 2736 wrote to memory of 2640	2736	cmd.exe	32
PID 2736 wrote to memory of 2640	2736	cmd.exe	32
PID 2308 wrote to memory of 2704	2308	Logo1_.exe	31
PID 2308 wrote to memory of 2704	2308	Logo1_.exe	31
PID 2308 wrote to memory of 2704	2308	Logo1_.exe	31
PID 2308 wrote to memory of 2704	2308	Logo1_.exe	31
PID 2704 wrote to memory of 3032	2704	net.exe	34
PID 2704 wrote to memory of 3032	2704	net.exe	34
PID 2704 wrote to memory of 3032	2704	net.exe	34
PID 2704 wrote to memory of 3032	2704	net.exe	34
PID 2308 wrote to memory of 1208	2308	Logo1_.exe	8
PID 2308 wrote to memory of 1208	2308	Logo1_.exe	8

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe
  "C:\Users\Admin\AppData\Local\Temp\4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a24B0.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe
      "C:\Users\Admin\AppData\Local\Temp\4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe"
      4⤵
      Executes dropped EXE
      PID:2640
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
511a2d5905efad810a21feada48ceb39

SHA1
6a4cf6d0a4bb651ea17966e3accbea68d62b9c3e

SHA256
e4286846db738761d9e779ad53e9ba92d875f9acc03f8086307e6f1f1173ebaf

SHA512
56e2dda4271555861074bca1121e1b512c64aacc991bc089ef546f11e619359d5b338762d76bf67c8a069293a542ef1f59715f19efceac2ead1fe5eafacc8d3c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a24B0.bat

Filesize
722B

MD5
0e517f9a9fdbaf8dd3aea3082c91f7d5

SHA1
87c2f39fba8ce1ca2f5d2282981725274abf554d

SHA256
b6d0081a18e1c341f03f136c4e8f676647c46a22bab0dd0cac050cf616d225f4

SHA512
c5c2dd87c0b8a92062f28b925cc9fda5626e006783c0c45da1ddbea00e08e1dc0acba467729e118e7664a66dcb111856f054e34b0d6ba0adbb367b2e1967063d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c9b227230b5ee98b40a05f98a03e5cc855761827a32316a6eedb156f8ed0b6e.exe.exe

Filesize
78KB

MD5
b82829adc9cfa9931fd90db4c064fa42

SHA1
0a717fc3f7ef3bd6fad81a358fbfd629a07da565

SHA256
b811979578ed2fda03e2537ad221d6861ff5e425c11d34a20a4b24bf508fcaf2

SHA512
c09a8159b661975cc5e9be6de12e40592c208f7e0ac99481e2be86ae705c3f8c475a885461da4c01519b9cb17187c2cef0de8b9620c633ac7fd5a86d313c4023

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
247aafc1af131a360429f437cdedad82

SHA1
02ab749c7aa28ae7beb232991754aecbc3e596ba

SHA256
318e25db58c0812b719310265b3dc04aa4e1fa756cef4e26b57162ab54fc0ad1

SHA512
2486fe7c037e6d57936521ea35098df0955a16438979d1335d48f7c912d0ee21b37225c14fb6a2ad62c268b84132883650684664c4370e7188105cd070bddf78

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/1208-29-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/2232-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-17-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download