Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
  Resource: win10v2004-20240226-en
General
Target: bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
Size: 46KB
MD5: 5abe06767d00207a0fc26f034a4b6b74
SHA1: 00daa2a8d778fef8a7442299489a077a9e998b19
SHA256: bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f
SHA512: 9d257f85c47a36e48d83203acae9016e7dff1b11def8c5181dde3e5c38914273a6dd208bb31c14ef61b1eaa0f953ac31c602bc1dd4e0bef5fff045693765b5fd
SSDEEP: 768:n1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLwnV9P85GB2FlFfNDG7qHUf2h:1fgLdQAQfcfymNsV9kFfO2Uf
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2956, process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2444, process Logo1_.exe
  pid 2512, process bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe
Loads dropped DLL (1 IoC)
  pid 2956, process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  File created: C:\Windows\vDll.dll (Logo1_.exe)
  File created: C:\Windows\rundl132.exe (bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe)
  File created: C:\Windows\Logo1_.exe (bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Suspicious use of WriteProcessMemory (22 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 1152)
  - C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe (PID 2916)
    command line: "C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2956)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFDCF.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe (PID 2512)
        command line: "C:\Users\Admin\AppData\Local\Temp\bd1b165c1616e8e7872c7780267db520613227484d7293d06937f6c9ae61b19f.exe"
        - Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2444)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2544)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2484)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads