db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff

Analysis

max time kernel
159s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
Size

297KB
MD5

2d2fd82cf3a3bc026aa320530352b1d1
SHA1

fc42c5f1f01792885e149de31e7570fa853b671e
SHA256

db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff
SHA512

dd57584dd2f42c56c51b495597bd43c2eb904685319960f1ad9cd04bb270edf98844ed1dddc1e45a40037cc7066a7dc175056fa0547fc42ee1be3eb517f8cdde
SSDEEP

6144:5VfjmNTXEsQ8sX8DohN09wzABEtot5AOxdsJapJ9Q:P7+Be8CN0QIfryJapJ9Q

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	Logo1_.exe
2756	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe

Loads dropped DLL 1 IoCs

pid	Process
2572	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
File created	C:\Windows\Logo1_.exe	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2572	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	28
PID 2736 wrote to memory of 2572	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	28
PID 2736 wrote to memory of 2572	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	28
PID 2736 wrote to memory of 2572	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	28
PID 2736 wrote to memory of 2680	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	29
PID 2736 wrote to memory of 2680	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	29
PID 2736 wrote to memory of 2680	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	29
PID 2736 wrote to memory of 2680	2736	db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe	29
PID 2680 wrote to memory of 2600	2680	Logo1_.exe	30
PID 2680 wrote to memory of 2600	2680	Logo1_.exe	30
PID 2680 wrote to memory of 2600	2680	Logo1_.exe	30
PID 2680 wrote to memory of 2600	2680	Logo1_.exe	30
PID 2600 wrote to memory of 2604	2600	net.exe	33
PID 2600 wrote to memory of 2604	2600	net.exe	33
PID 2600 wrote to memory of 2604	2600	net.exe	33
PID 2600 wrote to memory of 2604	2600	net.exe	33
PID 2572 wrote to memory of 2756	2572	cmd.exe	34
PID 2572 wrote to memory of 2756	2572	cmd.exe	34
PID 2572 wrote to memory of 2756	2572	cmd.exe	34
PID 2572 wrote to memory of 2756	2572	cmd.exe	34
PID 2680 wrote to memory of 1268	2680	Logo1_.exe	21
PID 2680 wrote to memory of 1268	2680	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
  "C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a89E8.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
      "C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"
      4⤵
      Executes dropped EXE
      PID:2756
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
15de3119354bf2f7ada1ae847042a205

SHA1
332314350f2e545988ab7b1c3e8cc68788fdff1b

SHA256
86bcacef389ea0f42219d11c4e9494971f2cb8ba7d7f414b70976a905ce13583

SHA512
ac803936cc1e993bcf5e855a7441fe323bbe543d6092bb4951251afd8ae28932c966dd034cf774f1b66362183b071a7ce42653c8cfac4a8a241bc11a62215ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a89E8.bat

Filesize
722B

MD5
3f49d84854e0214173c5d1f311f5b537

SHA1
c2d345ae1d844c8f7f00600fe30ab01951f5b4fb

SHA256
03df2cfeedc77e3d41ab0273598f347a262dffb5dcc33f8dce04063a2d87dd21

SHA512
6508a7667a7ee52bed9215c06f499b44e8deb17abf35de4a4a924a9659375460ea8aa09cf09c9dcd5c3708b7abefa6e15a55755a18cd89b8c34965b489a88b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe.exe

Filesize
270KB

MD5
394d109e7c282ed7fecfc78ea0da9dcf

SHA1
aadf25ede61ba501a380a3959b7eba196a675999

SHA256
5c1c9968df0af2cc56a85ac592389f82d053a74e884e2117e019fb72798ca54a

SHA512
924e7b2136b89fcf3e991031beef6c4acb79a14f8a36ddc312e3409325aa287e836cc832cd040727281d265bd978e396369cff2bcc2532aff54c4ca7ee62accd

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
bd5889d3899d3d107d129b64afca9d88

SHA1
77ea9915b9a4b30d24b4a31909a2ff49ac2e242e

SHA256
b811cc0e46ee95219f6345fb788e7639fcb76d29c855a9886f66cbbcc123c2ee

SHA512
31c60690421f54b0ac57067c31003f523f5df12d55e98cc6f5ba7b906120215e4cac7a5d7a6f996a45907289ceca1a6123826ebfaa688e18b753a8364998191e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini

Filesize
9B

MD5
6304f6cd23949a0e203abd81fc93bcfd

SHA1
260299dcdd7b9af6298e036322e7493d3598ab44

SHA256
6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8

SHA512
ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5

Download Submit
memory/1268-29-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2680-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2736-41-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2736-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download