d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe
Size

977KB
MD5

4d5a57b4add8d1044e7fdfafbe9765ea
SHA1

71749333440c7cadd8da09a0abdb65f6f89f5010
SHA256

d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e
SHA512

a928bb79b482686d4d5826126ceec388ba1d27767e102e15c5fe15ef59b65dd8d06c3146a788556710b3c72fa3b094a0320873fdd0cca4c0b86aa268a9ddc4db
SSDEEP

12288:q7+UdvEgLJpSWyIlTxZdiyIvLGf0vItZBWuo/p+xwFMKHhB3gZKtmNBa:q7pscAK9Zdlf0vYWFMaB3gZKoNBa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2372	Logo1_.exe
2760	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe

Loads dropped DLL 1 IoCs

pid	Process
2252	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe
File created	C:\Windows\Logo1_.exe	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe
2372	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2252	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	28
PID 2232 wrote to memory of 2252	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	28
PID 2232 wrote to memory of 2252	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	28
PID 2232 wrote to memory of 2252	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	28
PID 2232 wrote to memory of 2372	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	29
PID 2232 wrote to memory of 2372	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	29
PID 2232 wrote to memory of 2372	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	29
PID 2232 wrote to memory of 2372	2232	d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe	29
PID 2372 wrote to memory of 2600	2372	Logo1_.exe	30
PID 2372 wrote to memory of 2600	2372	Logo1_.exe	30
PID 2372 wrote to memory of 2600	2372	Logo1_.exe	30
PID 2372 wrote to memory of 2600	2372	Logo1_.exe	30
PID 2600 wrote to memory of 2896	2600	net.exe	33
PID 2600 wrote to memory of 2896	2600	net.exe	33
PID 2600 wrote to memory of 2896	2600	net.exe	33
PID 2600 wrote to memory of 2896	2600	net.exe	33
PID 2252 wrote to memory of 2760	2252	cmd.exe	34
PID 2252 wrote to memory of 2760	2252	cmd.exe	34
PID 2252 wrote to memory of 2760	2252	cmd.exe	34
PID 2252 wrote to memory of 2760	2252	cmd.exe	34
PID 2372 wrote to memory of 1336	2372	Logo1_.exe	21
PID 2372 wrote to memory of 1336	2372	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe
  "C:\Users\Admin\AppData\Local\Temp\d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE14.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe
      "C:\Users\Admin\AppData\Local\Temp\d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe"
      4⤵
      Executes dropped EXE
      PID:2760
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
21KB

MD5
c01d22d2e6c20c60e7e9504e8764a65b

SHA1
bc88f0cb03d0481d957796972a05df58dfde22b1

SHA256
24bc0deb70845134f6f90bf05bc6107e594bf6cc6697a763dcb42fb7d1a3aad0

SHA512
53f4ff8aff17efe9299059c5216df4b1ce36bee2fe3bf4769440048e2bfb6718254681697e12ac1fce364dc07f6577feac8c8180afed236f3b11dd8c44b5d4b7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE14.bat

Filesize
721B

MD5
5438c9d4825dfc89d2750961587a9e08

SHA1
eddb20c6861627cc8fef796d0d5f40055ca3f0d8

SHA256
b5fb12a02f826ff63f5c5dcd6c8e070b6ad01094e9bbe75ffc1163274e31e9e5

SHA512
95d06c1535d4df8e00fe3128de3b1b9be8de151bcc54680921b19e044e358d949a0a050407d4da316679d2fc49f6f0545b9d4a5279a9e0fb3b3be78ad413a9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d882c46f4a599062f2226c7acc843f5cce6523d794400932eaec78855c94443e.exe.exe

Filesize
950KB

MD5
f11973e5b142b2f73fac09f8e21ce29a

SHA1
882557847b5b1eee286d330f957c1197f200a61f

SHA256
7cd6b97cc02d589866f0cd9f43b169f4267949503466bf79702b6dda06f5fd78

SHA512
49d1b011827f7eca37f3eb838d43e272aee14c218639cab9c15d5e7cdeeaa0c74660277d7e8c03a840ef350f49bc066bbd2600917dda83d144d9fed1b29a0ccf

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
4f100cba849d788770ac90cd66c97120

SHA1
ebb9cbf021afc23121a8c682a4a5b80240bddc37

SHA256
ae843e93ea4355adff60e584fc7186e05eaa40468b64510cc3dc501fc1db1fdd

SHA512
69f3c5f1efd10053e8debd76143a88755d5a035882b69c3bca7ebc93aa040e3ef0aede3e7691089485850dd3212abcc02b23acdc396878a6d2658419cec8a0ee

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
6304f6cd23949a0e203abd81fc93bcfd

SHA1
260299dcdd7b9af6298e036322e7493d3598ab44

SHA256
6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8

SHA512
ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5

Download Submit
memory/1336-29-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-16-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2372-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-744-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-2430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download