cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 19:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe
Size

487KB
MD5

ad8007511bd20d7f503dfeaffbe919fd
SHA1

e31688bc97e8d158bd0da8f04b21e4dc9efd926b
SHA256

cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce
SHA512

fd8b7e31fc679756ae14d881feefa28297b3709e8b963bb6d31b8f6faab21364580ffc7c78a0764527ec3c8e05777b4db4a24ed11ff1bb1cbc9ede0d3965c306
SSDEEP

6144:ZXuJoz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:R1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	Logo1_.exe
2364	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2860	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	28
PID 2320 wrote to memory of 2860	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	28
PID 2320 wrote to memory of 2860	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	28
PID 2320 wrote to memory of 2860	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	28
PID 2320 wrote to memory of 2884	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	30
PID 2320 wrote to memory of 2884	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	30
PID 2320 wrote to memory of 2884	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	30
PID 2320 wrote to memory of 2884	2320	cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe	30
PID 2884 wrote to memory of 2608	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2608	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2608	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2608	2884	Logo1_.exe	31
PID 2860 wrote to memory of 2364	2860	cmd.exe	33
PID 2860 wrote to memory of 2364	2860	cmd.exe	33
PID 2860 wrote to memory of 2364	2860	cmd.exe	33
PID 2860 wrote to memory of 2364	2860	cmd.exe	33
PID 2608 wrote to memory of 2516	2608	net.exe	34
PID 2608 wrote to memory of 2516	2608	net.exe	34
PID 2608 wrote to memory of 2516	2608	net.exe	34
PID 2608 wrote to memory of 2516	2608	net.exe	34
PID 2884 wrote to memory of 1216	2884	Logo1_.exe	21
PID 2884 wrote to memory of 1216	2884	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe
  "C:\Users\Admin\AppData\Local\Temp\cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a928F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe
      "C:\Users\Admin\AppData\Local\Temp\cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe"
      4⤵
      Executes dropped EXE
      PID:2364
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
3a9e3f48dfa3fe9fdb994723a23d73bc

SHA1
9aecc76a820839a16913e78318d430e794319949

SHA256
6c13925b5bdd985d2e04af1933a1d76feb7192de4637de9a709564705fc9dd81

SHA512
a3651033d18e0aef67eb990d068756dafb716e5d5d1ce9608fffbce57ae29e25caf3d61f18ec241bbb28e69c89be51dd0b3ed44d5255db37b59c09f2ab65829b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
8beab7d90559fe385c30b08b3cc454d2

SHA1
65e627284e5c6b1a28618d976575bbade15d7160

SHA256
3662c245331ac74241676bc8de866ceadf1b77fd58bd094b05f8921c287f7995

SHA512
5c2544684b45354d204d6be7548c57a7e3b00f4042d535dfd2ac4670a99f2ca0590bcd781992178ccf83e56af38db13d646c10c166a05983ebdb050441d2d887

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a928F.bat

Filesize
722B

MD5
508acb5bf69ef11d1d997ebf89cb98ac

SHA1
86cc968815a17fa3b252ffceb89cd1852c4343e2

SHA256
48589e3ac321a2bc5dabaa33d1f77e91daae9df784977376cf693d32b94b9b22

SHA512
53deb99f84b5146b74c8bdf8e8d40ce0372c67485ae6375dae2b3fdcbdb3e6b355c77644770917af4b72305e30211a1dc4b4783fd5603d9800aeb0d61dc06281

Download Submit
C:\Users\Admin\AppData\Local\Temp\cee964296a3441cda07893b772b68d15d6e22f5649fa2de45a7753aca27628ce.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
72204b3896b27e0e4b58190ba1ed8195

SHA1
762d4a960b35d2c8a7f458f109291948175799b8

SHA256
34aa074b53f45173252aa8c2b82c3eda84f8dc4c447fcafc9fe580f71badddc6

SHA512
cbabd2d4bf84a4f5a167d6d31011f0fece755f3cce318ec18f3c85bedd658f22c806eeb89234515fc814e1c24a4bbf60c58a0b0931e820b22133b3d240540cb7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
54b7af1605eeb1f5569c4b61bc719660

SHA1
36ae9b4051c72b86fc5bad5d175acf9e9ed12076

SHA256
9b92406bdee720b5f88c329b99690d3721c7f917aa57c3febac6efcb7e938a2b

SHA512
83b77ba22dde00916a9be4d1e12d9ff8584c6e53c192107edca49ac6608fc82718a7d902e4143c2968e92cf53853d5b7a94f8b6d6a7c5d29c4add5ea04ae1704

Download Submit
memory/1216-30-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2320-40-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2320-20-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2320-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2320-21-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2884-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-1852-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-3312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download