c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe
Size

394KB
MD5

d7f6e30036dff3820b2e3f4b161dd672
SHA1

b0da76f73f8f94e984553f12d9411b9a6e006f5e
SHA256

c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec
SHA512

ae26610f04d8ace1599e13849d16e115609f254cb69169d507285191682e76f858e205ae231f3f6622f16ffe15d66f54b5c9398006134c91920cf4ee23638d7d
SSDEEP

6144:6VfgP5jbD9aZHQ/UX80fCbByZfDWln2OQvsTFQgG4gXbPwpjEf2xll:0YFDEZHQ/iC9yZfCl2OQj4grPwVemD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2592	Logo1_.exe
2624	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe
File created	C:\Windows\Logo1_.exe	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe
2592	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2496	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	28
PID 1812 wrote to memory of 2496	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	28
PID 1812 wrote to memory of 2496	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	28
PID 1812 wrote to memory of 2496	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	28
PID 1812 wrote to memory of 2592	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	29
PID 1812 wrote to memory of 2592	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	29
PID 1812 wrote to memory of 2592	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	29
PID 1812 wrote to memory of 2592	1812	c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe	29
PID 2592 wrote to memory of 2524	2592	Logo1_.exe	31
PID 2592 wrote to memory of 2524	2592	Logo1_.exe	31
PID 2592 wrote to memory of 2524	2592	Logo1_.exe	31
PID 2592 wrote to memory of 2524	2592	Logo1_.exe	31
PID 2524 wrote to memory of 2840	2524	net.exe	33
PID 2524 wrote to memory of 2840	2524	net.exe	33
PID 2524 wrote to memory of 2840	2524	net.exe	33
PID 2524 wrote to memory of 2840	2524	net.exe	33
PID 2496 wrote to memory of 2624	2496	cmd.exe	34
PID 2496 wrote to memory of 2624	2496	cmd.exe	34
PID 2496 wrote to memory of 2624	2496	cmd.exe	34
PID 2496 wrote to memory of 2624	2496	cmd.exe	34
PID 2592 wrote to memory of 1212	2592	Logo1_.exe	21
PID 2592 wrote to memory of 1212	2592	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe
  "C:\Users\Admin\AppData\Local\Temp\c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2961.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe
      "C:\Users\Admin\AppData\Local\Temp\c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe"
      4⤵
      Executes dropped EXE
      PID:2624
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
5f1c30ed47c280f0b9412c90191e969c

SHA1
5763ae883d38e04bf2bd539c383c0884f32e703a

SHA256
25bf4f212b602d8cfd52e1e592b5ba80eea0c328d837b52b253474797a451aa0

SHA512
46829e258964d3c01638787cba96f70a3140303d55b65f782cde74f07b0f24c3115c124b43a09f80d42aa22407906ff20c7e0cf0042e7dc27d8e0ab06f2e657e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
1a0dbecba0dbb963c2f3b0448796d47a

SHA1
5c0b5d378d3614fe984ce2915b5720886992da0c

SHA256
1ea2fb84177a921bc3df4763c3da53a970e192f93f6175d09696ded019e50cf8

SHA512
8e25dc08fa6f280a6bc1ccacb1ce665ab055b5d539f8915915fc7536c90185a221cb0c50a02d34b521b871b8487a155b9c40a5f25df87306e1df24ca7e96da25

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2961.bat

Filesize
722B

MD5
395c81e883e3e227fb80820b479c3390

SHA1
8c1d5b0fe54652b6b56a99515d0ed189d0f7096d

SHA256
a3baffab167b26a21fc79a8f68cd28a5b7034a9cf239e5d17ae2f8e5446b5d3e

SHA512
0bb52a8fee7e2f1eaff858baa8a04a2b883bcb99345eacd6c98f934e2053ef012c9a8e43bb4cbc8c1166fd26827a3ba51c52bc5646dbcc76a00f77534991f01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c253a333619d3cfb852f0419e735e17b9304a06d1d78668444bfaaaed0cbffec.exe.exe

Filesize
368KB

MD5
16a2397c1d385c4206d235c63682f301

SHA1
d1af8b67528255200d121fd5799c268426a9f49a

SHA256
0a6682d79ff46707aa7af08dc3ef3b4c0fcba87a9cba58f2a40a7168d06cdb0b

SHA512
5d4b8f910c6c970084d7106ab8a90458dd6443dcabb6485061c20ad0855a4057412ba35b02c1dd7bed7a6c6bdd8e4b3aae973645e251541e2f19ed9cbc7436a1

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
d1cbbe6133781e0c466ae32dfdcea838

SHA1
347f994867a11faa71a4080c7692ab63b050a514

SHA256
756713d19eb43d8478dcc4bc7746c2a7ed75bb7e4b2c77b004e8fc0ba7dab8f4

SHA512
cf18ebdb41634480afdefdc283d863ee248a7252d9ae6993f31a8b480a5a3f0efb4c0d4c7f9167f391ef443dad9ec0ef83f11ab74bc2336b25dd8c677fbe99df

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
9d515d16952bdb1cf51672ad091046bc

SHA1
5fe954c6d41499122182eb48cf6f9d203b9eae7c

SHA256
12ddf5d72be26a3f4fb46d905661e24bf30948454c9701f20e50436a238a25db

SHA512
d0f7522406355a837e55f5a99b6969ed4b0ccbc2e427b83a917eedffc37899b139c2b33ea73a90469a6045b3b71848bf97641528644a4a3f55d666223fa31d4b

Download Submit
memory/1212-30-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1812-16-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1812-42-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/1812-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-825-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-1861-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-2452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-3323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-33-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download