cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe
Size

5.7MB
MD5

4fbfb8e5adf1ce3d692b211d586684d5
SHA1

b0a72bd7e8c2b1d3d3d3d4b8cad05eca85954db5
SHA256

cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca
SHA512

509816168390c54f944dfca42baa74a7128f53c56dd7448912f9be19abbd3d595c53bebfa1dcd4162bf8c2bd6c3b9c30c55e93eb85d0c07ebeb0c77c0a14b151
SSDEEP

49152:nPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:fKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	Logo1_.exe
2700	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe
File created	C:\Windows\Logo1_.exe	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2780	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	28
PID 2216 wrote to memory of 2780	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	28
PID 2216 wrote to memory of 2780	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	28
PID 2216 wrote to memory of 2780	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	28
PID 2216 wrote to memory of 3048	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	30
PID 2216 wrote to memory of 3048	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	30
PID 2216 wrote to memory of 3048	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	30
PID 2216 wrote to memory of 3048	2216	cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe	30
PID 3048 wrote to memory of 2116	3048	Logo1_.exe	31
PID 3048 wrote to memory of 2116	3048	Logo1_.exe	31
PID 3048 wrote to memory of 2116	3048	Logo1_.exe	31
PID 3048 wrote to memory of 2116	3048	Logo1_.exe	31
PID 2116 wrote to memory of 2620	2116	net.exe	34
PID 2116 wrote to memory of 2620	2116	net.exe	34
PID 2116 wrote to memory of 2620	2116	net.exe	34
PID 2116 wrote to memory of 2620	2116	net.exe	34
PID 3048 wrote to memory of 1340	3048	Logo1_.exe	21
PID 3048 wrote to memory of 1340	3048	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF6C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe
      "C:\Users\Admin\AppData\Local\Temp\cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe"
      4⤵
      Executes dropped EXE
      PID:2700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
fa083a8d2b6cb85c0085b8a9549c73ad

SHA1
ef1433b6454981b42881caad54e7448519dd272a

SHA256
ee7c084daf1a9ce345d913c436df6cf776a41df819dee31324c7158322d85325

SHA512
65da9dafac1cef3bde73ff70feb67f630da712d467f108717e357427edfdf8ee0bef452523e2a80ad2d00db2770d9e596a0117a50279959d329885ff4a40ca2d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
deef5629f996ce278bce0b117b005d4a

SHA1
aff56f382688eafef359eeb69124ae4210681805

SHA256
eb89044a80660f8218d13a1da59accca1b4cb41048fc68358c728a2374960966

SHA512
b9a3f8255887c756c1d78988b73ecdf08dd6b22fc52b3bb2bf92c5d73d5e3d1dd97d704be0e23daf2593606ef799568f6f1ce14a97abae66f243f35c6b3659ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF6C.bat

Filesize
721B

MD5
eaa36758da7588e0cfd7275779b0b165

SHA1
7776798a248a9b80a66269234a2070daaa7badc3

SHA256
5897d06daee3569d1f318d056ac56a59605dc1f07dc13c8cd887d9278b584ab9

SHA512
49de1d3033f98ae1b211e6a96ff1c8c25f0d420aaf4f7cbe7613956c85bdb0bdc3711675d895352984b69c03bf39d7cd5cf059e4962f24ad7f65bf228253f5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacb5c40115d587333c6966a9a769bea0d6cf3ed0fe77292b4377724f337a2ca.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
485cb5b83f27dbc59c722daa3caf858f

SHA1
faa7c3517969995a34897cc79236f85f2c01d59f

SHA256
6cc84f9f66a5928707b42d4e08e9eb603fef6a85e9308f9320f63003cf145f4b

SHA512
22a37e3368109cb6565d64070360fecf481bc71afd52a2b9a35cad42d33e35cea763795628cfa0fd7146b206e846a272200f91938705ee87b7bafde524082ecf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
95b3e5fe04e8423c49a7f69a5d13771f

SHA1
615b63fb8bf07dbb0565ffd492067309645064c9

SHA256
1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

SHA512
d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

Download Submit
memory/1340-29-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2216-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-17-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/3048-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-934-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-2992-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download