44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe
Size

66KB
MD5

d05e9203df52805cad1065adfe29e817
SHA1

858947a2beed787ef0aa9e72a5cdfefbb0692093
SHA256

44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128
SHA512

45ba07be692dcffabac249d6a36c518b024bfa06a34b36013f8fab1c9c3438ab50d15020c3490215762be369ba3778cbed8e650362dc3a8fed9ee1c8d15f791c
SSDEEP

768:pBA16GVRu1yK9fMnJG2V9dHS8HNic1iTEpgSG9TJVQBWZrvW5TNDWfKgUkKtzYiP:pA3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	Logo1_.exe
1280	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe

Loads dropped DLL 1 IoCs

pid	Process
1540	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe
File created	C:\Windows\Logo1_.exe	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe
2736	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1540	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	28
PID 1200 wrote to memory of 1540	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	28
PID 1200 wrote to memory of 1540	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	28
PID 1200 wrote to memory of 1540	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	28
PID 1200 wrote to memory of 2736	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	30
PID 1200 wrote to memory of 2736	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	30
PID 1200 wrote to memory of 2736	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	30
PID 1200 wrote to memory of 2736	1200	44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe	30
PID 2736 wrote to memory of 2648	2736	Logo1_.exe	31
PID 2736 wrote to memory of 2648	2736	Logo1_.exe	31
PID 2736 wrote to memory of 2648	2736	Logo1_.exe	31
PID 2736 wrote to memory of 2648	2736	Logo1_.exe	31
PID 2648 wrote to memory of 2584	2648	net.exe	33
PID 2648 wrote to memory of 2584	2648	net.exe	33
PID 2648 wrote to memory of 2584	2648	net.exe	33
PID 2648 wrote to memory of 2584	2648	net.exe	33
PID 1540 wrote to memory of 1280	1540	cmd.exe	34
PID 1540 wrote to memory of 1280	1540	cmd.exe	34
PID 1540 wrote to memory of 1280	1540	cmd.exe	34
PID 1540 wrote to memory of 1280	1540	cmd.exe	34
PID 2736 wrote to memory of 1208	2736	Logo1_.exe	21
PID 2736 wrote to memory of 1208	2736	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe
  "C:\Users\Admin\AppData\Local\Temp\44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a13EE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe
      "C:\Users\Admin\AppData\Local\Temp\44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe"
      4⤵
      Executes dropped EXE
      PID:1280
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
746f8de78fb0f5b6cb4c9295bafb8aec

SHA1
f1b846705268d9d76a965c13093dee9d840b990e

SHA256
b0550e768b9025ce493d883e0573fad951cee10d233374c8ccd3bc67b8566e16

SHA512
f8ebff12cab27c01271a8239306a106b205255a3f0cbc2165220e5de50bc2793b4df0b2180c5f195128e3e5d8c8432b224d0cd992e56b7c16074bfd44f3bc00d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a13EE.bat

Filesize
722B

MD5
4f8b391f0bfa0e9d85627e4b6945b214

SHA1
4bc9c28ed42da08548e26382c9e83113e8109f4b

SHA256
e2c657fb59f0b628dd8e2e2ed64d67c0526cd7a3846e8f023d1e95636914d7ab

SHA512
48c7607d2be7a906badb5a8500c620c3a3730ef32a79f8a2176a870ee31523518c64bc51cc3f0e3a11af8b8d82a610b419b993a76a9b37c93379f605a66047f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\44b16d1d5963e42afd4f785fee10a36b222158b80cbe2dcafe8cef6c7d6c7128.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b5500add829762ff2dc7a543ea060ae3

SHA1
8d8a330081665b1c07b2caf8194c4d833ada1b2e

SHA256
e768fe66128b25403b91b91c0de524286cc487ab6195ecef7420126b7905cda8

SHA512
97026e69e5f159559c1e22f8896a630d1ca469a6b13d65a75acff76354117ead4c518b6174a2aee3d1c4636d63e0ed23b01343879ffb01724dc5c075c1517c4f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1200-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1200-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1200-20-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1208-29-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/2736-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-1027-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-3229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download