b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267

Analysis

max time kernel
158s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe
Size

122KB
MD5

5971748358e950a3cc34fb4833ee37ff
SHA1

9e3e5d94e9665e1569a1959ec26abbde7bc578f6
SHA256

b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267
SHA512

ac138afe765e67c7658163b96034b60c9b328c09af742342cd4709e1dbe624218dc006f54c673c27d5f4932647a5309f5b31f8e4360ff1dcdb5ee41fc67b9e1a
SSDEEP

3072:aftffjmNoxND+qcfJUadDpArEbhZOkg9dn9myx:aVfjmNm+pJXdlArqHbqdn93x

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	Logo1_.exe
2020	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe
File created	C:\Windows\Logo1_.exe	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe
2628	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2520	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	28
PID 2028 wrote to memory of 2520	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	28
PID 2028 wrote to memory of 2520	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	28
PID 2028 wrote to memory of 2520	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	28
PID 2028 wrote to memory of 2628	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	30
PID 2028 wrote to memory of 2628	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	30
PID 2028 wrote to memory of 2628	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	30
PID 2028 wrote to memory of 2628	2028	b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe	30
PID 2628 wrote to memory of 2076	2628	Logo1_.exe	31
PID 2628 wrote to memory of 2076	2628	Logo1_.exe	31
PID 2628 wrote to memory of 2076	2628	Logo1_.exe	31
PID 2628 wrote to memory of 2076	2628	Logo1_.exe	31
PID 2520 wrote to memory of 2020	2520	cmd.exe	33
PID 2520 wrote to memory of 2020	2520	cmd.exe	33
PID 2520 wrote to memory of 2020	2520	cmd.exe	33
PID 2520 wrote to memory of 2020	2520	cmd.exe	33
PID 2076 wrote to memory of 2872	2076	net.exe	34
PID 2076 wrote to memory of 2872	2076	net.exe	34
PID 2076 wrote to memory of 2872	2076	net.exe	34
PID 2076 wrote to memory of 2872	2076	net.exe	34
PID 2628 wrote to memory of 1264	2628	Logo1_.exe	21
PID 2628 wrote to memory of 1264	2628	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe
  "C:\Users\Admin\AppData\Local\Temp\b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA045.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe
      "C:\Users\Admin\AppData\Local\Temp\b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe"
      4⤵
      Executes dropped EXE
      PID:2020
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
2778ad9e6aacad2241a99e7bd018bde0

SHA1
38915e38e2825f21bfe559ef5b15382f7fc38367

SHA256
eded432af34df84f3f4709ef344d5eff7a2f8ba9ebf4a0b42d165b699cdfda59

SHA512
385a8bae26a682bc971fa4fbc77b33fd18e7756b6e4dd3d68a9c8db5a20248b08dd35eb7e4d1647a272e94d5a32ed4598dd1eaafeff3b139bd45d55ef66a8e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA045.bat

Filesize
722B

MD5
4ed210bd6ddb93b57a71c6926aef3469

SHA1
fa2d6ecec526c8a5e2c18f3e38e9c9c9179a0351

SHA256
14f0db577aa740276fd8becf0dca701281b47d021f14a25381e468684ebb7140

SHA512
8c07082a86f64468f6e2a211e85f8ccf8f4c840205b2fe604898f6363a01943da48be22d3a55a23d92a89a469fbf22bf0b9fbe8e20664052bd1839dfae62a0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8e13cf95a99252990797b70582a3f79025ae905028f2bd67dd558791d8f4267.exe.exe

Filesize
96KB

MD5
cf4e5eab6e1990aaae552f564837bda6

SHA1
1863a363ac7b66cb57cf4e9018ad17672271dfe3

SHA256
aa9edadfb3521b99b0642f10123855f1b81947af29ab549945e119202215d353

SHA512
46b251b232694c55d8b1d7bb52f3eb99a3a22a69abcceba093958a42e0ce23298b2a3ab2f90aa93fef7302cf704875e068ee2a4664bc2d53614fe44cf99cf13f

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
4877a7c5579b449f8d6849f3b1e687c5

SHA1
490e0bdd1b9f7fab574906a0bab2b049cfedec28

SHA256
2d43f63dac7f509fdf11d2f138375a594df082ddb17fddab7fb06d66bd49e93a

SHA512
714caf3c7892a31d9b0b3e37a22349c77e6d33d32ab8ed3c3bea9945b1cfbf8b92d049ff447a2cb649aa1a134b485aa2b8920598c242ff7f331d9409ec27fbc9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1264-30-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2028-21-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2028-40-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2028-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2028-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-1851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-1865-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download