59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
Size

141KB
MD5

07913768ba8671ed258c0cf4195c0a89
SHA1

f570b01892ddd594ad6a1a5327cda9397da65af1
SHA256

59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f
SHA512

4e7fc118bb8552380afd447b6260b4e8d57741e13189e27b382101c61d7e8eda8030c54152e8eab1fe7b489f34a61d5e68a18beaa33eaa9ba9f865bbc219eafd
SSDEEP

3072:EHj95SXqLhByvfc2KHj95SXqLhByvfc2v5dp9qdeQ+lUq58M:uj9N/Gfc2Uj9N/Gfc2hdp9qw3GqO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1980	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2148	Logo1_.exe
2712	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2476	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe

Loads dropped DLL 4 IoCs

pid	Process
1980	cmd.exe
1980	cmd.exe
2080	cmd.exe
2080	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
File created	C:\Windows\Logo1_.exe	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe
2148	Logo1_.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1980	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	28
PID 2928 wrote to memory of 1980	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	28
PID 2928 wrote to memory of 1980	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	28
PID 2928 wrote to memory of 1980	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	28
PID 2928 wrote to memory of 2148	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	29
PID 2928 wrote to memory of 2148	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	29
PID 2928 wrote to memory of 2148	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	29
PID 2928 wrote to memory of 2148	2928	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	29
PID 2148 wrote to memory of 2656	2148	Logo1_.exe	31
PID 2148 wrote to memory of 2656	2148	Logo1_.exe	31
PID 2148 wrote to memory of 2656	2148	Logo1_.exe	31
PID 2148 wrote to memory of 2656	2148	Logo1_.exe	31
PID 1980 wrote to memory of 2712	1980	cmd.exe	32
PID 1980 wrote to memory of 2712	1980	cmd.exe	32
PID 1980 wrote to memory of 2712	1980	cmd.exe	32
PID 1980 wrote to memory of 2712	1980	cmd.exe	32
PID 2712 wrote to memory of 2080	2712	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	34
PID 2712 wrote to memory of 2080	2712	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	34
PID 2712 wrote to memory of 2080	2712	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	34
PID 2712 wrote to memory of 2080	2712	59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe	34
PID 2656 wrote to memory of 2096	2656	net.exe	36
PID 2656 wrote to memory of 2096	2656	net.exe	36
PID 2656 wrote to memory of 2096	2656	net.exe	36
PID 2656 wrote to memory of 2096	2656	net.exe	36
PID 2080 wrote to memory of 2476	2080	cmd.exe	37
PID 2080 wrote to memory of 2476	2080	cmd.exe	37
PID 2080 wrote to memory of 2476	2080	cmd.exe	37
PID 2080 wrote to memory of 2476	2080	cmd.exe	37
PID 2148 wrote to memory of 1212	2148	Logo1_.exe	21
PID 2148 wrote to memory of 1212	2148	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
  "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE43.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
      "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEC0.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe"
        6⤵
        Executes dropped EXE
        
        PID:2476
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aE43.bat

Filesize
721B

MD5
100f2363240e1c1eb49de44ef08bbb45

SHA1
ff6d026be278ccfc8671542377ff8488d46bbb9c

SHA256
32bc8abde4f993f7c237d20af4cab093e2a454048ad09c6e36d272454b2d1984

SHA512
3dddff4b7977b97c9f551e21ea5849f79b3dd54801af18ad62c3a8c429745f222c69b6a2257ac92abc1dec37bfad97d6a4ae9efdf2686f4e02cc8249c37d725c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEC0.bat

Filesize
721B

MD5
1dfe752b23d58c30fb7dc2cfaacf81f4

SHA1
c3a7ac7c2372d1bf3672e8a7256ba06b4b212167

SHA256
c23960717d58309ab433764ab61fe036fd453183a5ae5d01c628a579878c8d17

SHA512
89de3e99fe85ae3a6ee39c4a4d4fbc371cf7284f888007c4151ddfb09725158bf07f8acac185eec6a60fa4f74be628387b34b48a45a0c17bd3dbf6d981d562bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe.exe

Filesize
97KB

MD5
9d3084010a05ce316da013e3b8f965db

SHA1
c0d1b45834945884574f9aff8925fb0aae671995

SHA256
58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280

SHA512
31eea46ee407c31f604ae3a4fe47bb1ecc333d36246b69d3e86318e879c3fa71e291948a29ebe72632ca1553daaf7db723efa78d828fbf301b2a4d11c32f282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\59b6322d43a089afdb07958cff456319ad07cb4cc17f578b610d85c173c5b01f.exe.exe

Filesize
54KB

MD5
feaa33ff0acb74b3c0d033fb65006a8b

SHA1
c75b34d4eb1e0a8f36a6de9b97e98279216ece21

SHA256
e0f2b7fabc60ab10deb15ed61103d320071e054c603133a22a77ab28a2e6625c

SHA512
3451297e342714ba0d1910db69725481bcbc9943cb62a9294d523a7ccf966a7cf51b4c3ef3dfb241708081f4f295ad8f9da2051136ea9ec0e2c03851b33af128

Download Submit
C:\Windows\Logo1_.exe

Filesize
43KB

MD5
7dcba2547018dac956fb2009071b7645

SHA1
f42360ef36dd23d1ed1233022fdc194df3b274c5

SHA256
b1c7a31f00fab9fc58df21a8b17fbfcd09787260b4b576b8c2c3f6d9c58b83a5

SHA512
1f309fd880a182e2ad09256f861d608f4ee9f63acae9c9411f3a608f915f5960eb5bdc29d0e0fe4387514d847473910386f095781d598e93b634566cfdcea47e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1212-45-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1980-25-0x0000000000190000-0x00000000001DD000-memory.dmp

Filesize
308KB

Download
memory/2148-17-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2148-126-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2476-42-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2712-36-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2712-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2928-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2928-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download