4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe
Size

88KB
MD5

ca873718c40924b8dad2d2426c98d327
SHA1

735a846507a6d7e0766aa89ce1e921f2542fcec8
SHA256

4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b
SHA512

2a42d3cf9f5c5df321ed4f91d7eca46412067df8873e992959b92e22bfcdb9ac4bc34bb7c633857b8b467831bf4ea910536af2bb420d1c6f1aa88ae6088262f5
SSDEEP

1536:ptD3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:ptDkuJVL8LK4ddJMY86ipmns6S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	Logo1_.exe
2576	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe

Loads dropped DLL 1 IoCs

pid	Process
2992	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe
File created	C:\Windows\Logo1_.exe	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe
3024	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2992	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	28
PID 3048 wrote to memory of 2992	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	28
PID 3048 wrote to memory of 2992	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	28
PID 3048 wrote to memory of 2992	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	28
PID 3048 wrote to memory of 3024	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	29
PID 3048 wrote to memory of 3024	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	29
PID 3048 wrote to memory of 3024	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	29
PID 3048 wrote to memory of 3024	3048	4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe	29
PID 3024 wrote to memory of 2608	3024	Logo1_.exe	31
PID 3024 wrote to memory of 2608	3024	Logo1_.exe	31
PID 3024 wrote to memory of 2608	3024	Logo1_.exe	31
PID 3024 wrote to memory of 2608	3024	Logo1_.exe	31
PID 2992 wrote to memory of 2576	2992	cmd.exe	33
PID 2992 wrote to memory of 2576	2992	cmd.exe	33
PID 2992 wrote to memory of 2576	2992	cmd.exe	33
PID 2992 wrote to memory of 2576	2992	cmd.exe	33
PID 2608 wrote to memory of 2656	2608	net.exe	34
PID 2608 wrote to memory of 2656	2608	net.exe	34
PID 2608 wrote to memory of 2656	2608	net.exe	34
PID 2608 wrote to memory of 2656	2608	net.exe	34
PID 3024 wrote to memory of 1160	3024	Logo1_.exe	20
PID 3024 wrote to memory of 1160	3024	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe
  "C:\Users\Admin\AppData\Local\Temp\4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEA1.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe
      "C:\Users\Admin\AppData\Local\Temp\4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe"
      4⤵
      Executes dropped EXE
      PID:2576
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
acd3efdb8830b647d12d588722446be8

SHA1
cb0771cd6a4a8da78395018b7f1cfc78b749b8ea

SHA256
dcb724651943d49df290fffa5f750f598825688a6d805d29b9219a9d86c70f4c

SHA512
68d3207c376cc7983ffa57150ff9978501880e8b0e865280c60a8d9fbd8cfdf56873e4f0a1653c2911465a4fbe70699057375be077395d5a14e886f94b5135ff

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
00f29a8d359816b1921125f9f0ae8e37

SHA1
2b53bd590d1ada63ccb53d278d4faf64b33f8883

SHA256
748b9be7f6cbd72f5b86fdc1963f90876c4af7c6821f8e092474818898d386ba

SHA512
c4d06d41831511fb028ae0bb1196ff0f4bb40df7a2f67fb0b72a03367f7788b091cb6f3b4a807f45aae7a6d994c71a4f56b3e8acae62b7ae2b2ad38085827dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEA1.bat

Filesize
721B

MD5
837defcbd4891c49078469a87853cffd

SHA1
8a2f0f816d06f6f1a1a523c569beec0086a6918f

SHA256
bd8763ea23e289c801cf675f5044ef12676e1165892ad86d0d1f34651da8c5ec

SHA512
694bfaae9200a11135b96a9db3b09d7857485d5e6709262d8d7cec23295a8b10ff7f48bbc3cba8e68e96520340fcd656e2de154e61125c595224c99330145950

Download Submit
C:\Users\Admin\AppData\Local\Temp\4503e01489b3052532b7de4845cf9950b7fb7300d7c59369fa4b92f20551281b.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b66e0ea105de456f0d8801304fd4720a

SHA1
b789094d238484b6179a831b302945ba41282535

SHA256
29392376b2fa0ae7ff030d5f3db1933421ac7e401da5aaa8b789ad0d97f30274

SHA512
cf1c156f525ab87cf4b9f84bddb90e59b7e0bac85f62b801415dfcca370b1cf7f757dcb917de870ccab19800b3320b929e717ba504eecc42cd6a40a5669786d4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1160-29-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3024-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-607-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-1928-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-16-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download