b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 16:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe
Size

70KB
MD5

97a9078da204e2ae7226f00d2a32881a
SHA1

835e7d40b0163431925bfb57a6100b4b146031b3
SHA256

b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f
SHA512

ad4e215765c409dcf28f8f88e6ae04fba38e4379db635c9ec541771ee7bb605cff5ed9683924fcaa53f07717fb98f9c9c6509e80db807f3cd82a047fef871b2d
SSDEEP

1536:ok/Q3SHuJV97Ry7EToa9D4ZQKbgZi1dst7x9PxQ:okokuJV8lZQKbgZi1St7xQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	Logo1_.exe
2688	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe
File created	C:\Windows\Logo1_.exe	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3004	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	28
PID 2208 wrote to memory of 3004	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	28
PID 2208 wrote to memory of 3004	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	28
PID 2208 wrote to memory of 3004	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	28
PID 2208 wrote to memory of 3000	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	30
PID 2208 wrote to memory of 3000	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	30
PID 2208 wrote to memory of 3000	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	30
PID 2208 wrote to memory of 3000	2208	b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe	30
PID 3000 wrote to memory of 2608	3000	Logo1_.exe	31
PID 3000 wrote to memory of 2608	3000	Logo1_.exe	31
PID 3000 wrote to memory of 2608	3000	Logo1_.exe	31
PID 3000 wrote to memory of 2608	3000	Logo1_.exe	31
PID 3004 wrote to memory of 2688	3004	cmd.exe	33
PID 3004 wrote to memory of 2688	3004	cmd.exe	33
PID 3004 wrote to memory of 2688	3004	cmd.exe	33
PID 3004 wrote to memory of 2688	3004	cmd.exe	33
PID 2608 wrote to memory of 3012	2608	net.exe	34
PID 2608 wrote to memory of 3012	2608	net.exe	34
PID 2608 wrote to memory of 3012	2608	net.exe	34
PID 2608 wrote to memory of 3012	2608	net.exe	34
PID 3000 wrote to memory of 1280	3000	Logo1_.exe	21
PID 3000 wrote to memory of 1280	3000	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe
  "C:\Users\Admin\AppData\Local\Temp\b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5300.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe
      "C:\Users\Admin\AppData\Local\Temp\b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe"
      4⤵
      Executes dropped EXE
      PID:2688
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
c8ee7a5fb03b99556c87fb5788a0b096

SHA1
d68ca9ecec85c35dfb0425e45e69072302e14f6f

SHA256
490b94a668345147b5ff2943e1329e552bee01d27574da352f071c1fff1a7502

SHA512
f0074f11c04bdaf94a41c5c61db5a4bca4b5314eeb367450032a97da08c490bc645bc8ebad97f9072bf319e1f599764e628e377bb9a8b63dde62abe94c548c8e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
39c5a9489ed322953eb7a6b19e76fd6e

SHA1
79cae6e0d91eb10b9f5d85eb553f2431eb80f4b2

SHA256
cc7d0e41e68d59ec4000817d4effabd46a1806fb2e1a56045d983015e79f4224

SHA512
8cf752bf542ff6ca99725f897e73457242486cb4698ae57a19966580a85be19b49775282dd3e3c67899d11e15c3ce213053220ee0a3bb6d35220405b56949004

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5300.bat

Filesize
722B

MD5
5fd26d8966c2501db16dd146b71609a3

SHA1
00f3ff7cb499de529e9d27e591cfb9075f111df8

SHA256
b9231624c509667ce9974145e609a8524eea6fd7612ba154714559e62ac86dab

SHA512
e895db94421f57b3ade43c01f7f79a2853431c756cef7364eb8fb0c30b94b42fccfff4b173b6702477c26de1a3aa832d4500f15312122d539dc48d4a03ae5686

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3acdbc34fab7b9aa4f5ebbb45955cdd0306a54d6707b454b64d26bfefe26d9f.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
4fc59450f067e882eed0f3371b96c3c5

SHA1
2bbbbad030033029bfd54da1456e5a48f28df6d5

SHA256
b3cce769ad86ccfce45e2ced7335d6c3ed21dfa29c317444048600b819f0d0c0

SHA512
705853da871668da45abd07f5fd7e87bd537d4acc91393ea0e6df7d813e2ab476f3b91456e2a0eebf459ee524d929ac0b57dbd4eaf67690f0fef789df81f5bbb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1280-29-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2208-16-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2208-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download