16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 21:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe
Size

162KB
MD5

5b27e0ef1bb13c090df14c54d6c9c197
SHA1

494cad13241405ecf50dd461c6d39135a035100e
SHA256

16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20
SHA512

bb1f1deedbdf5be6db8b888002845aa2e18ffdfc9b7edef185c20f8ea7eb8e98a96f1a2406e51c2d6ce2099394dcc4a3640b967f0f6822e989dba128f0073b64
SSDEEP

3072:0ftffjmNoxw1MbQ3whUqS2w/3zJFCj+YC7BIKL7fR0ShMZq92sss9Z1w5pGj:MVfjmNB1Mlh4/3zJIq/N3XJhKsp9Z7j

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	Logo1_.exe
2696	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe

Loads dropped DLL 1 IoCs

pid	Process
2948	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe
File created	C:\Windows\Logo1_.exe	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe
1956	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2948	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	28
PID 2296 wrote to memory of 2948	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	28
PID 2296 wrote to memory of 2948	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	28
PID 2296 wrote to memory of 2948	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	28
PID 2296 wrote to memory of 1956	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	29
PID 2296 wrote to memory of 1956	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	29
PID 2296 wrote to memory of 1956	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	29
PID 2296 wrote to memory of 1956	2296	16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe	29
PID 1956 wrote to memory of 2580	1956	Logo1_.exe	30
PID 1956 wrote to memory of 2580	1956	Logo1_.exe	30
PID 1956 wrote to memory of 2580	1956	Logo1_.exe	30
PID 1956 wrote to memory of 2580	1956	Logo1_.exe	30
PID 2580 wrote to memory of 2600	2580	net.exe	33
PID 2580 wrote to memory of 2600	2580	net.exe	33
PID 2580 wrote to memory of 2600	2580	net.exe	33
PID 2580 wrote to memory of 2600	2580	net.exe	33
PID 2948 wrote to memory of 2696	2948	cmd.exe	34
PID 2948 wrote to memory of 2696	2948	cmd.exe	34
PID 2948 wrote to memory of 2696	2948	cmd.exe	34
PID 2948 wrote to memory of 2696	2948	cmd.exe	34
PID 1956 wrote to memory of 1256	1956	Logo1_.exe	21
PID 1956 wrote to memory of 1256	1956	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe
  "C:\Users\Admin\AppData\Local\Temp\16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2156.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe
      "C:\Users\Admin\AppData\Local\Temp\16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe"
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
93c7884ef62a600743bf637cc4fcf09e

SHA1
75553d123ec77fa7d3f91d7d1ac24473f2b50193

SHA256
e8b63fe2640fee8691ea34607cf46d6a2b0f6331efa9d7b946b932349350df73

SHA512
5abf22a06e7263264272746ec917745acdb06424945b89ec560491cc00d3dbedc23f7416441558f84f269c7340ef46b132ccfbf88d1ca85aa4b2e7ff92cb653a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2156.bat

Filesize
722B

MD5
1d6c6ec649fd6802f284027ff37a6365

SHA1
4218764be1885ff660e6b847db6a1acaaccf8df3

SHA256
d0f32db821800eeefb72828294da933cae5c48c76adce524803ec003a007ace1

SHA512
4cff49f5c5f7b48f701325fe504605ae73d28f67ecc494e2439410418c798e4e8a7b8ad9cd7d4795ced67f4e4823b0e390616142926c4f72bd09a41ecb5da261

Download Submit
C:\Users\Admin\AppData\Local\Temp\16f5432e008aa63645c1f3c316502873937aa9ea92eb37df182df21f51796b20.exe.exe

Filesize
136KB

MD5
df30ded8ea1da63fafed6c01b8bab4de

SHA1
23efe02590c795fd01f9e35058a769689a54f908

SHA256
d79e180fcfc2ba8e34f0b62a61d4ffe7a19ff95a0b6bf28a3400e716973c9c93

SHA512
475b08f22ddef00321768d286a95bf61fdda8ae2589bef4bbe0a836a4d00069825dacc7eb98a22c1eac53a3e602c73fc1198566f90db291c7912d2624dce77f0

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
99bdef518bf76bb3f924f8cc7d642d9f

SHA1
01e96d6e05fc1385999a35b943b5b0ab12983294

SHA256
24e98d9749b84150f0824850a4b8e5efb17dd208083008b224e3d42541ddab7b

SHA512
3ae78e16eabfdab12865165674c8db9c3e332d1d0f73952b5de9ee51eac7bb0077439d420598efcc554cc5a29ea9346eb678f9dc6e57a184043c5d0d934a6718

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1256-29-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1956-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-701-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-2266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2296-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download