05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 00:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
Size

1.8MB
MD5

f524ca8a9000faad575f8c14c85dfb09
SHA1

f68d9961e54552381246332c80483f1d3a724384
SHA256

05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0
SHA512

20d9b3ee6a2ce7e26fbfecd1749bbaa14c5a12fd23b1710bb74750706d1a30a0189f9d181a2cb11622b60399e57a90f1dbb3128ed7b6ab9021f5a4c05b8545f5
SSDEEP

49152:fgQt30B3uA8EYHCree1uksbraFShGJ0WkA5:fBt32u51HCri+ss5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1408	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	Logo1_.exe
2976	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
2432	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
File created	C:\Windows\Logo1_.exe	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe
2944	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1408	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	28
PID 1784 wrote to memory of 1408	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	28
PID 1784 wrote to memory of 1408	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	28
PID 1784 wrote to memory of 1408	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	28
PID 1784 wrote to memory of 2944	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	30
PID 1784 wrote to memory of 2944	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	30
PID 1784 wrote to memory of 2944	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	30
PID 1784 wrote to memory of 2944	1784	05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe	30
PID 2944 wrote to memory of 2692	2944	Logo1_.exe	31
PID 2944 wrote to memory of 2692	2944	Logo1_.exe	31
PID 2944 wrote to memory of 2692	2944	Logo1_.exe	31
PID 2944 wrote to memory of 2692	2944	Logo1_.exe	31
PID 2692 wrote to memory of 2648	2692	net.exe	33
PID 2692 wrote to memory of 2648	2692	net.exe	33
PID 2692 wrote to memory of 2648	2692	net.exe	33
PID 2692 wrote to memory of 2648	2692	net.exe	33
PID 2944 wrote to memory of 1248	2944	Logo1_.exe	21
PID 2944 wrote to memory of 1248	2944	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
  "C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a388E.bat
    3⤵
    - Deletes itself
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
      "C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe"
      4⤵
      Executes dropped EXE
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe
      "C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe"
      4⤵
      Executes dropped EXE
      PID:2432
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
568f17750238ab463c745953a303648a

SHA1
25e9de37d6edb52c584c442e4f93a0448b4b37d4

SHA256
5351b82387339c78b116a077f2ba633da2a6fef86a165d92bfe28c2c3770ac81

SHA512
9034bc060e8155e07009d2142830f03b29c50525232fa1719038eae4fc742d460c5dad7b7fdd6957264c338072fbe71193a23d994510dc809ae240023b9f1ed3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
82d95ff3c368229d3ecd547bfc2e95e4

SHA1
05c2c8065f243260792924168f85c614057119e8

SHA256
5fd8262ebaf159fa1ba5a2b80dad6f98477d1f549a651fc1a327f0dd207f2fdb

SHA512
27815b93d6070f7026c23ceac6210a78e694616d6a6a2012369b271e2d2ec986438f80dd3a29db4c4419b08084cb5a5914af216177669b86d8e2ae7184691699

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a388E.bat

Filesize
722B

MD5
32365b5473b0da646eb970c8a59e1154

SHA1
7fc6b606c39fb2e854b484cd743b57f680336222

SHA256
945ccbef7a293be7c1b616ddfaeaeac38e9df3c27733353dd398ecff76cfe61d

SHA512
3cff6c987d2507565d521e83123aeb436defbe442c7f2971c02755708fc58ea505bea8688ffd4e1962b09e34d71ce02ce31cf4c6767eaa90f315a31662dbf11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\05de2f954afc3a5246d5b609197ca9f49d26517980de3da147f0adebe925c5d0.exe.exe

Filesize
1.8MB

MD5
47ece88469c15cee23a088c037974dae

SHA1
1b4d355ee3d5718ce56c79f4ce70452bf4317d9a

SHA256
1a73fb874073af23280c673bbd1cd77d5cb239262a8b90dd4b3af009ca7a2b48

SHA512
a206a09499b5e337f3f9fa85c3c77c4fc4f4ebce71ac9c91a2fe2a0101a9539908d99b14bb4e809b2fb5b40b432cfd418ea87075060a798f24d5c60d417128bd

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
886eb3bf6157b45d4a041e1e32608c70

SHA1
f476a007366ac0349789b0e803ec46be523f457a

SHA256
a0e9eac517b54fe732db8bf9ceeb76c64a43e2e53bfd18b5a4ab0f8475f3873b

SHA512
6e978385b23d3054695eaf2209e92591a667ccbde747f69cb63ae28f2db3a362d136bf16afb41ceb8eb304161cc698853f9cb825a26cc683e9a693d07c190fca

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1248-65-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1408-59-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1784-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1784-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-754-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-1888-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-3348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download