Analysis

Max time kernel: 141s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 20/04/2024, 22:21

Static task: static1

Behavioral task: behavioral1
  Sample: 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
  Resource: win10v2004-20240226-en
General

Target: 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
Size: 97KB
MD5: 9d3084010a05ce316da013e3b8f965db
SHA1: c0d1b45834945884574f9aff8925fb0aae671995
SHA256: 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280
SHA512: 31eea46ee407c31f604ae3a4fe47bb1ecc333d36246b69d3e86318e879c3fa71e291948a29ebe72632ca1553daaf7db723efa78d828fbf301b2a4d11c32f282d
SSDEEP: 3072:EHj95SXqLhByvfc2v5dp9qdeQ+lUq58M:uj9N/Gfc2hdp9qw3GqO
Malware Config
Signatures
Deletes itself (1 IoC)
  pid | Process
  784 | cmd.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2504 | Logo1_.exe
  2272 | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  784 | cmd.exe
  784 | cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Internet Explorer\de-DE\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Internet Explorer\en-US\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Internet Explorer\ja-JP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Internet Explorer\images\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Google\Chrome\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Internet Explorer\en-US\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\fr-FR\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\it-IT\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Internet Explorer\fr-FR\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\de-DE\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Internet Explorer\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Internet Explorer\images\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
  File created | C:\Windows\Logo1_.exe | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2648 | 2504       | WerFault.exe | 30

Runs net.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid  | Process
  2140 | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe (9 identical entries)
  2504 | Logo1_.exe (22 identical entries)

Suspicious use of WriteProcessMemory (26 IoCs)
  description                      | pid  | Process | procid_target
  PID 2140 wrote to memory of 784  | 2140 | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe | 28 (4 identical entries)
  PID 2140 wrote to memory of 2504 | 2140 | 58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe | 30 (4 identical entries)
  PID 2504 wrote to memory of 284  | 2504 | Logo1_.exe | 31 (4 identical entries)
  PID 784 wrote to memory of 2272  | 784  | cmd.exe    | 33 (4 identical entries)
  PID 284 wrote to memory of 2800  | 284  | net.exe    | 34 (4 identical entries)
  PID 2504 wrote to memory of 1208 | 2504 | Logo1_.exe | 21 (2 identical entries)
  PID 2504 wrote to memory of 2648 | 2504 | Logo1_.exe | 37 (4 identical entries)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1208

  [2] C:\Users\Admin\AppData\Local\Temp\58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2140

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD134.bat
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 784

      [4] C:\Users\Admin\AppData\Local\Temp\58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe"
          - Executes dropped EXE
          PID: 2272

    [3] C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2504

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
          PID: 284

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 2800

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 596
          - Program crash
          PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 722B
MD5: 4ecc768591696bf3477291962e7d16f4
SHA1: f4af61991e295787d567d62f77336f13dc0494b6
SHA256: 200a5ba2282bcf350496dc8178e0cbd959c4f3c8a630eb5d80769245c9630f14
SHA512: 2d8655e9d77d9a6d6d08f5772f7bfeeb082a7335c77e1e87dda2082e6c72aebdbb775720a620949bc8786b0281e3e76a27550f3d389635f78cc896385342f655

C:\Users\Admin\AppData\Local\Temp\58cce921dbf2e5d35b82bf30e0cb6d7ef2571b8d51365756d8f770ad5225b280.exe.exe
Filesize: 54KB
MD5: feaa33ff0acb74b3c0d033fb65006a8b
SHA1: c75b34d4eb1e0a8f36a6de9b97e98279216ece21
SHA256: e0f2b7fabc60ab10deb15ed61103d320071e054c603133a22a77ab28a2e6625c
SHA512: 3451297e342714ba0d1910db69725481bcbc9943cb62a9294d523a7ccf966a7cf51b4c3ef3dfb241708081f4f295ad8f9da2051136ea9ec0e2c03851b33af128

Filesize: 43KB
MD5: 7dcba2547018dac956fb2009071b7645
SHA1: f42360ef36dd23d1ed1233022fdc194df3b274c5
SHA256: b1c7a31f00fab9fc58df21a8b17fbfcd09787260b4b576b8c2c3f6d9c58b83a5
SHA512: 1f309fd880a182e2ad09256f861d608f4ee9f63acae9c9411f3a608f915f5960eb5bdc29d0e0fe4387514d847473910386f095781d598e93b634566cfdcea47e

Filesize: 9B
MD5: 27729a3995958245e2d6799df42e26e7
SHA1: dfe386f53277c8387b50122f3fda9bc2467815ba
SHA256: 9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1
SHA512: ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6