bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
Size

88KB
MD5

0e18bab366112f1cc14f3bd0607ce80d
SHA1

7ca6a3291287edee5f35e822a9a57ba381ecb801
SHA256

bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8
SHA512

948a48a7e5ff0d2d147c0e041b367f7abe739fb816f30063f024b67a3a0798e2b2ca72c3d139d2a548d6599e75c987688ea65daf5cd0e43b099c8a289ee2fe0e
SSDEEP

1536:p6/3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:p6/kuJVL8LK4ddJMY86ipmns6S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2908	Logo1_.exe
2804	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
File created	C:\Windows\Logo1_.exe	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe
2908	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2668	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	28
PID 1728 wrote to memory of 2668	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	28
PID 1728 wrote to memory of 2668	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	28
PID 1728 wrote to memory of 2668	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	28
PID 1728 wrote to memory of 2908	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	29
PID 1728 wrote to memory of 2908	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	29
PID 1728 wrote to memory of 2908	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	29
PID 1728 wrote to memory of 2908	1728	bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe	29
PID 2908 wrote to memory of 2584	2908	Logo1_.exe	31
PID 2908 wrote to memory of 2584	2908	Logo1_.exe	31
PID 2908 wrote to memory of 2584	2908	Logo1_.exe	31
PID 2908 wrote to memory of 2584	2908	Logo1_.exe	31
PID 2668 wrote to memory of 2804	2668	cmd.exe	33
PID 2668 wrote to memory of 2804	2668	cmd.exe	33
PID 2668 wrote to memory of 2804	2668	cmd.exe	33
PID 2668 wrote to memory of 2804	2668	cmd.exe	33
PID 2584 wrote to memory of 2656	2584	net.exe	34
PID 2584 wrote to memory of 2656	2584	net.exe	34
PID 2584 wrote to memory of 2656	2584	net.exe	34
PID 2584 wrote to memory of 2656	2584	net.exe	34
PID 2908 wrote to memory of 1172	2908	Logo1_.exe	21
PID 2908 wrote to memory of 1172	2908	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
  "C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a233A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
      "C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe"
      4⤵
      Executes dropped EXE
      PID:2804
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
18e65d907d829563c7ce11bb985b4e84

SHA1
a9c8843656dcc4627d61f5bdcc9dbc99e2bee722

SHA256
0aa7e3650145bb8761df0e61535e95ad77a3a1872ad2fd0d1c7b70749ffe60e9

SHA512
5450a6a00a9aed6f9686e73a35038606ac9b9f0a33db90dd0e5fa100a61c7efb35e05a13dc13f6ffe7070ba8e9bdfa04a1fbe6df6e060ee333548cc3c6798406

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
8beab7d90559fe385c30b08b3cc454d2

SHA1
65e627284e5c6b1a28618d976575bbade15d7160

SHA256
3662c245331ac74241676bc8de866ceadf1b77fd58bd094b05f8921c287f7995

SHA512
5c2544684b45354d204d6be7548c57a7e3b00f4042d535dfd2ac4670a99f2ca0590bcd781992178ccf83e56af38db13d646c10c166a05983ebdb050441d2d887

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a233A.bat

Filesize
722B

MD5
82fe7c50b789a1ae6cda8f1524bc3f1d

SHA1
39d0895e0a58d622ec0452bef87c12b8e8ab06f3

SHA256
484c54f02caaf81db34a3caa71a1bccefbec87d3c13534b01b83a7c91216899e

SHA512
6f55fe7e64b72bf5d85803ba38145f039d084e2cd47e30a2ca9e69e45b170a9fbf0b02110ed58931e8e97d001e40b65f46ca83b78f767de998e2c5b095b51f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
59a3b94b96eabb2e6f66bb392487225e

SHA1
32a84af834c0522cafb7d65911978a7da266ef50

SHA256
58c5cd7b74f349cc46e27f7db6fd3a1f6016d7d755f39ecba3afdefb2b9e81f2

SHA512
623d9390f1d0b0987eb611d334b61a306bc9ee0bae8536e76578d90448d85a731aadebf8f0792da54bb485819ec31b236baa5611aece214e11830e74c2545048

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
27729a3995958245e2d6799df42e26e7

SHA1
dfe386f53277c8387b50122f3fda9bc2467815ba

SHA256
9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1

SHA512
ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6

Download Submit
memory/1172-29-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1728-16-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1728-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2908-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download