ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 21:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe
Size

5.7MB
MD5

239bd1e0a3fb91656047fbe28e25bd5f
SHA1

089fc2a3db6256493e46cb4d053a0869864ab8fc
SHA256

ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125
SHA512

ffc078d45ceda7d3cbdabc007e2716deff41778efdc3e15995cd26854cedbeece18a8faa68aaca6794ce37679a94a8a4c0cd6f75da85c1e53912c4409f36b6dc
SSDEEP

49152:VPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:RKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	Logo1_.exe
2636	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe
File created	C:\Windows\Logo1_.exe	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe
2928	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2876	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	28
PID 2084 wrote to memory of 2876	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	28
PID 2084 wrote to memory of 2876	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	28
PID 2084 wrote to memory of 2876	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	28
PID 2084 wrote to memory of 2928	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	29
PID 2084 wrote to memory of 2928	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	29
PID 2084 wrote to memory of 2928	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	29
PID 2084 wrote to memory of 2928	2084	ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe	29
PID 2928 wrote to memory of 2600	2928	Logo1_.exe	31
PID 2928 wrote to memory of 2600	2928	Logo1_.exe	31
PID 2928 wrote to memory of 2600	2928	Logo1_.exe	31
PID 2928 wrote to memory of 2600	2928	Logo1_.exe	31
PID 2600 wrote to memory of 2776	2600	net.exe	33
PID 2600 wrote to memory of 2776	2600	net.exe	33
PID 2600 wrote to memory of 2776	2600	net.exe	33
PID 2600 wrote to memory of 2776	2600	net.exe	33
PID 2928 wrote to memory of 1144	2928	Logo1_.exe	20
PID 2928 wrote to memory of 1144	2928	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe
  "C:\Users\Admin\AppData\Local\Temp\ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1371.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe
      "C:\Users\Admin\AppData\Local\Temp\ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe"
      4⤵
      Executes dropped EXE
      PID:2636
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
8b9d754f6a062a360f1eca184e4360bd

SHA1
29dff755cbcee35a9daf3b7a548b569c1126b616

SHA256
e17ac11d2dd6a2fa4d9adb98701499f6a0c7f748830c98f6d780cdf1a0af6789

SHA512
2722e3e400b4b27ef20c7a96b64d98fdc729a48b3f199ad87dbf3cef5912b58c6604a2b69f737ef211093b9c0ec99bbc7d5885a07f61a619d4492b5ffbe198ef

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e96712cc2991fab37a21ceeeee83b1f6

SHA1
e7894f4029baf5faa81584bab7d20acb0feadf5f

SHA256
fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

SHA512
fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1371.bat

Filesize
722B

MD5
7ed62da831e340821025433184a033b9

SHA1
356f92b52e0bf0cd18a045e0607aa96ae0a48aaf

SHA256
6d252c3e94b5dc3fa1c96f754d690222a75b86cd16e82b57cd97c58fba346f1f

SHA512
c8a7f842170ec45bd572a35cb39e7daba94fc990e7da2f6699628d714f5c383e38bab551538153934fd9d088e0c1bfc99706f5b539b0a73a7c3ac33be90fc16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee89c8b0363b38de075695bd849e4ead1ab1b1194f21cb15c68964f6e8f5f125.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
24743dc5d84b6ed4f72fe9d489cdc87d

SHA1
0617cf95dbb842ac82434416264c2a8e4cc2e9b0

SHA256
c1d1c76da5241e76615ed163fa7b64feca7463f70cd4f615459788da4705a73d

SHA512
e1b1f1815c661d4287dbfe2f485fbcff90c96e0cd5905a5701527b54fcd36e6cb93f49ce87369a669bc2c5753d78d0af7c889076062f53557600250bb498c25a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
f29b71f66ac42a28a8d1e12a13d61861

SHA1
bd61fbc8b6eed4cae3fa29d7b950784258be10cd

SHA256
9a5e4ff44f8f5bb21798074ea03e493911b59680e37191522562dece826da1cf

SHA512
90c31cda60a9a63e3fa78e99f1104d1a9c9f811e11b62f75063b6007ae284c8c233b5d1235defab7ae0deec3b7892c85af9319219405c44d16fa29a3215f50e0

Download Submit
memory/1144-29-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2084-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-16-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2084-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-621-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-2281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download