Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/04/2024, 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe
  Resource: win10v2004-20240226-en
General
Target: b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe
Size: 43KB
MD5: ef0a29e6e6363507e4fff88083e810e9
SHA1: d36e51f9c7f55277782be73021ef1c2a2f8c05c8
SHA256: b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345
SHA512: 1ad4f878c155abff0da800ce1d837536c0237fd4f6c5db9d523592a265f277c44a6466d6616739f5ebe389ec14ff1cd6cb2b11773f42c502c1af6185c82c96c7
SSDEEP: 768:pox16GVRu1yK9fMnJG2V9dHS8/WQ3655Kv1X/qY1MSd:pM3SHuJV9NDHqaNrFd
Malware Config
Signatures
Deletes itself (1 IoC)
pid 2084, Process cmd.exe

Executes dropped EXE (2 IoCs)
pid 2956, Process Logo1_.exe
pid 2812, Process b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe

Loads dropped DLL (1 IoC)
pid 2084, Process cmd.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe, one IoC per drive letter (listed alphabetically; F: is the only letter between E: and Z: not probed):
\??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
Process for every entry: Logo1_.exe. "Opened for modification" records an open with write access, as reported by the sandbox.
File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini
File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini
File created: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini
File opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini
File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini
File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini
File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini
File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini
File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
File opened for modification: C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini
File created: C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini
File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini
File created: C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini
File created: C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini
File opened for modification: C:\Program Files\Java\jre7\bin\unpack200.exe
File opened for modification: C:\Program Files\Windows Defender\ja-JP\_desktop.ini
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini
File created: C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini
File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini
File created: C:\Program Files\Java\jre7\lib\images\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini
File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini
File opened for modification: C:\Program Files (x86)\Adobe\_desktop.ini
File created: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini
File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini
File created: C:\Program Files\Microsoft Games\_desktop.ini
File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini
File created: C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini
File created: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini
File created: C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini
File created: C:\Program Files\Windows Journal\en-US\_desktop.ini
Drops file in Windows directory (4 IoCs)
File created: C:\Windows\Logo1_.exe (Process b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe)
File opened for modification: C:\Windows\rundl132.exe (Process Logo1_.exe)
File created: C:\Windows\vDll.dll (Process Logo1_.exe)
File created: C:\Windows\rundl132.exe (Process b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid 2956, Process Logo1_.exe (10 records)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2812, Process b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Each line collapses the report's repeated records for one writer/target pair; procid_target is the target's row in the process list.
PID 2140 (b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe) wrote to memory of 2084, procid_target 28: 4 records
PID 2140 (b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe) wrote to memory of 2956, procid_target 30: 4 records
PID 2956 (Logo1_.exe) wrote to memory of 1608, procid_target 31: 4 records
PID 1608 (net.exe) wrote to memory of 2896, procid_target 33: 4 records
PID 2084 (cmd.exe) wrote to memory of 2812, procid_target 34: 7 records
PID 2956 (Logo1_.exe) wrote to memory of 1208, procid_target 21: 2 records
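The signatures above are sandbox observations, not detections a defender can run as-is. The following is an added example, not Triage's own rule logic and not code from the sample, that turns four of the observed behaviours into host-telemetry checks: a `net stop` aimed at a security-product service, `cmd.exe` launching a `.bat` from `%TEMP%` on behalf of a parent that itself runs from `%TEMP%` (the self-deletion shape), PE files created directly in `C:\Windows`, and one process spraying `_desktop.ini` across Program Files while opening existing executables there for write. The events are constructed from this report's process tree and file IoCs in a minimal Sysmon-like shape; `ProcEvent`, `FileEvent`, the keyword list and the threshold are assumptions for the example. One caveat: "opened for modification" in the report means an open with write access; a real detection should confirm a content change (hash or size) before treating an executable as tampered.

```python
import re
from collections import defaultdict, namedtuple

SAMPLE = "b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")   # Sysmon event 1 shape
FileEvent = namedtuple("FileEvent", "pid action path")          # action: created | modified

# Constructed process-creation events, taken from the report's process tree.
PROCS = [
    ProcEvent(2140, 1208, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(2084, 2140, r"C:\Windows\SysWOW64\cmd.exe", f"cmd /c {TEMP}\\$$aC929.bat"),
    ProcEvent(2956, 2140, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(1608, 2956, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2896, 1608, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# Constructed file events, a subset of the file IoCs listed in the report.
FILES = [
    FileEvent(2140, "created", r"C:\Windows\Logo1_.exe"),
    FileEvent(2140, "created", r"C:\Windows\rundl132.exe"),
    FileEvent(2956, "created", r"C:\Windows\vDll.dll"),
    FileEvent(2956, "modified", r"C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE"),
    FileEvent(2956, "modified", r"C:\Program Files\Java\jre7\bin\unpack200.exe"),
    FileEvent(2956, "modified", r"C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe"),
    FileEvent(2956, "created", r"C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini"),
    FileEvent(2956, "created", r"C:\Program Files\Microsoft Games\_desktop.ini"),
    FileEvent(2956, "created", r"C:\Program Files\Windows Journal\en-US\_desktop.ini"),
]

SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "protect", "endpoint")  # assumed list
NET_STOP_RE = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\\s"]+\.bat\b', re.IGNORECASE)
PF_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def detect_security_service_stop(procs):
    """net/net1 stop of a service whose name looks like a security product.
    Both net.exe and its net1.exe child match, so de-duplicate downstream."""
    hits = []
    for p in procs:
        m = NET_STOP_RE.search(p.cmdline)
        if m and any(w in m.group(1).lower() for w in SECURITY_WORDS):
            hits.append((p.pid, m.group(1)))
    return hits


def detect_temp_batch_launch(procs):
    """cmd.exe running a .bat out of %TEMP%, spawned by a parent that itself
    runs from %TEMP%: the shape of the self-deletion step in the report."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower().endswith("\\cmd.exe") and TEMP_BAT_RE.search(p.cmdline):
            parent = by_pid.get(p.ppid)
            if parent and "\\appdata\\local\\temp\\" in parent.image.lower():
                hits.append((p.pid, parent.pid))
    return hits


def detect_windows_root_drops(files):
    """PE files created directly in C:\\Windows, not in a subdirectory."""
    hits = []
    for f in files:
        directory, _, name = f.path.lower().rpartition("\\")
        if f.action == "created" and directory == "c:\\windows" and name.endswith((".exe", ".dll")):
            hits.append((f.pid, f.path))
    return hits


def detect_program_files_tampering(files, ini_threshold=3):
    """Per process: _desktop.ini dropped into several Program Files directories,
    or writes to executables that already exist under Program Files."""
    ini_dirs, exe_mods = defaultdict(set), defaultdict(list)
    for f in files:
        low = f.path.lower()
        if not low.startswith(PF_PREFIXES):
            continue
        directory, _, name = low.rpartition("\\")
        if f.action == "created" and name == "_desktop.ini":
            ini_dirs[f.pid].add(directory)
        elif f.action == "modified" and name.endswith(".exe"):
            exe_mods[f.pid].append(f.path)
    hits = {}
    for pid in set(ini_dirs) | set(exe_mods):
        if len(ini_dirs[pid]) >= ini_threshold or exe_mods[pid]:
            hits[pid] = {"desktop_ini_dirs": len(ini_dirs[pid]), "modified_exes": exe_mods[pid]}
    return hits


if __name__ == "__main__":
    for check in (detect_security_service_stop, detect_temp_batch_launch):
        print(check.__name__, check(PROCS))
    for check in (detect_windows_root_drops, detect_program_files_tampering):
        print(check.__name__, check(FILES))
```

Against the constructed events the service-stop check fires twice (net.exe and its net1.exe child), the batch check ties cmd.exe 2084 to its Temp-resident parent 2140, the Windows-root check returns the three dropped PE files, and the Program Files check attributes all of the `_desktop.ini` spray and the three executable writes to Logo1_.exe (PID 2956). Each check keys on a behaviour rather than on the sample's hashes, so it still fires if the dropper is repacked.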
Processes
C:\Windows\Explorer.EXE (PID 1208)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe (PID 2140)
    command line: "C:\Users\Admin\AppData\Local\Temp\b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2084)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC929.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe (PID 2812)
        command line: "C:\Users\Admin\AppData\Local\Temp\b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\Logo1_.exe (PID 2956)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 1608)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2896)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 254KB
MD5: e8d86b98e2be1b151860ffad788c98f6
SHA1: a77001e28103aa64f8d99a552c109a5e8238c3cb
SHA256: 754198155d59585c13493a5c8aff04617021d27d7a4d1eba2a424bc4d361d6fa
SHA512: c8bb8dae9af41bf3c4a7073b2274e9358af7da14a8f3cc990b2408af1ed2b0e0af6e603b78b34679a7da8e2d34b765e5a7aedd71fc78ac24e602fbe52430c074

Filesize: 474KB
MD5: b61885ba290eec9fdc6c7ce57815f7d6
SHA1: 720464eb8ae053c20f4dce6f3aa894380b211726
SHA256: 5c8129315d2bf867ce0775303c5c364412302f3e81bef4596def55237f6951da
SHA512: 593ed7479c4ce927abb960baa06d035b3550d0d6629b4fdcbeb79d7ee2ac8694a982b816b9ed86fec19de5708d889f8d32446d0cb624a327be3d45940b235d8c

Filesize: 722B
MD5: 9dc6b583942644a9684018ec128ea9de
SHA1: 8b4076619c3a7484f54a306f4632aff387da7086
SHA256: 2985465f7980f6e3769b865069349a9375356749dce5feee9b9b7a967b050284
SHA512: 1a425884faed6cf4facf8b9dd8ed7cadab5a39d44e57c29f7ccf3d6b6db1ae9548d3e07084fafc2952d1e0f01643ac67f28059e4a8be58eab80fd07126c1db4c

C:\Users\Admin\AppData\Local\Temp\b8544ba9a5413644392904c57913001d88babd969f619c3c33831bf942c2b345.exe
Filesize: 14KB
MD5: ad782ffac62e14e2269bf1379bccbaae
SHA1: 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256: 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512: a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Filesize: 29KB
MD5: 949e828fcf304b8b742f865a83728420
SHA1: e535024bef758c1bc206374283432981f39d8558
SHA256: fa8d0548528793612b7d70b0b76a5c9eaef6be1b5e537023ab80dca5d5908197
SHA512: 71ad782d1cd3a28ba2ec6818cf19c8ec19b808fe80648b6e96b9fbec19e524fc7da35b8eee44241de120df40d7986141fbafb63c54f14aa3d193d6c1437f46bf

Filesize: 9B
MD5: 7ef570b2b21e58fd906ef1a980d64425
SHA1: 18502489f652e74f8972bbfa100d5c163d719ab7
SHA256: c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055
SHA512: e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f