5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe
Size

69KB
MD5

3aaddf893fa40bbca809d2d45c2ba154
SHA1

852419da99efc77618ffd4d99222b8c6afbffef5
SHA256

5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429
SHA512

2fd3782ebca3fd61dfc5524bdaf414bc6bcffd9a94b6d765b17b19029568f032ba3be3e209f55dd4d19bf0f24160f1282e327fa57b2e9a5be4c69c18a986ece0
SSDEEP

1536:TvfgLdQAQfcfymNaAxe9fSVziGuw2p2zmhjSk+Ab/Q:TftffjmNSxSsehPgbo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2864	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	28
PID 2020 wrote to memory of 2864	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	28
PID 2020 wrote to memory of 2864	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	28
PID 2020 wrote to memory of 2864	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	28
PID 2020 wrote to memory of 2056	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	29
PID 2020 wrote to memory of 2056	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	29
PID 2020 wrote to memory of 2056	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	29
PID 2020 wrote to memory of 2056	2020	5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe	29
PID 2056 wrote to memory of 2636	2056	Logo1_.exe	30
PID 2056 wrote to memory of 2636	2056	Logo1_.exe	30
PID 2056 wrote to memory of 2636	2056	Logo1_.exe	30
PID 2056 wrote to memory of 2636	2056	Logo1_.exe	30
PID 2636 wrote to memory of 2792	2636	net.exe	33
PID 2636 wrote to memory of 2792	2636	net.exe	33
PID 2636 wrote to memory of 2792	2636	net.exe	33
PID 2636 wrote to memory of 2792	2636	net.exe	33
PID 2056 wrote to memory of 1176	2056	Logo1_.exe	21
PID 2056 wrote to memory of 1176	2056	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe
  "C:\Users\Admin\AppData\Local\Temp\5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6651.bat
    3⤵
    - Deletes itself
    PID:2864
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
e9eb46bcbd12000493ff44fdc5490d87

SHA1
a40615fd8328e12527f0da4ebaf4f3ad411cdde6

SHA256
7b29cc45e6821be2173dec5aba5c88df3ab9d6a0931e72a42e6d410edbed1eb0

SHA512
1af6ef087c2e0820749ce0b3a7ed81e4eafe81b9d9e70d1a761a69775074b5fe958df426b8114b66cf1369f03cb0d4d7dd47a904637cbc43f62331e78beb71b5

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6651.bat

Filesize
722B

MD5
311bc7daefb12e7df10cf6b3999245a0

SHA1
eeaa2ac4ae25753f9b7f136f36a3860ddc9566fe

SHA256
00b477c91e3f88d50d1b716ebc12f9181e97713935eb7645a46ffb6fad19f62b

SHA512
bded668a824012da7ed549b448b5e19eecc9eaf84cd4c69c2f72d6a39094317846ed83c33828d75ba095a1f2791f1ae0ade023a134e6ba219f18457ff24d3c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f1cfc835e681b195fba6e5ee705c48b42b49e6931c1f9c36d2364c9ba2f3429.exe.exe

Filesize
43KB

MD5
f0651d694d43f99cf398fda682b15b82

SHA1
a49048358ff50acf26324b722366c411c8df713e

SHA256
bad42564c55000a1589f0d04c0b68ab0dcb4a7087e190f738e58a6b5975eccdb

SHA512
b648321ced76f31c9ee130a34befecbc9b53751bd95d052b3fdceeb95d0318cf78f332dc561d98e29fb1aaae44ba118892203e20096150b3f546c773f108b0fb

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
572c0e09fec0692e5114e135e1c6935b

SHA1
d4ce9b35bd995fe81d4af850be15d5e330a882ac

SHA256
9a0b3ffb210335a1fbfceb3b82ab8c5d90b0e536cb263b6f568b10be32e5fadc

SHA512
05653816d9df36192b70bdef35fcb7562ad5722beed2798ae030c6f3fe304e467cbfdf753660367d485f94017c959efc5b22aff45e100034e56865e91050d79e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
7ef570b2b21e58fd906ef1a980d64425

SHA1
18502489f652e74f8972bbfa100d5c163d719ab7

SHA256
c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

SHA512
e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

Download Submit
memory/1176-28-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2020-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2020-21-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2056-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download