ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe
Size

487KB
MD5

40fba8c81a31f2d76c8582e45a52123e
SHA1

06c7c518c0c4887aa81b4db4ca39a3c96506a74d
SHA256

ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4
SHA512

dc1191dd8967a9d03506ee1eb9cdb9f531d5c25c62ed1fa9529de31de7c92b8a86b37a9ee58231cfe5704e17c5cc7f9f51881ff2a3cfc32abd6f5682f5ff26ef
SSDEEP

6144:XUuJoz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:U1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	Logo1_.exe
2844	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2548	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	28
PID 2188 wrote to memory of 2548	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	28
PID 2188 wrote to memory of 2548	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	28
PID 2188 wrote to memory of 2548	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	28
PID 2188 wrote to memory of 2820	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	29
PID 2188 wrote to memory of 2820	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	29
PID 2188 wrote to memory of 2820	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	29
PID 2188 wrote to memory of 2820	2188	ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe	29
PID 2820 wrote to memory of 2180	2820	Logo1_.exe	30
PID 2820 wrote to memory of 2180	2820	Logo1_.exe	30
PID 2820 wrote to memory of 2180	2820	Logo1_.exe	30
PID 2820 wrote to memory of 2180	2820	Logo1_.exe	30
PID 2180 wrote to memory of 2724	2180	net.exe	33
PID 2180 wrote to memory of 2724	2180	net.exe	33
PID 2180 wrote to memory of 2724	2180	net.exe	33
PID 2180 wrote to memory of 2724	2180	net.exe	33
PID 2548 wrote to memory of 2844	2548	cmd.exe	34
PID 2548 wrote to memory of 2844	2548	cmd.exe	34
PID 2548 wrote to memory of 2844	2548	cmd.exe	34
PID 2548 wrote to memory of 2844	2548	cmd.exe	34
PID 2820 wrote to memory of 1340	2820	Logo1_.exe	21
PID 2820 wrote to memory of 1340	2820	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe
  "C:\Users\Admin\AppData\Local\Temp\ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEC0.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe
      "C:\Users\Admin\AppData\Local\Temp\ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe"
      4⤵
      Executes dropped EXE
      PID:2844
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e96712cc2991fab37a21ceeeee83b1f6

SHA1
e7894f4029baf5faa81584bab7d20acb0feadf5f

SHA256
fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

SHA512
fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEC0.bat

Filesize
721B

MD5
60c493f461180c2d92cfdfce91d1930a

SHA1
5ceddf69740558467ce63f5ac00ac954acc895bf

SHA256
0383d239f9342273915c47666ec5d30ff4e783429ae8f05a4935513711a6d3d9

SHA512
63c3fc8abb62404cfb258191d9559cf05b39bc93284dd72246aa3f0d49123c951443a3a5f77ac9e6d78ecc28e09fba9e8e2b67ae0ae84253d0f9be1a43e5e0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce76ab31a2da9203d75333f34351528ef102cabc075af94a4a88a096ee4871d4.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
abd597f85b4c46b3a4ef95ae1d8ae5a7

SHA1
8baccced6bbfc312df2e849a3ec6be673bff4eab

SHA256
b48d639e5cde89949427acf034bb6552302405c56a554159f78e174779a1115c

SHA512
8506b3d2dc36b5ae95e8a1b4290c53928bc749701ae8daa50eb0335a79d11a229ec54139f6db76edaa621e7777e2015496fde00d55cb73340a3bd5f097258e1e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
7ef570b2b21e58fd906ef1a980d64425

SHA1
18502489f652e74f8972bbfa100d5c163d719ab7

SHA256
c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055

SHA512
e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f

Download Submit
memory/1340-29-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2188-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-12-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2188-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-2496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2820-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download