5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe
Size

4.9MB
MD5

f901967a06ab5123fc87e606be0b1616
SHA1

894cc947c7b32e20c6ffaeb6fb8ef7c4a923bf44
SHA256

5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396
SHA512

0981a2fa6cdbb7b0e35a6a7376cea6b059c0b431e49bea61565d4a27c56689b78194b7a22211b84547543ef2ddb0267229759f34c0a23ac39db39a940e003312
SSDEEP

49152:aEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Nn9tJEUxDG0BYYrLA50IHLGff:QAI5pAdVrn9tbnR1VgBVmt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	Logo1_.exe
2156	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe

Loads dropped DLL 1 IoCs

pid	Process
2272	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe
File created	C:\Windows\Logo1_.exe	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2272	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	28
PID 1808 wrote to memory of 2272	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	28
PID 1808 wrote to memory of 2272	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	28
PID 1808 wrote to memory of 2272	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	28
PID 1808 wrote to memory of 2924	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	29
PID 1808 wrote to memory of 2924	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	29
PID 1808 wrote to memory of 2924	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	29
PID 1808 wrote to memory of 2924	1808	5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe	29
PID 2924 wrote to memory of 2544	2924	Logo1_.exe	30
PID 2924 wrote to memory of 2544	2924	Logo1_.exe	30
PID 2924 wrote to memory of 2544	2924	Logo1_.exe	30
PID 2924 wrote to memory of 2544	2924	Logo1_.exe	30
PID 2544 wrote to memory of 2560	2544	net.exe	33
PID 2544 wrote to memory of 2560	2544	net.exe	33
PID 2544 wrote to memory of 2560	2544	net.exe	33
PID 2544 wrote to memory of 2560	2544	net.exe	33
PID 2272 wrote to memory of 2156	2272	cmd.exe	34
PID 2272 wrote to memory of 2156	2272	cmd.exe	34
PID 2272 wrote to memory of 2156	2272	cmd.exe	34
PID 2272 wrote to memory of 2156	2272	cmd.exe	34
PID 2924 wrote to memory of 1212	2924	Logo1_.exe	21
PID 2924 wrote to memory of 1212	2924	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe
  "C:\Users\Admin\AppData\Local\Temp\5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a163F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe
      "C:\Users\Admin\AppData\Local\Temp\5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe"
      4⤵
      Executes dropped EXE
      PID:2156
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
da3a4d0479cb34cd1dbd864b9fe7afa8

SHA1
c819c28d044275ad62ee2bbf9cad9cdcf13ae537

SHA256
402ca106b4801356a8a0c2ba9abcf8a323b3193c68c82066cbdf50ce6c71be4d

SHA512
a0dae98bf119c57fb548475f3a7d52e68f952876f0420bb2fabda483565c7fe8e24368eb7a458932b207f66fdafc3e0f65599ae9dcb9a7b4756cc7558682b18c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e96712cc2991fab37a21ceeeee83b1f6

SHA1
e7894f4029baf5faa81584bab7d20acb0feadf5f

SHA256
fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

SHA512
fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a163F.bat

Filesize
722B

MD5
c42d09977ff19753ac95bbb4d518a075

SHA1
6e314d6bdbb20d6f5c20c836742bf8d62bbd443b

SHA256
6a7cf085d0325eb37253522e50f9d1380a4faa75fc2e0217800e9075c10cfccd

SHA512
1b65a2aa1f440e4e0e8692b576288570ac0cd6eab7cb8063459c03df32f276c0616dd56d7e36f8ca3dd955643861d8a3578cb9156884285f9480fb1515534e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b80c730ab1b5c846be147f226a97299f0fa5898d01bf6453d054e425b285396.exe.exe

Filesize
4.9MB

MD5
9fa020939f15510299bcf126720347c9

SHA1
eb090970a121d687187749e50a7c8aca165d3f5d

SHA256
9273866a2c65472475e94c9e35f30d46111f8f3312ad809cde88aa3719cfe72c

SHA512
2956d69394c113a0594c6a5452fd035e82f17a4d4382ed639192c7b12453a60e41e3ebe2b1e0df9787ca2e377376c10abd6968ca40132711fcd40b9b731117bd

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
9bcc3e645527978b32c6d1984175f69d

SHA1
d9dce23336396ddbfb4e54c207d755e9b8104b92

SHA256
3b15b041a301264dac387cd799e223d8d55f3652573aa7048a7bf4c01b5308e1

SHA512
a88275729c3768ca2ee9a9373bc5c97f1e70c5488de73ce1c46d5589978180608d44d87fa9e142b5f977d543cdd4130fb4fad1a4088bd65c39d448af1dbb5c6b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
c1decdd7d6df1d9437bb5f2bc5fe1486

SHA1
d71402dc8d37a148651cb5017219322267c7b922

SHA256
bd6d31806e5ebc86100e3c7ed2cf5348757149082d775fa986d41e8554ce8089

SHA512
ebbaed70f5d858508011ec3f251e16aa09c861b3d6dcc62ed28f293b37dfda2434b0e36f898bc62fca3107ee6356c77e5662a76085f191a63913013837cc0f07

Download Submit
memory/1212-29-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1808-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-16-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2924-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-727-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-2264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download