575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe
Size

1.9MB
MD5

f35a9284fa9d4f9c17b2f07f084d12e1
SHA1

4575a15e2ac462188fd0363d497e9b1490b43695
SHA256

575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc
SHA512

93a8971f2fc2213f88e694fb8c52b192c3a3ffe4c47915bfbc7c664b98048f401f47095c0d9196b6944426789c6d772ec93d89ed903d07df2cf7070ff896f063
SSDEEP

49152:S7S40cscbgsmEHafDgPvII13CMPzsP2q7F5kS:aPzsP2DS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	Logo1_.exe
2100	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe
File created	C:\Windows\Logo1_.exe	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe
2332	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1936	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	28
PID 1520 wrote to memory of 1936	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	28
PID 1520 wrote to memory of 1936	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	28
PID 1520 wrote to memory of 1936	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	28
PID 1520 wrote to memory of 2332	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	29
PID 1520 wrote to memory of 2332	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	29
PID 1520 wrote to memory of 2332	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	29
PID 1520 wrote to memory of 2332	1520	575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe	29
PID 2332 wrote to memory of 3068	2332	Logo1_.exe	30
PID 2332 wrote to memory of 3068	2332	Logo1_.exe	30
PID 2332 wrote to memory of 3068	2332	Logo1_.exe	30
PID 2332 wrote to memory of 3068	2332	Logo1_.exe	30
PID 3068 wrote to memory of 2568	3068	net.exe	33
PID 3068 wrote to memory of 2568	3068	net.exe	33
PID 3068 wrote to memory of 2568	3068	net.exe	33
PID 3068 wrote to memory of 2568	3068	net.exe	33
PID 1936 wrote to memory of 2100	1936	cmd.exe	34
PID 1936 wrote to memory of 2100	1936	cmd.exe	34
PID 1936 wrote to memory of 2100	1936	cmd.exe	34
PID 1936 wrote to memory of 2100	1936	cmd.exe	34
PID 2332 wrote to memory of 1284	2332	Logo1_.exe	21
PID 2332 wrote to memory of 1284	2332	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe
  "C:\Users\Admin\AppData\Local\Temp\575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2481.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe
      "C:\Users\Admin\AppData\Local\Temp\575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe"
      4⤵
      Executes dropped EXE
      PID:2100
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
585299d6e0c75f1d3a3a6e2996e6acf4

SHA1
f1c15b113e03eb44a81da2cd56f4c3d9f5bbc215

SHA256
dace6ccccaad68170a6150c96034951787e5eeef6709db34d85b8dd0f2c528e5

SHA512
991142dae0257e069454c2d41616e6e6c1252be960ea63884c4c92770b67ee1434d7091a705076230c675d4dc42a815cece1662bdd00d1c06d4cdf677c3c20d5

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2481.bat

Filesize
722B

MD5
bd411130af266c965cbfa258a1588df9

SHA1
d32fce9f9b2770dfd4c865002ea00fd6fd80cdac

SHA256
649b41f27775484d203c1d5a9df030c0eb973572c8e756f0a7a7c57ca01c426a

SHA512
ffc92d3ea0802b3e8d3ff152a41c6d9328b45d8f41a402db2085b4d5a3be0740ad773f24af99ad34d7beb9b83b712b006692dcaefe7d835b051dc155d3a30265

Download Submit
C:\Users\Admin\AppData\Local\Temp\575e12db9e94adcc737d89e8f76c625d8aa7fbf236f850bbc45847588086a9dc.exe.exe

Filesize
1.9MB

MD5
52176ef102c39d6912a5256535cf629b

SHA1
2cf33b2512df78ac047f0d117c6952478c4b057c

SHA256
4750d81cae87f8e9a6e4daa76bfef5772d8c8b99de45396491ebafada78e5a34

SHA512
76a268a5a8ae0170bb0c655d31872cf7e9f67395da37b691732d1e6a8db1c96c18c5a3019ee7decea8848a818642afee81ba0d7ec5a7cb1305454f13953d7347

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
073d37b425ac83ddebb5816919f7d353

SHA1
f154a0f9e3c30903aca7056ebd6d837f3989db6d

SHA256
e16c12380ba4ff0a472b08df28efdba5fd3de72a2c04dc141ad9792e3d7b902d

SHA512
f57fe35ec2a67a68cb6601488def77b510f8a44cbadc42d6517bd7da4049aa0b7becb8c546953783a499fb91d3572a1fe28dca01e48184ffcd43206fc638bd47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/1284-31-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1520-16-0x0000000001C60000-0x0000000001C94000-memory.dmp

Filesize
208KB

Download
memory/1520-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-18-0x0000000001C60000-0x0000000001C94000-memory.dmp

Filesize
208KB

Download
memory/2100-29-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2332-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-1653-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-3311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download