1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe
Size

5.7MB
MD5

d2cea32067b734a56bdb984a733e0ed2
SHA1

0bec4374428e1f761c9eb0cc8a59e257582c34c8
SHA256

1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547
SHA512

2b9a0770546b42207230d21c92b0fb48db45aaba87f6a723735a202853f084855f59fb88bf28b03c83ff15cbfee8d8d8571c0aea553f05f69038486d58b2584d
SSDEEP

49152:VPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:RKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	Logo1_.exe
2576	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe

Loads dropped DLL 1 IoCs

pid	Process
2184	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe
File created	C:\Windows\Logo1_.exe	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2184	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	28
PID 3004 wrote to memory of 2184	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	28
PID 3004 wrote to memory of 2184	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	28
PID 3004 wrote to memory of 2184	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	28
PID 3004 wrote to memory of 2208	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	30
PID 3004 wrote to memory of 2208	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	30
PID 3004 wrote to memory of 2208	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	30
PID 3004 wrote to memory of 2208	3004	1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe	30
PID 2208 wrote to memory of 2256	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2256	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2256	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2256	2208	Logo1_.exe	31
PID 2256 wrote to memory of 2724	2256	net.exe	33
PID 2256 wrote to memory of 2724	2256	net.exe	33
PID 2256 wrote to memory of 2724	2256	net.exe	33
PID 2256 wrote to memory of 2724	2256	net.exe	33
PID 2208 wrote to memory of 1196	2208	Logo1_.exe	21
PID 2208 wrote to memory of 1196	2208	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe
  "C:\Users\Admin\AppData\Local\Temp\1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a228E.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe
      "C:\Users\Admin\AppData\Local\Temp\1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe"
      4⤵
      Executes dropped EXE
      PID:2576
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
1636cea2485ca2025e21fbbaad2ebbd2

SHA1
6fad881a9814d125c89d18d6e7537d91d43838b2

SHA256
0ea98228f99cf38e71adec14044df4e99880e42269dc9f094b191da8cbe1d053

SHA512
5f109e3bd15bd2a59fd41c117f7951d3ea6155e8b7a588f3929710986b791982d0365014ab77111c1bffbb2bafd5ea04f277e3e8d95436fc0789a9268c6e2aa3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e85807cbaf1c00d5c04e60d82117ed94

SHA1
2e586d30d725be909a6f4de38b582fc0bfe57c01

SHA256
eb0caf5692f857aadb09867f6526b1dd6f02c9980ccb8d7d58e09342c87fdda9

SHA512
af0d2fce26f6ddbf90d3a3359a9ac6740e4d9c830d65137914c3b85f68f9ae390f4454c90ed8fc5210a3c7ac45690d50690379996b5befa61a5853f93d041495

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a228E.bat

Filesize
722B

MD5
a8273728cc9b7f5678061fb59937ba45

SHA1
dd0402fbba7b8c668c94c017eec8d5be17713978

SHA256
f61ae938a1fcd783d600e5599fde7c53fd0aa27874a39dcc2c50ab1a85e5ca86

SHA512
f15d3a7be982ac7f941a00f0084b55a05640f68314edb265028e69c130651c1d95ec49f8a47e62fe8d735bf3c84e21a05968f1f4a908a11582f638dfcc066eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d50d30d6bbc81d23d79f7a7ba6dd696dec551505e2ee30f4566d94780560547.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
3694524f0d407d1b4701670631cb329f

SHA1
b2e469373326f83e8fb4d47292461a8e40c7bcc5

SHA256
2006d7933127865f73262d653cbbd942766b7ffae304e623e02110af32049178

SHA512
5151fb5b7c1785e76f5f76be39abe81ef258993d4996fdef00f4d414ab5239bfbe482c41a43b35d5c575067a35187e7d795ad4089144a0705ff7714b05702b3f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/1196-31-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2208-665-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-2337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-17-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/3004-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-15-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download