5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe
Size

2.8MB
MD5

3e9df46a946ccb96b868bcb0cee78ec9
SHA1

80f2d00e4d3227ef14efd8a859a7224a87dc7464
SHA256

5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368
SHA512

44ea38fcfd4869d35fd9f3bbadb400339754236f991baf035fd9a02d557fda91758e7a63156a96aeab63cc6dfb98398be1fee531ba2224b94c8e0c84811b30dc
SSDEEP

49152:y6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:Xd1XdhBiiMa7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	Logo1_.exe
2664	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe
File created	C:\Windows\Logo1_.exe	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2332	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	28
PID 1244 wrote to memory of 2332	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	28
PID 1244 wrote to memory of 2332	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	28
PID 1244 wrote to memory of 2332	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	28
PID 1244 wrote to memory of 2124	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	29
PID 1244 wrote to memory of 2124	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	29
PID 1244 wrote to memory of 2124	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	29
PID 1244 wrote to memory of 2124	1244	5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe	29
PID 2124 wrote to memory of 2564	2124	Logo1_.exe	31
PID 2124 wrote to memory of 2564	2124	Logo1_.exe	31
PID 2124 wrote to memory of 2564	2124	Logo1_.exe	31
PID 2124 wrote to memory of 2564	2124	Logo1_.exe	31
PID 2564 wrote to memory of 2520	2564	net.exe	33
PID 2564 wrote to memory of 2520	2564	net.exe	33
PID 2564 wrote to memory of 2520	2564	net.exe	33
PID 2564 wrote to memory of 2520	2564	net.exe	33
PID 2124 wrote to memory of 1284	2124	Logo1_.exe	21
PID 2124 wrote to memory of 1284	2124	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe
  "C:\Users\Admin\AppData\Local\Temp\5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23F5.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe
      "C:\Users\Admin\AppData\Local\Temp\5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe"
      4⤵
      Executes dropped EXE
      PID:2664
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
8fd50e583cb95108d2c309d0915e2f89

SHA1
cda2df6c04d470b446051532fda9ccf936767f47

SHA256
5345eac2796deb5dfe759d9c22590a2b11591d0471781672b86f1ad709be47af

SHA512
9337e56a666962b11f1b39989c8bb47f50015753f38968b43a420da992afce0e4a6007d8e5bc14aa646b7faa8c8acd9473dfce3ab0e7a356363293c1cd91bcd3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
39c5a9489ed322953eb7a6b19e76fd6e

SHA1
79cae6e0d91eb10b9f5d85eb553f2431eb80f4b2

SHA256
cc7d0e41e68d59ec4000817d4effabd46a1806fb2e1a56045d983015e79f4224

SHA512
8cf752bf542ff6ca99725f897e73457242486cb4698ae57a19966580a85be19b49775282dd3e3c67899d11e15c3ce213053220ee0a3bb6d35220405b56949004

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a23F5.bat

Filesize
722B

MD5
d53af6cee49c37ccf39322cfe0b3486f

SHA1
3c9ef65e15130187112423e31fd93a1728423463

SHA256
d1601d76c7aeb9ea84a57d376eeaee34392b9e4cc9c817b517fea30ce8e11144

SHA512
9aa2a1496b0a4f4ff43b2df20b8e8ecd5d1bfc041a272d2ad81acb6561c0f8a1714b87ff19262b4b2dfcea1cd96ef5666b7c6d158195c4af731021c84b50339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e5cb0625435890f97c29b0043d1313b69bfd71a26d0ebe6b9ad52d1bfc5b368.exe.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
21c07957c0adc8fbf331aaa427c0163e

SHA1
b837d3f09f6db0a7ec9c45e49a632c8812a37e4c

SHA256
f7bbf8b8c0af73001d32b5e3f714a65577537a34a6a9670e9980317f2b18caf2

SHA512
d0b1fce96e704d11776be16b1ddbf90e32874474491346ab20ba7445b6df62486d73dd60edada9ac2eec818b0018866f67d8837a24efc89ea9cc6025f18e4b27

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/1244-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-29-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2124-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-914-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-3265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download