c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
Size

959KB
MD5

75020494537a2bdb2943882d40dd8195
SHA1

c12e379e368a2f16d734187a5a93f34dcd841f68
SHA256

c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70
SHA512

dbc5c283e2abe941c1c7333abb5d426c22c4066b4072cd8fab26875b1267dec2256263ebff3117d0b3123d05d156b8c583e0169beb1afb5e42561d3821ffb7b1
SSDEEP

12288:dRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:aBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	Logo1_.exe
2564	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
File created	C:\Windows\Logo1_.exe	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe
2980	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2564	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
Token: 35	2564	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2936	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	28
PID 2276 wrote to memory of 2936	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	28
PID 2276 wrote to memory of 2936	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	28
PID 2276 wrote to memory of 2936	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	28
PID 2276 wrote to memory of 2980	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	29
PID 2276 wrote to memory of 2980	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	29
PID 2276 wrote to memory of 2980	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	29
PID 2276 wrote to memory of 2980	2276	c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe	29
PID 2980 wrote to memory of 2676	2980	Logo1_.exe	31
PID 2980 wrote to memory of 2676	2980	Logo1_.exe	31
PID 2980 wrote to memory of 2676	2980	Logo1_.exe	31
PID 2980 wrote to memory of 2676	2980	Logo1_.exe	31
PID 2936 wrote to memory of 2564	2936	cmd.exe	32
PID 2936 wrote to memory of 2564	2936	cmd.exe	32
PID 2936 wrote to memory of 2564	2936	cmd.exe	32
PID 2936 wrote to memory of 2564	2936	cmd.exe	32
PID 2676 wrote to memory of 2524	2676	net.exe	34
PID 2676 wrote to memory of 2524	2676	net.exe	34
PID 2676 wrote to memory of 2524	2676	net.exe	34
PID 2676 wrote to memory of 2524	2676	net.exe	34
PID 2980 wrote to memory of 1200	2980	Logo1_.exe	21
PID 2980 wrote to memory of 1200	2980	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
  "C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA6C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe
      "C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2564
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
e6c8364dd1105519b5096bfd35aa7ede

SHA1
6fdf70f2b2374e0603f98838f35c982a8b476aac

SHA256
ae3ac770ef6425cbd4adeb26b0a102182ed71a21c31a22a597caee6609e71a43

SHA512
abf753aa2fa64748e72f571d2e480a26c92f0ae93edcc7584c2fa2d2a501be7859405fed31e3d98caf5ed23e63b318922078f9645e156859017dcf97f95dddff

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
8beab7d90559fe385c30b08b3cc454d2

SHA1
65e627284e5c6b1a28618d976575bbade15d7160

SHA256
3662c245331ac74241676bc8de866ceadf1b77fd58bd094b05f8921c287f7995

SHA512
5c2544684b45354d204d6be7548c57a7e3b00f4042d535dfd2ac4670a99f2ca0590bcd781992178ccf83e56af38db13d646c10c166a05983ebdb050441d2d887

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA6C.bat

Filesize
721B

MD5
e7c5aa7fd66a144c97c7fe81c6cd31ba

SHA1
e1505504f0c056e6400ca809bd73095f397000b2

SHA256
0ad89f27a753bbb0385212173c135221481dd5ec83d451a1cb8b70aafaa731c0

SHA512
218457b550c2c322bfeebb2cbc0687bf7f8d37c8869f222db1fed91c1f11cd0b28fde2940fc50039f9b1a8f9beafd36404829e19b3e7f10c21ac2a9273ed4675

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6d0563e34ab457079ae3417813980d1899dbee2c28ad167a6998bd6b68e0a70.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
03973cef2ce9ef838925b809f4642c92

SHA1
f12bf865a7e4a89996ed0e75b92999af0fc55cc6

SHA256
60c5eaa615c1089024b316e63ea3e2430bc32be662c8936ffee89b2b0e6b711b

SHA512
a1466e20bdf93aed87c7a5edaef24165e07a3d6f833cc5953e2c61b674b48f1a4432eaf9f2694851543d7845bef862e0ae50f89ea86ce981863106f197a9482d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
73b8aef84e892e3f77d41747dce253db

SHA1
d642a92c96e4ed570d998a73e42fc24fafe8caf9

SHA256
a81f7465f537233bbd4b8fa9034e52a8ceffcdf97bf36244c4d404ebec14eb24

SHA512
9b0690efee220355932375db333b5487c369ca9fdcf8497bcb5283d78d21fb4fefb7c06bbe533fb1f18fd3b32256a013090af6dd957b9d09cc373d0d5b89cf6d

Download Submit
memory/1200-29-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2276-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-2175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download