9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe
Size

2.8MB
MD5

17b9b8ea2a0b78308ec3efd866f96af5
SHA1

da3ba0305ad3f6b422734005c1302251d8a09d54
SHA256

9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80
SHA512

f0ca4fb079f19a27c73962ee241f8e1e12e2d6acf7c52b3b273b72a3ff5367bf367f7c25de93b1af39ce57808598940b9b9bcdb4c117ccb7d03a43bf2adb6cc0
SSDEEP

49152:y7z6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:3d1XdhBiiMa7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2148	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	Logo1_.exe
2712	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe

Loads dropped DLL 1 IoCs

pid	Process
2148	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe
File created	C:\Windows\Logo1_.exe	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe
2768	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2148	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	28
PID 2764 wrote to memory of 2148	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	28
PID 2764 wrote to memory of 2148	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	28
PID 2764 wrote to memory of 2148	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	28
PID 2764 wrote to memory of 2768	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	29
PID 2764 wrote to memory of 2768	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	29
PID 2764 wrote to memory of 2768	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	29
PID 2764 wrote to memory of 2768	2764	9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe	29
PID 2768 wrote to memory of 2540	2768	Logo1_.exe	31
PID 2768 wrote to memory of 2540	2768	Logo1_.exe	31
PID 2768 wrote to memory of 2540	2768	Logo1_.exe	31
PID 2768 wrote to memory of 2540	2768	Logo1_.exe	31
PID 2540 wrote to memory of 2588	2540	net.exe	33
PID 2540 wrote to memory of 2588	2540	net.exe	33
PID 2540 wrote to memory of 2588	2540	net.exe	33
PID 2540 wrote to memory of 2588	2540	net.exe	33
PID 2768 wrote to memory of 1224	2768	Logo1_.exe	21
PID 2768 wrote to memory of 1224	2768	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe
  "C:\Users\Admin\AppData\Local\Temp\9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a26F1.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe
      "C:\Users\Admin\AppData\Local\Temp\9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe"
      4⤵
      Executes dropped EXE
      PID:2712
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
24283b222a74d715d8e092d15038a868

SHA1
628b219145fda6f32ceab3c1cc5071384ea8e3c5

SHA256
25a38261dbe7abebd43760da429d01264e764d198ce6a07ab91aecf1d031cdad

SHA512
9390746b7eb3242771671f53c5b26cf1548325fb53257402f1e0653962e4e35da8cde615efb4d6f997c9a78580bdb1222857c01da2d7d02e4483e258aa9b960b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a26F1.bat

Filesize
722B

MD5
cad6856afc2426d3f7c765593def46a6

SHA1
228137cc18a68d5d95e47159bb4f5f4fcea6b105

SHA256
79ca5db5a8f8593975e96d97f73b39191345ff82d269e295da83bdfeb32bd1c4

SHA512
72db48044701f47c43346463e3be3a907a6435475d8cf9fdbacd1f7b4a76d604005bf2afdd035bedd08e1df09c2621a6bc2872d7b2b8cb80448c12bd01f7cfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f8a85884e7dc3c2299fa60281206818bc4b7c25908dd1d77da9b7b4ae17fa80.exe.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
6f0c2f9883c615873a528106e6c3297d

SHA1
5a6e57408fa9050f489327dd8bed1bdda1e28f4e

SHA256
44962a9be3407c4890486cf7f87be01fb11b1f5f5b4390b7c748e4d0273040e2

SHA512
9a74a8e3af24b6bfb248152638079c615598dd51e18cc04769fa63e35ace376c087f597c9a8b39685f6b55a9474e83bea10204d523a976dc1daa2f691341897f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
8B

MD5
0282826728a8bfe9c3f290391e4f323c

SHA1
ab69946ecc2824015e04a669b8434e8eb2a658aa

SHA256
0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

SHA512
fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

Download Submit
memory/1224-29-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/2764-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-1208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-3308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download