950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe
Size

258KB
MD5

f19cc9a7734b97f56462b477685c4603
SHA1

5a0e2faaa8edd06ab5f60e479c0640ff79714055
SHA256

950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087
SHA512

e312419bedb73a6d6d60eb771fea3155bb72d2e35a3401c0c17c631e223232e2b90c60f8e8327f092cbffaab00fb77b9870db8e31670ac83829c0541e479395d
SSDEEP

1536:m3SHmLKarIpYQILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uq:mkF3plLRkgUA1nQZwFGVO4Mqg+WDY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	Logo1_.exe
2680	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe
File created	C:\Windows\Logo1_.exe	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe
2156	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2092	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	28
PID 2748 wrote to memory of 2092	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	28
PID 2748 wrote to memory of 2092	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	28
PID 2748 wrote to memory of 2092	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	28
PID 2748 wrote to memory of 2156	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	30
PID 2748 wrote to memory of 2156	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	30
PID 2748 wrote to memory of 2156	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	30
PID 2748 wrote to memory of 2156	2748	950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe	30
PID 2156 wrote to memory of 2576	2156	Logo1_.exe	31
PID 2156 wrote to memory of 2576	2156	Logo1_.exe	31
PID 2156 wrote to memory of 2576	2156	Logo1_.exe	31
PID 2156 wrote to memory of 2576	2156	Logo1_.exe	31
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2092 wrote to memory of 2680	2092	cmd.exe	32
PID 2576 wrote to memory of 2624	2576	net.exe	34
PID 2576 wrote to memory of 2624	2576	net.exe	34
PID 2576 wrote to memory of 2624	2576	net.exe	34
PID 2576 wrote to memory of 2624	2576	net.exe	34
PID 2156 wrote to memory of 1204	2156	Logo1_.exe	21
PID 2156 wrote to memory of 1204	2156	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe
  "C:\Users\Admin\AppData\Local\Temp\950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC50.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe
      "C:\Users\Admin\AppData\Local\Temp\950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe"
      4⤵
      Executes dropped EXE
      PID:2680
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
065232d2dd6f81acb20913c1f50e7b41

SHA1
4f480119787a632d92084bdd551ef1eb05f1049f

SHA256
a8895855fe3198e67754edfaa7106c71b7f4022aadd49a601b1395b635a31fea

SHA512
2e737bf8448f4ede0fc8af3cdbfa0904397774d137a0df8febfda330e50644ba14831714705418b3cb7577ad775c4e83551b449604d444e9638f96b3a2a8188a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC50.bat

Filesize
721B

MD5
2aa072afbe5f13f5476bbf9979b48c52

SHA1
74e761799c05e5dbaf7492e3e6f9a87f7d785386

SHA256
85b8ad2ff895e9de36bb24d9387c304ae1b4276da96567b2bb800e35a4288e8d

SHA512
7ca1e64df8a14077ade9b29fae902ba155ce9ca1f7587c50e58c59ad1e013bbbcd442fbbf02e944b5dc2839e371c77066dbdb8588bc5b7a547ce18eb017ad013

Download Submit
C:\Users\Admin\AppData\Local\Temp\950f2966e7280cf6eb404827773d98316e44d48ac80b06f8887774eac421f087.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
d40dec8d7ee2548338a0dd2e171f2aa9

SHA1
5a0b6e764845325d3fc97c9b3efe3d15ec0ce8b5

SHA256
213794103143dff557da1d81f8cae8ca429e01242c6b4ad53c9af66470741629

SHA512
64c91f16697c8490ecc7a9194b3d3ecc57abcfa7ba65e90069eca35e333d15f1ab0b785a96f32980dbbd110d4f588a95390fd6068a106b5a18368ee3a923d88e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
8B

MD5
5979a5ab5d6ce7068aff133101a79c52

SHA1
8ec7729d3782fc978cc50f9b3217fc8309ae7733

SHA256
6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

SHA512
213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

Download Submit
memory/1204-29-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2156-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-844-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-1849-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-2904-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-3309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download