8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe
Size

481KB
MD5

47fc7aa6caac37c5ed30c157c148c311
SHA1

4588d0f736d617a190f7c945923d843f2eb91772
SHA256

8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149
SHA512

0e7ba3c770c217c844913bac1613b9f95f6ed704e89d8a3be701db68564f25565f1ae34fcf6d6df1a975260cc96c22f094261520c5b68e393b4f44e2eea15f32
SSDEEP

6144:OuJ6WdC+v3cpQvYJvKPSwv2nPEuJ1fHbIop44Sm5FpxyN90vEbsN7:9EpQQJvKPSwvY1fHTHy90w67

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	Logo1_.exe
2916	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe
File created	C:\Windows\Logo1_.exe	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe
2804	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2168	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	28
PID 1848 wrote to memory of 2168	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	28
PID 1848 wrote to memory of 2168	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	28
PID 1848 wrote to memory of 2168	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	28
PID 1848 wrote to memory of 2804	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	29
PID 1848 wrote to memory of 2804	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	29
PID 1848 wrote to memory of 2804	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	29
PID 1848 wrote to memory of 2804	1848	8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe	29
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2168 wrote to memory of 2916	2168	cmd.exe	32
PID 2804 wrote to memory of 2744	2804	Logo1_.exe	31
PID 2804 wrote to memory of 2744	2804	Logo1_.exe	31
PID 2804 wrote to memory of 2744	2804	Logo1_.exe	31
PID 2804 wrote to memory of 2744	2804	Logo1_.exe	31
PID 2744 wrote to memory of 2772	2744	net.exe	34
PID 2744 wrote to memory of 2772	2744	net.exe	34
PID 2744 wrote to memory of 2772	2744	net.exe	34
PID 2744 wrote to memory of 2772	2744	net.exe	34
PID 2804 wrote to memory of 1208	2804	Logo1_.exe	21
PID 2804 wrote to memory of 1208	2804	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe
  "C:\Users\Admin\AppData\Local\Temp\8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1B9C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe
      "C:\Users\Admin\AppData\Local\Temp\8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe"
      4⤵
      Executes dropped EXE
      PID:2916
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
6dbfa871d18aa4c685e00f03cc40e191

SHA1
ef9dba44feb63da5dcc1859ea9705622b2cee7bc

SHA256
33d8e5692cce3bda96d8788ed5fb77cec05be84e18c511df639e13cd6062d6a8

SHA512
cacf2c539ef66fa01408d568a35c9b556e2e4fc7687e0e8371d5a3906722603f2853792cf3468e4fca1432e809569dfd80b21edb54ac2c747a78e454c67e45c1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
ba4aad1c708a17aec1e5e73cfb94e6b0

SHA1
494510ded064f7ac8ce261301b64dce9c0e23dd7

SHA256
5088353f6ff05c644d05f09e324a46f38a561c815f50eb7dc4a8378f49c7587e

SHA512
29b0603190eafba6a03c1dce970501dfe796e642e6d9d5cb9a2e7c9312cad74e5b1126c6bf9bcabfd740a760bef2ea28289d9b9b773ea3e84dc0af726656be5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1B9C.bat

Filesize
722B

MD5
a2f3e754e29899f9d95ff21c76067e55

SHA1
823a8dcbcfb48f835175ebd2df160e4bfd55ef30

SHA256
f42709e7a4dc3a813a5cb935ad434159b370f76db1a677078ef28524a93e7c2a

SHA512
2db4ec698d7dba6d57220052cfcceafbe3b1490facdf1c25692833804d36ea1b25a54dd5804949219e87c8570b557eb78c1a594d8c8050271a74119bacec2b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ac8f9e48f98220388d6b1c8adb0a3ddc4ebc48d685051477017a1ee37a38149.exe.exe

Filesize
452KB

MD5
95b8a4245a6cd37d36e56fae5a23e2b1

SHA1
139e0223e64a2d4f7ae94e347c657bdb86dfd5ff

SHA256
e69c4abcc4d2f130e66560fc27829b4fe62a2b1f66933790a3060bd7f4fcd878

SHA512
9114af555b9d97c87834982c80d9a4a7cc97b8678ed55d96a1a02999b551e9e018d376b404d0925bbb87dcd2aa8e0fa8bf7745f60096a7df01cd918002fb0bf1

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
693e6f028a3f9f068a0b5e7250537d55

SHA1
2c79b8c2a6f4ebac7bf248a36d561fdc2b3532ff

SHA256
862b4192b217938a0a759e4ff19510ba65521b62927794e45a13b666ac90be72

SHA512
3645bc60a4185bc11f698608b757bd8d1181c7bba3b0ff801df0c40b9c721acab28352c947a4f93647fec238616af0b43f1f1d7a066617ddbe1c1eed858d5d4a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/1208-30-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1848-12-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1848-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1848-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-1875-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-3335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download