b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe
Size

66KB
MD5

ddef46ea7a580969d02d45b712a91829
SHA1

a878b05b1b56af46aa856199079c6f59c540c4b8
SHA256

b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa
SHA512

e2b09c3f0e3e4f4ae7dc565749080ed62e50e896795b59ee43f2827cb4da96c10ed0f5d591ad9ceca5650abc1b6713cadc2bf98cc3240fe79ab27e47e30858ae
SSDEEP

1536:pFg3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:pFgkuJVLBrBkfkT5xHzD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	Logo1_.exe
2600	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe

Loads dropped DLL 1 IoCs

pid	Process
2720	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe
File created	C:\Windows\Logo1_.exe	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe
2056	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2720	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	28
PID 2128 wrote to memory of 2720	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	28
PID 2128 wrote to memory of 2720	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	28
PID 2128 wrote to memory of 2720	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	28
PID 2128 wrote to memory of 2056	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	29
PID 2128 wrote to memory of 2056	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	29
PID 2128 wrote to memory of 2056	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	29
PID 2128 wrote to memory of 2056	2128	b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe	29
PID 2720 wrote to memory of 2600	2720	cmd.exe	32
PID 2720 wrote to memory of 2600	2720	cmd.exe	32
PID 2720 wrote to memory of 2600	2720	cmd.exe	32
PID 2720 wrote to memory of 2600	2720	cmd.exe	32
PID 2056 wrote to memory of 2520	2056	Logo1_.exe	31
PID 2056 wrote to memory of 2520	2056	Logo1_.exe	31
PID 2056 wrote to memory of 2520	2056	Logo1_.exe	31
PID 2056 wrote to memory of 2520	2056	Logo1_.exe	31
PID 2520 wrote to memory of 2824	2520	net.exe	34
PID 2520 wrote to memory of 2824	2520	net.exe	34
PID 2520 wrote to memory of 2824	2520	net.exe	34
PID 2520 wrote to memory of 2824	2520	net.exe	34
PID 2056 wrote to memory of 1120	2056	Logo1_.exe	20
PID 2056 wrote to memory of 1120	2056	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe
  "C:\Users\Admin\AppData\Local\Temp\b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C09.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe
      "C:\Users\Admin\AppData\Local\Temp\b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe"
      4⤵
      Executes dropped EXE
      PID:2600
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
038f53881b6000fae7fb0f2512e2e3b4

SHA1
d1aaba1723aef39db69eec8b0b5e2bc985b0340c

SHA256
f75dbc79b2e82e51a48740bf3ab4ce259077dbea5224415bbe6bd3019a6e58aa

SHA512
55c0a3607507c11082f47e84dcf504e70653a7b7c44b45e61d2d676caea77977e9a664d6e64f118e63f63551ed149de81b947dafb21147358961a87d3a6449c9

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
39d0021b923509b5e31096b0f119bada

SHA1
5cdb5aacdc36fc52472de30f738c1770c0be28fa

SHA256
6245380525c0df016952045413482bc868b12263353c73d1834e268a634fbd1c

SHA512
eb9a24f56f778ab8738acef21ec58815e108f2bfe69d4dfb28c1628a67e0037bcc557591fcdf754815351a8da77fd0315a1271ac1a5ac6d9b3e6c3822519c1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1C09.bat

Filesize
722B

MD5
75fae892f57c49bd95e2b7e9418131e5

SHA1
e458b1d4b214a5c32edddfcdf58b299e7323e1e1

SHA256
97cb103e272f4e1da9e54b3f47609e79cb539e922ef01ce8625114140501843c

SHA512
84cffb02a54add5e96bcc09f3c7c2e62031b3f102ca631fb4b656e4b477bc083d6139fadce2157158e31087595702102510b36bda7fb19ba4989f77484ba3f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b80956497bb899626e68bc29df7add3d2960b35a1cee1f7becff9611ef3cf9fa.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
5e018d2d2708c2c26f202ce9a1636981

SHA1
19323e5de5e2454df2833765cf0b9613e706528f

SHA256
2329b064ddf71027fc85df068546906b467b214aa6a59b777e7e15a4a3c00434

SHA512
b1a699fd131e2168ac644bfb7224b21a69e0ce65afb6613aa040e458881860a3fdbe9aefd31cd64c3d51542c9e750a0fc706494b31731defc79e5ce1c6d7d2b8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/1120-29-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2056-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-611-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-1875-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-2096-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-3335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download