e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe
Size

797KB
MD5

f35f37d1b74d94d33a751aacce2758b3
SHA1

1f0401fc2400f9b571a0d794789b010a7ec9d5c7
SHA256

e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b
SHA512

fe932b7e6145f179a6596fe6fe48791c30294e7275ce63f499db7a8b4cea00be17ec6f2b42537edc80147a3edc6340a2edffe358666d87299dff0068f1bc38ae
SSDEEP

12288:H7+e9rLQpfaUkAL1g4vJJxpsAu9hdZz/7re/fdo9WMhdfz0fYsKEbvCKlG:H7BrLFUkU1g4hJzQZz/ef7+zyKKs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	Logo1_.exe
1916	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	cmd.exe
2108	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe
File created	C:\Windows\Logo1_.exe	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe
2360	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2108	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	28
PID 1244 wrote to memory of 2108	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	28
PID 1244 wrote to memory of 2108	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	28
PID 1244 wrote to memory of 2108	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	28
PID 1244 wrote to memory of 2360	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	29
PID 1244 wrote to memory of 2360	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	29
PID 1244 wrote to memory of 2360	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	29
PID 1244 wrote to memory of 2360	1244	e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe	29
PID 2360 wrote to memory of 3032	2360	Logo1_.exe	31
PID 2360 wrote to memory of 3032	2360	Logo1_.exe	31
PID 2360 wrote to memory of 3032	2360	Logo1_.exe	31
PID 2360 wrote to memory of 3032	2360	Logo1_.exe	31
PID 2108 wrote to memory of 1916	2108	cmd.exe	33
PID 2108 wrote to memory of 1916	2108	cmd.exe	33
PID 2108 wrote to memory of 1916	2108	cmd.exe	33
PID 2108 wrote to memory of 1916	2108	cmd.exe	33
PID 3032 wrote to memory of 2708	3032	net.exe	34
PID 3032 wrote to memory of 2708	3032	net.exe	34
PID 3032 wrote to memory of 2708	3032	net.exe	34
PID 3032 wrote to memory of 2708	3032	net.exe	34
PID 2360 wrote to memory of 1204	2360	Logo1_.exe	21
PID 2360 wrote to memory of 1204	2360	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe
  "C:\Users\Admin\AppData\Local\Temp\e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1822.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe
      "C:\Users\Admin\AppData\Local\Temp\e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe"
      4⤵
      Executes dropped EXE
      PID:1916
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
10fccb391b46e22576a736c690ae86fd

SHA1
21afa059afff34817aa54c752331a5794c3cbccb

SHA256
ba1f1a20b68217c37fa865680f639db00a8af1a690b3cf9f385bdc69248919fa

SHA512
aaa174c985d7f0681b43e5747a9e9cef3519a3f63fcbcf519b0a0a14641baa7da9909fb9ff1a4f6d085b66f94c6af906a446f5bf27dbdaed939afbda000a5033

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
55533571d8f7e55a642f7b06f90493f1

SHA1
76598f706cd94069e921e44277a6abd4a034d81b

SHA256
389bb1e2cb30fd3071199a1383370dcd5966726c0128b78a5c21d4b3b560fe16

SHA512
6eea20952c4724af9c7cb1dda065ea43bc5a162d1492805d9aa7a1448a7022ab017a0cdc4c7e8a8d227a8809d8b876c1242b59eaaeddebd6c6fbc3db77c0e374

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1822.bat

Filesize
722B

MD5
b86499dd0edb1a9230c96478e9692b0f

SHA1
82b83a57c496d0f0f495ca1cba691f954d4c2c48

SHA256
472e4dfe8e97a18559f754483fced75c5abc61a903716e3cb2ddff7bc4cca7cd

SHA512
f54b9e6ba1c7179d82791dae06e24ea7975142605258166340129f4c0db5f0f9117b27f28735043994c857657beb3f82804b0fc6365f8d39c5689de7cc80cc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e59abe31b0d086dbb3eaf989bed1c6638d10772cf0733b828220e87ba51d390b.exe.exe

Filesize
771KB

MD5
76ac599d68401f86b375936f136aa6b1

SHA1
ed9067aae50d0fec8af1c592d8e08bcb12039158

SHA256
3c40c2a1f8448c707e3b233c302fc25fda91bd02bfac86d7869135b72e5c24f3

SHA512
207eb613d6e5a3f42ad14d352ddde6ff3443935ecfeb9c2263f60ce62790b5f91be24e5fa8836458b52a664a270ab5b6cc88a54e0539b4cf2fed235b1480c9cb

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
7f27bae91113fe90205a6cf904da4a36

SHA1
f85b2bf9462a6695a9cbe98b22dd8df4d769957e

SHA256
a3cd685b3424c7db3cb51422aeba14ea98991e59b914e883746767e7a3f46221

SHA512
3d45a313fe9de1167e3755c46dfe6d2c9eacd55868e5790375550fafe84a35efc6ee3fe9d79d6a3f7c912965aaf2f0eb4a24b69006c8dff91358870d765c2fd5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini

Filesize
9B

MD5
4d28283e4d415600ffc2f8fda6d8c91e

SHA1
053dcb8d5d84b75459bc82d8740ee4684d680016

SHA256
b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

SHA512
73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

Download Submit
memory/1204-33-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1244-12-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1244-16-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1244-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-35-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1916-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2360-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-929-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-1878-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-2382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-3338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download