680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe
Size

41KB
MD5

5ffdc82dae83ac12b2475a963b09d563
SHA1

cedec18c3a1aef6b0ddb36849ced7d53c4b351c5
SHA256

680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89
SHA512

667168634b1ab4e36bde2288cb56bd9d1e8a44287e6029d9949e59392164531f1ec3d9e688fae1a3af475cad121f3889dcdecb59b2beb80035c485188bc512fb
SSDEEP

768:59m216GVRu1yK9fMFLKaTxsujCT7pZpYIWQ3655Kv1X/qY1MSd:yw3SHmLKarIpYIHqaNrFd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	Logo1_.exe
2648	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2C18FE73-0135-4FFC-BCB7-4B0A9050B077}\chrome_installer.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe
File created	C:\Windows\Logo1_.exe	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2368	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	28
PID 2176 wrote to memory of 2368	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	28
PID 2176 wrote to memory of 2368	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	28
PID 2176 wrote to memory of 2368	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	28
PID 2176 wrote to memory of 2364	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	30
PID 2176 wrote to memory of 2364	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	30
PID 2176 wrote to memory of 2364	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	30
PID 2176 wrote to memory of 2364	2176	680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe	30
PID 2364 wrote to memory of 3060	2364	Logo1_.exe	31
PID 2364 wrote to memory of 3060	2364	Logo1_.exe	31
PID 2364 wrote to memory of 3060	2364	Logo1_.exe	31
PID 2364 wrote to memory of 3060	2364	Logo1_.exe	31
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 2368 wrote to memory of 2648	2368	cmd.exe	33
PID 3060 wrote to memory of 2584	3060	net.exe	34
PID 3060 wrote to memory of 2584	3060	net.exe	34
PID 3060 wrote to memory of 2584	3060	net.exe	34
PID 3060 wrote to memory of 2584	3060	net.exe	34
PID 2364 wrote to memory of 1196	2364	Logo1_.exe	21
PID 2364 wrote to memory of 1196	2364	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe
  "C:\Users\Admin\AppData\Local\Temp\680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB95.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe
      "C:\Users\Admin\AppData\Local\Temp\680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2648
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
8d0bfb85554753d93e3f43fa8c348316

SHA1
c5c96d9bfadbe04dbdf264e8febf26e6f06d3a8f

SHA256
135a3e38a38266f018936e3e15e609147aec5d4df839113c6aa56ecf02c5a391

SHA512
06d02a540927206ca8d52f563efe1fc89f40d38fe7e411b12b4a92bbb9c330275f8787ec9d8a2e615ee110651a6f38d353548f8d0b3e28c5d0d1e7ebeebfc273

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB95.bat

Filesize
721B

MD5
096fc007fb0e5e47b7de83c5b5aa3612

SHA1
454132b3660acf30d9dacb166aeeb97fa399b2df

SHA256
c59601fde8f944a5c3a583b9b8e8dbbd329eaebb3abdc570582f6876b9c11bdd

SHA512
2077f3f004373deffc39eb8014cc818dae08a441f419a0200dbfddd4b30067a19a4c42e6b55b7fc0fabc892338207ace038e5ca0081923587c60ad12e731276f

Download Submit
C:\Users\Admin\AppData\Local\Temp\680de1c9f63ebf23044b8d7ab982c192bbea8a6c3c3cab9c672aa2f20030eb89.exe

Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit
C:\Windows\rundl132.exe

Filesize
27KB

MD5
452dc122926f718d5eff28db8c13b873

SHA1
5105726d0ed51fd22fbfbb455de7e8d7407796f0

SHA256
84bca73a7f4ce6b978f07073a6db9cf897b3bb7267fe484f9565a31e1751dc40

SHA512
42b28dcbf7b14466f803ad975ba3a30a24d8d4e0090d9e12bdd3124832986bed0daf4fd002b30360624c296d2323bcdec97c75de0b4aa9094766bafddbc250f7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
4d28283e4d415600ffc2f8fda6d8c91e

SHA1
053dcb8d5d84b75459bc82d8740ee4684d680016

SHA256
b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

SHA512
73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

Download Submit
memory/1196-29-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2176-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-853-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-1850-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-2597-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-3310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download