acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe
Size

487KB
MD5

53c0b44c4428fe84fef965589e0e02e2
SHA1

e94d4fa831efb3d1fd028fd30267115e027072f4
SHA256

acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6
SHA512

0eab0e276c539747c87f0aee184929b6d005fef401e8c1acf68d6974f17782ee2dceab5b4160152965d1b56332cf7eb64d2f9b6ef5e25369ff8187d0a63b6106
SSDEEP

6144:MtuJoz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:g1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1704	Logo1_.exe
2628	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe
File created	C:\Windows\Logo1_.exe	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2004	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	28
PID 1916 wrote to memory of 2004	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	28
PID 1916 wrote to memory of 2004	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	28
PID 1916 wrote to memory of 2004	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	28
PID 1916 wrote to memory of 1704	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	29
PID 1916 wrote to memory of 1704	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	29
PID 1916 wrote to memory of 1704	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	29
PID 1916 wrote to memory of 1704	1916	acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe	29
PID 1704 wrote to memory of 2696	1704	Logo1_.exe	31
PID 1704 wrote to memory of 2696	1704	Logo1_.exe	31
PID 1704 wrote to memory of 2696	1704	Logo1_.exe	31
PID 1704 wrote to memory of 2696	1704	Logo1_.exe	31
PID 2004 wrote to memory of 2628	2004	cmd.exe	33
PID 2004 wrote to memory of 2628	2004	cmd.exe	33
PID 2004 wrote to memory of 2628	2004	cmd.exe	33
PID 2004 wrote to memory of 2628	2004	cmd.exe	33
PID 2696 wrote to memory of 2508	2696	net.exe	34
PID 2696 wrote to memory of 2508	2696	net.exe	34
PID 2696 wrote to memory of 2508	2696	net.exe	34
PID 2696 wrote to memory of 2508	2696	net.exe	34
PID 1704 wrote to memory of 1208	1704	Logo1_.exe	21
PID 1704 wrote to memory of 1208	1704	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe
  "C:\Users\Admin\AppData\Local\Temp\acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a167D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe
      "C:\Users\Admin\AppData\Local\Temp\acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe"
      4⤵
      Executes dropped EXE
      PID:2628
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f134d58f0c72c193a05ff5819d09f8d6

SHA1
85c6d5b8cb938c5b8b7437693a4f6e97caa94fdf

SHA256
0b329835e955ce06b673448b91b9bea022bc741cd855123dd5f8988d4385b031

SHA512
27c84f45bacb5c95ca340b6a8da7a81ece4cdb3adf2c3f85726f79c7a35cf7b6eb37c6703b6c275d5861ea0585c43c2bbc95f5331aec240ee234fceb72ed33c6

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
39d0021b923509b5e31096b0f119bada

SHA1
5cdb5aacdc36fc52472de30f738c1770c0be28fa

SHA256
6245380525c0df016952045413482bc868b12263353c73d1834e268a634fbd1c

SHA512
eb9a24f56f778ab8738acef21ec58815e108f2bfe69d4dfb28c1628a67e0037bcc557591fcdf754815351a8da77fd0315a1271ac1a5ac6d9b3e6c3822519c1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a167D.bat

Filesize
722B

MD5
da475d3a07c3b28652b0df2267170395

SHA1
0f8a109206683a9416fb1e18a2f8f7da9d82a318

SHA256
aac168f7c7fb8e50e74b7bf2b46fee3fc6c90d70c5959b9b38f6dcbe84334cb1

SHA512
97e4652a6e21a7ab2fc63ffc8fb6e543d55dda307198276dff557b928212b2f3fbbf4f9143b13e1a71529df976e6e1348556150b54da3a0476b95c7b4e9a7b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acaa70b42a9ebf427eca692ee41975a3f2d6d79ce8e71d21d27f18de6f0547b6.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
af29fb6a5adf025d9127df13f942d7d2

SHA1
72d13969443440eb123cfb43f924c4959eae7638

SHA256
d83088ef692a221a033bfb31d7178f7f04182df4480ac946b53807fda9cdd040

SHA512
10c6c2a56386b35f52e8b220def9cace7a57a70672a97aeb3c95df14d832416d6057fabccd86c4f473e354a87e378ff0ac3cf0e503ee3db9f909897ef7776079

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
9B

MD5
392ab9dcf5a9daf53626ea1f2e61d0b9

SHA1
0a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7

SHA256
9bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d

SHA512
5d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d

Download Submit
memory/1208-30-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1704-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-533-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-1875-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-3335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-17-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1916-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download