e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
Size

1.6MB
MD5

00299d55cfd77172abf8cc55a13ae031
SHA1

5bc6cac294012f318d5aec6ed9165b758413b540
SHA256

e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9
SHA512

3146d9bbce99233824bd9e9d7b32ae56f9af3bedf9a5a7abc73facf39a67789fbc35464a74e44a5b04b057132f152437be8776bdd7695bec3d05767f18781bc1
SSDEEP

49152:69VTJHyRQCRsuk/JISsG0VJKSmvhQtNwnZHJgXyGOdg:6URQ7DBISsG0VMSmpQTwtaL7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	Logo1_.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
File created	C:\Windows\Logo1_.exe	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
2724	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1296	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	28
PID 2752 wrote to memory of 1296	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	28
PID 2752 wrote to memory of 1296	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	28
PID 2752 wrote to memory of 1296	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	28
PID 2752 wrote to memory of 2184	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	29
PID 2752 wrote to memory of 2184	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	29
PID 2752 wrote to memory of 2184	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	29
PID 2752 wrote to memory of 2184	2752	e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe	29
PID 2184 wrote to memory of 2596	2184	Logo1_.exe	31
PID 2184 wrote to memory of 2596	2184	Logo1_.exe	31
PID 2184 wrote to memory of 2596	2184	Logo1_.exe	31
PID 2184 wrote to memory of 2596	2184	Logo1_.exe	31
PID 2596 wrote to memory of 2604	2596	net.exe	33
PID 2596 wrote to memory of 2604	2596	net.exe	33
PID 2596 wrote to memory of 2604	2596	net.exe	33
PID 2596 wrote to memory of 2604	2596	net.exe	33
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 1296 wrote to memory of 2724	1296	cmd.exe	34
PID 2184 wrote to memory of 1200	2184	Logo1_.exe	21
PID 2184 wrote to memory of 1200	2184	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
  "C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a27CC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe
      "C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2724
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
c2313644c3961c77fb35668603775f6b

SHA1
34857a41ad8b6ce8f1458615465a73c8ef5b5e49

SHA256
fd99eadf4c8d7924770f0969d9f847d74e965cac870b846ed737eff514b7fd64

SHA512
272443283ed7073bf9ce4fac0b94ff80fdbe92cd70c310904b81306d555abb0c71f712488fa49c58a0c95f7510ede226c4f40f7a7214d4c99e37fdd8a4bc0f9d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a27CC.bat

Filesize
722B

MD5
b4dbdb21bf6aab2eaef82cb2b45c4e4d

SHA1
844b237897851a2b472e8d9dfa122daff26019c4

SHA256
b9549517e27c7df7919875e93f5db2c7aef671211e2689f7407a6df1ac7d5faa

SHA512
5920ee55577f9833fe587b08da03baed155200e039a9bf9a6994650e24f0e93ea5b673747f80da5ab60ec0bc2e80bb474bf94068ef373d15e55a1407b8305a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1608cad6ac31f0580dedb476e451b959927c28206ccf7d25946662bcf89d8a9.exe.exe

Filesize
1.6MB

MD5
ada617b0cdf2bcd08558a99814d465c4

SHA1
cc098290554d4e9bd1bd1009f2474cc06866cff6

SHA256
5f2b689531b9eda96489442b000cf3203af38838c71fc10229db9b375e3c1055

SHA512
b5b49f41258e5e6c8254bd4204a550a26b447de15d1ba78b7fd24f99938e3b4778037264ac6e2e5c0c45c59efa5b87ccfc68f05f70ec6ad0e329d5bede8bbcdf

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
599a7881ecc7bdb52e885c2f88f39623

SHA1
f1e4628628939c353e3f51e46dd638c844db0588

SHA256
e54026cfa7a56a1cdbe7c78228b9d123e8e7f8f1044609385e1990bc4091872d

SHA512
68542351fa49e3ace39596d63e89b24ae31f3cb6a27f315bd7922aa8ff17601da5663e3c25e802154d5e97bcfdb569365372ad32cb2459485373d574fe1809ba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
626b7ac8db42922bd5ad061459a997cd

SHA1
1d94c0679bc448cde1fc2da8cea39b910af74f3b

SHA256
ec459940188be916789d5d79bd7826fecb6ad8f47d606e862d95946998d36208

SHA512
cff25aa56e8d7d33dddf326fe1fdc1fc11e4269e0b03caa2f8baa637a549b1e0878ea933333cc82c03fb3930d0ae1b8735bfdbf1337e696b5bd062b693847f20

Download Submit
memory/1200-30-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2184-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-17-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download