775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe
Size

70KB
MD5

e2942eefba935dca0e9a040cef205f1b
SHA1

15bb8b1e40e8f176bb6520d219a0b39892ab30d5
SHA256

775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a
SHA512

8c1aae6d67d47dfb0e2b1f0136fe0ce8b54ed21b9bdf18d968a5f5bfc82627ae658b851854c014f347df687ff07a46bf156b3ff4596c70d499589b92eb23f4f9
SSDEEP

1536:p1uu6h3SHuJV9NdEToa9D4ZQKbgZi1dst7x9PxQ:p1tQkuJVLtlZQKbgZi1St7xQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2008	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2228	Logo1_.exe
2136	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe
File created	C:\Windows\Logo1_.exe	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe
2228	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2008	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	28
PID 1512 wrote to memory of 2008	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	28
PID 1512 wrote to memory of 2008	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	28
PID 1512 wrote to memory of 2008	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	28
PID 1512 wrote to memory of 2228	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	29
PID 1512 wrote to memory of 2228	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	29
PID 1512 wrote to memory of 2228	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	29
PID 1512 wrote to memory of 2228	1512	775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe	29
PID 2008 wrote to memory of 2136	2008	cmd.exe	32
PID 2008 wrote to memory of 2136	2008	cmd.exe	32
PID 2008 wrote to memory of 2136	2008	cmd.exe	32
PID 2008 wrote to memory of 2136	2008	cmd.exe	32
PID 2228 wrote to memory of 2900	2228	Logo1_.exe	31
PID 2228 wrote to memory of 2900	2228	Logo1_.exe	31
PID 2228 wrote to memory of 2900	2228	Logo1_.exe	31
PID 2228 wrote to memory of 2900	2228	Logo1_.exe	31
PID 2900 wrote to memory of 2684	2900	net.exe	34
PID 2900 wrote to memory of 2684	2900	net.exe	34
PID 2900 wrote to memory of 2684	2900	net.exe	34
PID 2900 wrote to memory of 2684	2900	net.exe	34
PID 2228 wrote to memory of 1208	2228	Logo1_.exe	21
PID 2228 wrote to memory of 1208	2228	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe
  "C:\Users\Admin\AppData\Local\Temp\775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a121A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe
      "C:\Users\Admin\AppData\Local\Temp\775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe"
      4⤵
      Executes dropped EXE
      PID:2136
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
64b7a498ca89b776d45ec09d763d04b6

SHA1
5ebd2388f8ac29c201b2bfad06f6fee29716c7b5

SHA256
e3332364253c392c3e72a3b8adef2d82014651656eea38e186936c9d638c0197

SHA512
049b2a3836575250f285d9bba5c1cefecbb9fcf2eed9baf1e7e553625f705ce2dac61355bcd4b5f619c40f44a45f7aa74802e42e436e3211a0e26035d2644453

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
efd7eb57eac26ceed86796e715a515cf

SHA1
b73c76cc488eeac0431bb894b463069ac98cfc0f

SHA256
a3407b078b7dd03a472e3d1023845b2d2887063a804fbcc8c66ac11808203ace

SHA512
87be443ba04dd853f4afaf84b5d070c2ea42779833d1253c9106cb26e8fd07acdf94f0ca02a999365b787a4c1a2bff960082dcb345349ab19d9703eb9c17b2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a121A.bat

Filesize
722B

MD5
69d7ef1aa32bec192f3688545bb53586

SHA1
af786625b2021904c7ac7637e59520123de556c2

SHA256
336f817070fe3e86dbecc6e7b3c194e6a56cc489b888fbf429881368b45793ae

SHA512
4f952daea814f83809abdfb56853e599d926e808742bc2bef3f60872d7d83b5fc0904bd6001911894e2e8b118f04fb942260af80f16cb94b99cfd00f6375a1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\775afdc737b42a46435956b6529c3dd91671b3290f61a0fa52235ed2d0d4cf2a.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
df2c093eb893bac680bb0fdf75ef20a2

SHA1
896bb694b57022440cb713947facaaa6b227a92e

SHA256
faba7487ab383c4855ba29a1bd408c6a3947af3a3189f41ba7648c5289b89983

SHA512
ed7a8c0d189321a807ac92ed2ab4056b26df2b9fba51a57065f55a190e1bdd2b3a7cd274e9b3437577abc4af96746a6cf2f4374290c49ec113ce8527733862d6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1208-31-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1512-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1512-16-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1512-18-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1512-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-612-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-1852-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-2120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-3312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download