2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
Size

2.7MB
MD5

e9e2646b9d402452b852b96c29b27a1a
SHA1

d4284a8fcfbb849a32a0d6aae983a96da70522ba
SHA256

2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34
SHA512

37a399ba4439a152e004ce22c51d286b86a86bca86ac5851b85ad015fdfc606ac683e4c2bce2b281c0d78b088df9b0f74ee0cc0472307d63cb11ef13476c2fea
SSDEEP

49152:Z7QnGW4GQphM8gHoz0+vaQjz7i0r2QGXOcNA+0XBZgcqcocP:xFTJIdK2QF/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	Logo1_.exe
2600	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
2380	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
File created	C:\Windows\Logo1_.exe	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe
2620	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2688	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	28
PID 1692 wrote to memory of 2688	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	28
PID 1692 wrote to memory of 2688	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	28
PID 1692 wrote to memory of 2688	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	28
PID 1692 wrote to memory of 2620	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	30
PID 1692 wrote to memory of 2620	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	30
PID 1692 wrote to memory of 2620	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	30
PID 1692 wrote to memory of 2620	1692	2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe	30
PID 2620 wrote to memory of 2536	2620	Logo1_.exe	31
PID 2620 wrote to memory of 2536	2620	Logo1_.exe	31
PID 2620 wrote to memory of 2536	2620	Logo1_.exe	31
PID 2620 wrote to memory of 2536	2620	Logo1_.exe	31
PID 2536 wrote to memory of 2456	2536	net.exe	33
PID 2536 wrote to memory of 2456	2536	net.exe	33
PID 2536 wrote to memory of 2456	2536	net.exe	33
PID 2536 wrote to memory of 2456	2536	net.exe	33
PID 2620 wrote to memory of 1408	2620	Logo1_.exe	21
PID 2620 wrote to memory of 1408	2620	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
  "C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8BEB.bat
    3⤵
    - Deletes itself
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
      "C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe"
      4⤵
      Executes dropped EXE
      PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe
      "C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe"
      4⤵
      Executes dropped EXE
      PID:2380
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a4be970114fde7b4347a171ef559737b

SHA1
9ff5a5c55eca69d00aa5cf88a86831f2954ee214

SHA256
54f93dd3fd4b973502236e7372591290aef4913ed31ab38fa17c4b0e52b86e21

SHA512
e4fb957ac171ac1bbca431fbfbb8c9142b5493e3b875db7f61182c91adce87d29b410c766d5043b8bee276f9024b7b14ee636106a037db8f35d545b20ec635ce

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8BEB.bat

Filesize
722B

MD5
4c9da1ffd0bb2e7ef029e2218a4b377a

SHA1
f9a7b482cf726245b5420fb2ed88dee5c8dbde90

SHA256
a15cbb717a0b6a8a416a57a678eb8852d17d2e3205c3e01e4924425309d0f616

SHA512
a72d32beaffc597c5f1ca0c5c40095440a3327151fd7cb12894fa8f7749769d530e0fa2d53b5112e946ba37c2ae61806f663dae65fef27faa47542050ae88349

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a5b6d0a372e5c0b89c6c0f5ee400fd05bd130f5ffecafb7f7ecdd4e1e1e7f34.exe.exe

Filesize
2.6MB

MD5
ea473dc8d0af2407234bcf39c8960f52

SHA1
000b72c6d34a7e71f300dcbd3d183030f1d082ee

SHA256
1a07065356771c16dd691fe0606f649f7857c39387e3b528a9bb6f1b20f228c4

SHA512
7ea2a2bfd6d3408f3131b58bf938d85508d25a1196d65ce6bf9e4372c14054ad19198f875f348b1b7a86ef47b3b9371f124bfb7a47682566a13098c7b2dce2ab

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
86f9430d4925c4f45151eea124081d83

SHA1
52df34b47184ed2700bbd92b68874c73592b6d1d

SHA256
41b9e2bf3ce43d681d6dde91ffff8a23adcc4da2076516de2bf2631708b74350

SHA512
910bce524874bbe43de4e9309b1e7aa6a547a6592e3cdcff1f992c156142dc4bf493d23218f635bb6f6366bc1616d96d6ca885d651c0b4be87ab845901f4e3e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
a470ca2426c102d035971b2e504d921b

SHA1
1720ef61e5c8e2ad6da9992a78940228fc81d615

SHA256
13721d3153b316d1b54c64b67de19ae5147cb78e332448e6b800f6d510c269f5

SHA512
c12907d26eac47d219aaa47b11d243738b0e698f898f9f2bd199652bc094197227ce12bc5fc96f5da25f1fd7b5904fe71ee3792105b05ac13a135d89aa1c1831

Download Submit
memory/1408-64-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1692-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-1887-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-3347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-58-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download