c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe
Size

515KB
MD5

20e02be51c1ff69bb57d36541f46ca37
SHA1

06e01e0fb8b5a9e0c2b29e771b8eff52f3b5046a
SHA256

c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82
SHA512

4ecac9ff8c608bb77c9dd2fe864b26c5dfb2d4ba6868dd1250e0c37ea77d9d3ed4c1102bed599c7dbb1a75ebcac70bada5b99f314bdc67515265fab003dc200e
SSDEEP

6144:5uJeVK6qoJmiqV3Iv0dQwxOWMYty+Nm6lxpvc5ihULkfIExFaHxXCD1wBJQcYbVC:JVKGW00SgOWMY5NmIvc5KfxHaFJB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1828	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
316	Logo1_.exe
2640	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe

Loads dropped DLL 1 IoCs

pid	Process
1828	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe
File created	C:\Windows\Logo1_.exe	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe
316	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1828	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	29
PID 2896 wrote to memory of 1828	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	29
PID 2896 wrote to memory of 1828	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	29
PID 2896 wrote to memory of 1828	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	29
PID 2896 wrote to memory of 316	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	30
PID 2896 wrote to memory of 316	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	30
PID 2896 wrote to memory of 316	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	30
PID 2896 wrote to memory of 316	2896	c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe	30
PID 1828 wrote to memory of 2640	1828	cmd.exe	33
PID 1828 wrote to memory of 2640	1828	cmd.exe	33
PID 1828 wrote to memory of 2640	1828	cmd.exe	33
PID 1828 wrote to memory of 2640	1828	cmd.exe	33
PID 316 wrote to memory of 2616	316	Logo1_.exe	32
PID 316 wrote to memory of 2616	316	Logo1_.exe	32
PID 316 wrote to memory of 2616	316	Logo1_.exe	32
PID 316 wrote to memory of 2616	316	Logo1_.exe	32
PID 2616 wrote to memory of 2836	2616	net.exe	35
PID 2616 wrote to memory of 2836	2616	net.exe	35
PID 2616 wrote to memory of 2836	2616	net.exe	35
PID 2616 wrote to memory of 2836	2616	net.exe	35
PID 316 wrote to memory of 1204	316	Logo1_.exe	21
PID 316 wrote to memory of 1204	316	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe
  "C:\Users\Admin\AppData\Local\Temp\c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1BEA.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe
      "C:\Users\Admin\AppData\Local\Temp\c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe"
      4⤵
      Executes dropped EXE
      PID:2640
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
15fc4128f757c2330dffa91f5545b44e

SHA1
1be43151179b1727f754a129c6222b0936bef468

SHA256
2d909fc004a3492877512429c5d08df6161f63353bbb557a64b50d0e21bb2a49

SHA512
b0a666b25a5e938561d792aa969b4f007aafef8063d731c36fa02f57d2df0065f10e8d0827488c8dc6e3243c6b749bc64ed73b8a64ccad471362f3cfd16dddc2

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1570c8967b0e748fd6f41fb77a3049c8

SHA1
46d512030ad234354e8e6185e872733055b9d37c

SHA256
2c82d60020b35ca731043d06c527d4c5bfb4c89098a52a5b58e3122e2a12064b

SHA512
8dcda676cd3a7ee79b210b0a07eecc38adaa0ebded65307ac924be0eec8980e80ea6dae06fe0bffd75038e89b4baa66919c15d678c82f456dd53e9c347357ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1BEA.bat

Filesize
722B

MD5
4e339367c990edef7021cc1c13f08162

SHA1
dba0b476ac061da08738cb3353e01fe3ce398340

SHA256
5a9fb59ede9f8c5f319a0e2c3a488841842db2d8ba9d6df2bfed859ab2f4a786

SHA512
eeeb6a0f2d022b69f435b79339331cfb22ea8a6e442b725eeafdaefc6356fcd6e838f254d355f5ad9b7aecc9ba8e4cbed80c0e78264787662607972e4a05b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8d0a50a2fe566f6e52f19e702165e00c2408d6eaefc3092d0e4adefec737c82.exe.exe

Filesize
486KB

MD5
0319d23a5b85b2fd83da101229a0784b

SHA1
876ef2ab9d62f80ed7c691715123f9ebe4e07e6e

SHA256
4ee9a5f339076ea65fb17a15a2bcd6a1c21bbd7db7b8fbd7a8ee178c8a3551ae

SHA512
c58f23c7cb888e2a6d535b6f11200dd6b0f668b24aa22dea8fe80bf0c0d26ea054c41b7422fc80bd2c7c76783f55c2ca9f874eaa4560f08a805bfddcd639d72a

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
cbb85133030f0d4412d80c949bbaf411

SHA1
57898b4c8d29336bb66a7e0db0d612e97777d5e8

SHA256
2e1e7e6847838b8a544662092e1293c560f5339dd60b2c863465a5e2f2e026d7

SHA512
d58bcc296ee8b679bdb0506d91dd64e676d24a09a9bf7f23cff1b618af1569ae4efbd8a920e1fd07eb289df8edc09488fb24cff15312c721d110f2ccd31515e6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
9B

MD5
fa1e1ef0fdda97877a13339b28fa95e5

SHA1
7e2cffca41118e7b2d62963bd940630b15b85653

SHA256
968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191

SHA512
3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

Download Submit
memory/316-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-3339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-2028-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-50-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/316-1879-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1204-34-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2896-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-44-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2896-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2896-16-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download