33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Size

959KB
MD5

ecb2a6231699f4fe3c9da36d001494b5
SHA1

a4293e7d2783e194b745e164451d0355be3a9ae9
SHA256

33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e
SHA512

e6fe76b1c270830ac47f1b67e4ef8d42d600083173c0bcb9ba70449e08754cf3b7379fad4ba172b4d88bdfef31b6a305f1f287c738ac5a1b7025ee1a4a198602
SSDEEP

12288:QRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:lBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1448	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1388	Logo1_.exe
2596	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	cmd.exe
1448	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
File created	C:\Windows\Logo1_.exe	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe
1388	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2596	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2596	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Token: 35	2596	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1448	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	28
PID 2172 wrote to memory of 1448	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	28
PID 2172 wrote to memory of 1448	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	28
PID 2172 wrote to memory of 1448	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	28
PID 2172 wrote to memory of 1388	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	30
PID 2172 wrote to memory of 1388	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	30
PID 2172 wrote to memory of 1388	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	30
PID 2172 wrote to memory of 1388	2172	33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe	30
PID 1388 wrote to memory of 2980	1388	Logo1_.exe	31
PID 1388 wrote to memory of 2980	1388	Logo1_.exe	31
PID 1388 wrote to memory of 2980	1388	Logo1_.exe	31
PID 1388 wrote to memory of 2980	1388	Logo1_.exe	31
PID 2980 wrote to memory of 2620	2980	net.exe	33
PID 2980 wrote to memory of 2620	2980	net.exe	33
PID 2980 wrote to memory of 2620	2980	net.exe	33
PID 2980 wrote to memory of 2620	2980	net.exe	33
PID 1448 wrote to memory of 2596	1448	cmd.exe	34
PID 1448 wrote to memory of 2596	1448	cmd.exe	34
PID 1448 wrote to memory of 2596	1448	cmd.exe	34
PID 1448 wrote to memory of 2596	1448	cmd.exe	34
PID 1388 wrote to memory of 1192	1388	Logo1_.exe	21
PID 1388 wrote to memory of 1192	1388	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
  "C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a786B.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
      "C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
6594c9dee8b3a34129af16b59eab751a

SHA1
1edcd1a1f91ea569dedc1391610e2438b25dc3a1

SHA256
cb2c2d9ba31f305f280301882b6e859d27fc2210e2ab2a21232afb8a38d07571

SHA512
d53d9ec26500f4d4f2c19c036c57ef97d97b09f634a5772c7e31d088b22db508544beea563d50b51c336aef4ec737a9a39cf56f9df68676ff6e97900362541d3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6f0ec1ca208b0521f58bcd694897df06

SHA1
808a16d524301513af8ee772936f6bdcf41623a6

SHA256
53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf

SHA512
d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a786B.bat

Filesize
722B

MD5
e73bb8b1828c4df03339422830161389

SHA1
76712bc03ae4217c4b9bec4f8fb14913acb76fda

SHA256
25bb746d78496c36d6abe410990a8fec166b40b2b708986b873ca696a9b37a89

SHA512
67b61bb88a6e28678ee3b17f4ce60e8496c5bcd90a2713c1a4eb059707f0f02bfdde52f14979e5576dc47eb1b284784e919eb7ae7688ecaedc8c036d244ce64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
e138d7d47ace7dfa816f7ac64e8d4898

SHA1
9d0be22461b768c1f2541e204d6b0de4e6de18d6

SHA256
2cfdf912ecaf532855d684e10474a60243b5ed381d522669ee6c3c4ba0fffe75

SHA512
bbbcd2879ebe1e566ae56f98c45a76aad8f58201b791156328661b98a1adaa89b98e0e1888c1eac3052f298afad2b09da1817c1b8911fa2da77bc87e5927b568

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
588b2065b2adfd8dfd688104d02aad5a

SHA1
263f0ca294d728a13f51220aea8123aa257cc6e2

SHA256
f9ab49edf14c6bda17287f7caa63d3b3bb20a65215f1462cf05577a5c1c472e6

SHA512
99106035ac4547c81fd737f5f79ddd32ea10fde9e3ea97102472c871aa9f94ee3f68823bcc4bb308e92265a9c3cacd4b1f5c9f52f8d3e630cdf6bdcd3c737e2d

Download Submit
memory/1192-31-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1388-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-1853-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-3313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2172-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2172-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download