ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
Size

179KB
MD5

81325cd4b583dd573500319142c6ec53
SHA1

2ca3d9cac674694e1366916117f9238b3576b4bb
SHA256

ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a
SHA512

c879f57aba2904a4a12037ef7939cc2a9c1ba3217179f6bdb505540fe2511b69b36638c2ac59b19233e952aa73e5472a200bc75873712a339a4a5888fabadb2a
SSDEEP

3072:xAyLd0K/JdOydO/COH//kxBsg87jT14yBHlMCTok+sul:XLZ/JdnOTHkxOg87GyBH9j+5l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	Logo1_.exe
2676	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1856	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	28
PID 1808 wrote to memory of 1856	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	28
PID 1808 wrote to memory of 1856	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	28
PID 1808 wrote to memory of 1856	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	28
PID 1808 wrote to memory of 2272	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	29
PID 1808 wrote to memory of 2272	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	29
PID 1808 wrote to memory of 2272	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	29
PID 1808 wrote to memory of 2272	1808	ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe	29
PID 2272 wrote to memory of 2564	2272	Logo1_.exe	31
PID 2272 wrote to memory of 2564	2272	Logo1_.exe	31
PID 2272 wrote to memory of 2564	2272	Logo1_.exe	31
PID 2272 wrote to memory of 2564	2272	Logo1_.exe	31
PID 1856 wrote to memory of 2676	1856	cmd.exe	33
PID 1856 wrote to memory of 2676	1856	cmd.exe	33
PID 1856 wrote to memory of 2676	1856	cmd.exe	33
PID 1856 wrote to memory of 2676	1856	cmd.exe	33
PID 2564 wrote to memory of 2588	2564	net.exe	34
PID 2564 wrote to memory of 2588	2564	net.exe	34
PID 2564 wrote to memory of 2588	2564	net.exe	34
PID 2564 wrote to memory of 2588	2564	net.exe	34

C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
"C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15D2.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
    "C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
    3⤵
    - Executes dropped EXE
    PID:2676
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a15D2.bat

Filesize
722B

MD5
03b5e508f8e3cce174e52b9a66e78625

SHA1
6c25f6b95f265bbca4de4d1fa0fea4dd8fd1ffa4

SHA256
0ba3ce75520b7c0cdf253e4eb47955b080397432235f36fc1c42c1eeaa381109

SHA512
73e9e468067ecbf433ace7c86c8f77ba30f80cb09853a2245f21094960bb6a6a8c58593f650b3640c30abb378848356901e02603dece1b9191ebcc6144dcf4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe.exe

Filesize
113KB

MD5
b777409e43897fbad31319874035055f

SHA1
fd279403092e23136b5c1afa1940d3c24816afd9

SHA256
cc1d59f183410a925944c92bb7e67c5f6985c158b0e9039172751ecd27874446

SHA512
5e7baf63f18024a7e040d50cfd35c26eaae38fb6472c5575c088c7f4121952422960622e5884f88c643c715322dbbbbde046aeabe0bb0d9774416aeec1fc5ae3

Download Submit
C:\Windows\Logo1_.exe

Filesize
66KB

MD5
bac152d659a8e5c8b297ee885a362ab7

SHA1
e35922075011a55e96a69695645985ed2e4d7336

SHA256
db778391e2816d919f43276cff95d64e544e28e8f4262a8722e9e904038af413

SHA512
ec5a747cd6602130886b0c04638eac550a8dc287368ff3fba6b526bd83f4f678b8ebc3d6482a0282aba720af556df91ae986cccef36c5b77465c4f0003c9a150

Download Submit
memory/1808-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-164-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-239-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download