0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
Size

573KB
MD5

0fa358463d01292dc0c29cd2cb4d6ae9
SHA1

be8615293359814fefcdb50f4938d963c52daef7
SHA256

0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b
SHA512

2cbb5396bef624a3dfe784ecae721567146ad8c27a536dc4039d69176a73c48b6f67a9efe5dc92ad7ac0e9ccfce6e23c935d0900d4c3859a5c9dd2a5420d0c12
SSDEEP

6144:suJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:47a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1356	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2904	Logo1_.exe
2676	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe

Loads dropped DLL 1 IoCs

pid	Process
1356	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe
2904	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1356	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	28
PID 1484 wrote to memory of 1356	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	28
PID 1484 wrote to memory of 1356	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	28
PID 1484 wrote to memory of 1356	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	28
PID 1484 wrote to memory of 2904	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	29
PID 1484 wrote to memory of 2904	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	29
PID 1484 wrote to memory of 2904	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	29
PID 1484 wrote to memory of 2904	1484	0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe	29
PID 1356 wrote to memory of 2676	1356	cmd.exe	32
PID 1356 wrote to memory of 2676	1356	cmd.exe	32
PID 1356 wrote to memory of 2676	1356	cmd.exe	32
PID 1356 wrote to memory of 2676	1356	cmd.exe	32
PID 2904 wrote to memory of 2600	2904	Logo1_.exe	31
PID 2904 wrote to memory of 2600	2904	Logo1_.exe	31
PID 2904 wrote to memory of 2600	2904	Logo1_.exe	31
PID 2904 wrote to memory of 2600	2904	Logo1_.exe	31
PID 2600 wrote to memory of 2256	2600	net.exe	34
PID 2600 wrote to memory of 2256	2600	net.exe	34
PID 2600 wrote to memory of 2256	2600	net.exe	34
PID 2600 wrote to memory of 2256	2600	net.exe	34
PID 2904 wrote to memory of 1192	2904	Logo1_.exe	21
PID 2904 wrote to memory of 1192	2904	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
  "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a21E2.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
      "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
      4⤵
      Executes dropped EXE
      PID:2676
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
d53dfe8ee60a8ec53507b414770b008c

SHA1
3428891b51a84cc48294c7c504ff73815eb09ae6

SHA256
8b03c2b78678dc4c33f2301edcc9de1128c5cf44a1b532fcb5316c773914007f

SHA512
6a5e60f2952a04b6b209cc75ca997f3655cd8cf2a7aea2bc7799eb59e49e638abd7631a6cf3c1455933e961bb6ec1ff3561c6c14027ff4481054243e09af1ab7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1ca79e3c2539763b0aaac5de49795afe

SHA1
2d240aef9a2cce22578f42ebecd3058e37a404a8

SHA256
e3e49eceb810b34fc826d70c6556d927a363f29c90b347ee4cfd61d7ba3ff2d9

SHA512
4e24d3ebcefa6545d85517bbc5bff3285f85a5967da1642a6e4e53bc2c41efc8b9092a3bbb56c1670b215d623ff5c320bcb06f654ac97482a5dff0da208349e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a21E2.bat

Filesize
722B

MD5
10071bdb2ca6daa15c15fef375f61638

SHA1
be87d165daefe605a5107e48ae37b5430026484a

SHA256
560fdc5e0ffdac079102c57da66b3f876e4a808b5290054916fc815bd4246039

SHA512
bf08472de09a5de2e524acd0097b09a97e395c728195a1380e3c1170858286ce8fc7104575710c73da8a5874e19c914f10084c347de44dd2f002dd3642b35a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
c3a6498aeafb967730b138db7706cfbd

SHA1
82c69ca3f3eaf8bb5fa8288db2b88bc735f18017

SHA256
9a8bea687af727ad62d8e900f8fa2c686600ddaaa69c8ff9f431a93e1aaae472

SHA512
0a06043720af675a122478c9c71dbb78730821361f7b88ac44a05471a870bfef32e6a8bbead08a4d35be897a031dca9bd46966ea9f7727ceb88d1fa6e1cb43a2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
8B

MD5
fa8bf97ffdb152205be1f3a9bd9faec3

SHA1
88a5a98b6074543e357ec7ad221eaee5e30ec82a

SHA256
08a129c008511d5fc4ee1e2ad0fad3d0b033407f74285a18c6fe956d5dc2c9cb

SHA512
ea0a63f52af441964e4a2cddede537d87f1ad78241c883cf40334801056879bb1639ae75b2d9e3cceb90471837263760fc7d6c6708819c7a73fec703ba098443

Download Submit
memory/1192-28-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1484-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1484-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-2170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download