b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 22:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe
Size

44KB
MD5

e4b5fb88512027d317e6f9d7c4117b9e
SHA1

ff4831cfd5aff8b45611282f64febb8a558dc6a9
SHA256

b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d
SHA512

0bbaa9515c18571ebd49223c3219ca0456eec87de939285a2cb5b3242ca2e7a388fdbc378dc435845bddc9debe0646c7a9e95425f719005306aa31c28fb09d26
SSDEEP

768:l1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoGwXnKxdLof0QrqzCUrMufiC9zp3:DfgLdQAQfcfymNG+KxdLof0KqzCUrVzp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	Logo1_.exe
2580	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe

Loads dropped DLL 6 IoCs

pid	Process
3060	cmd.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe
File created	C:\Windows\Logo1_.exe	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 1 IoCs

pid	pid_target	Process
2444	2580	WerFault.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3060	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	28
PID 2936 wrote to memory of 3060	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	28
PID 2936 wrote to memory of 3060	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	28
PID 2936 wrote to memory of 3060	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	28
PID 2936 wrote to memory of 2208	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	30
PID 2936 wrote to memory of 2208	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	30
PID 2936 wrote to memory of 2208	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	30
PID 2936 wrote to memory of 2208	2936	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	30
PID 2208 wrote to memory of 2032	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2032	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2032	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2032	2208	Logo1_.exe	31
PID 3060 wrote to memory of 2580	3060	cmd.exe	32
PID 3060 wrote to memory of 2580	3060	cmd.exe	32
PID 3060 wrote to memory of 2580	3060	cmd.exe	32
PID 3060 wrote to memory of 2580	3060	cmd.exe	32
PID 2032 wrote to memory of 2736	2032	net.exe	34
PID 2032 wrote to memory of 2736	2032	net.exe	34
PID 2032 wrote to memory of 2736	2032	net.exe	34
PID 2032 wrote to memory of 2736	2032	net.exe	34
PID 2580 wrote to memory of 2444	2580	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	35
PID 2580 wrote to memory of 2444	2580	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	35
PID 2580 wrote to memory of 2444	2580	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	35
PID 2580 wrote to memory of 2444	2580	b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe	35
PID 2208 wrote to memory of 1204	2208	Logo1_.exe	21
PID 2208 wrote to memory of 1204	2208	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe
  "C:\Users\Admin\AppData\Local\Temp\b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCDC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe
      "C:\Users\Admin\AppData\Local\Temp\b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 520
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2444
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
ea3e7a80029fb4b8eaf381d61f94eb7e

SHA1
542cffe191c68dba2679f9e167d3f1e2c96a06f3

SHA256
f7d095c63ade32f4ba12501fb85ffb9f959d83c1e47076f2a05892339735715d

SHA512
0ee9e7288ea1fb905f14cf4983f1f591409ec671bef6f45b134aea0bdd8b0ba62251c77aa401a049b172b269cb442aa21fd4ae66730d137609e95e580d6a52bd

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCDC.bat

Filesize
721B

MD5
be69c1734cd93704821c3ec30d6e49f0

SHA1
e1709ac326335fc216cc79bab18f5d4b9079d8bf

SHA256
1f2739707f56e677bf4f27838bdcfc4a8b1e804d14a6b315d046871cb55d2895

SHA512
7bd93b6ab182ae50ef3743431ee159f34ad230db40962aeef878170756504d56de3d08727f24f40137377e9033debd88c2ccbcaf2f6b15732e3ddcef392fe735

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
feb8473549216daa0adec2e3945a3db8

SHA1
a0366043f5537172b5cc605afe339c28dce37d16

SHA256
23ffb3cc8727b16073e7944e36eabbf7b087f6923c78e88ed92c08b13af48671

SHA512
090cbae5bd60f40cc983cd6abd52af8ac083705e80fd08e676c72feff826844785f4d2e76c2a40bd85df0097eac64d4bf9fe008108051c2218cccfb6abd50848

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
8B

MD5
8de83b88f7ab26b8a33a1eeb970a7bc8

SHA1
ad3208ec0bdfacd12ad7291d0259ef41b6bfc425

SHA256
499baf65b91c9fff00cab334a4d8ab59d253993f173da5c33ff01ea4afc217fe

SHA512
9272af088cc70ebeb388cefda678d35e649433d3a6c5715f3537e2832b3fead9568d58a026c36ab711fdef87597419e8be80a5d809530a933f72328c413a5d7e

Download Submit
\Users\Admin\AppData\Local\Temp\b0598117bde646fc329f0e82979ba2b5434265a86ed6957f1142ad9b29d0047d.exe

Filesize
17KB

MD5
3571d69452c501ebe65102c2948227ae

SHA1
b75596a17e4ffd253b09484e32a6ba10208f6e6b

SHA256
a241c2d8c95a23b28bc87bf86a7e3abc2f8ca31009cdd3a97214d1d3084a87cc

SHA512
a29d6d9cba1b0f0fb059fb7d1411cc665d4d4ddfa46d77f2f8c52954c8461ed4fa8889be1a891619c31bfdaf7f4c11a615eec74537f7c10688aa8aeb0de2fde4

Download Submit
memory/1204-36-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2208-971-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-3316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-3105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-1856-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-29-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2580-28-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2936-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download