4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe
Size

341KB
MD5

fb648981e436882a181ae1edf0f65e66
SHA1

7bed8cbe0589d99c1764c00906c75cd0e0c7113f
SHA256

4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50
SHA512

0da837f8d1a42e063da2b0054c3fd6937d4acbec62ae2e93970ac0341be09238eb20fc6d6ff127d43464e8d3f2d2fd42128dda8bbd510e32f569fec71d041c71
SSDEEP

6144:TVfjmN7juXfo9e3/QCeve3XoQupt55EhtcxtpiO11ivncfQivI5:p7+7jQJeve3Gpt55VR/onQQivI5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	Logo1_.exe
2804	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	cmd.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe
2692	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe
File created	C:\Windows\Logo1_.exe	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2360	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	28
PID 2864 wrote to memory of 2360	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	28
PID 2864 wrote to memory of 2360	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	28
PID 2864 wrote to memory of 2360	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	28
PID 2864 wrote to memory of 2380	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	29
PID 2864 wrote to memory of 2380	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	29
PID 2864 wrote to memory of 2380	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	29
PID 2864 wrote to memory of 2380	2864	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	29
PID 2380 wrote to memory of 3032	2380	Logo1_.exe	31
PID 2380 wrote to memory of 3032	2380	Logo1_.exe	31
PID 2380 wrote to memory of 3032	2380	Logo1_.exe	31
PID 2380 wrote to memory of 3032	2380	Logo1_.exe	31
PID 2360 wrote to memory of 2804	2360	cmd.exe	33
PID 2360 wrote to memory of 2804	2360	cmd.exe	33
PID 2360 wrote to memory of 2804	2360	cmd.exe	33
PID 2360 wrote to memory of 2804	2360	cmd.exe	33
PID 3032 wrote to memory of 2676	3032	net.exe	34
PID 3032 wrote to memory of 2676	3032	net.exe	34
PID 3032 wrote to memory of 2676	3032	net.exe	34
PID 3032 wrote to memory of 2676	3032	net.exe	34
PID 2804 wrote to memory of 2692	2804	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	35
PID 2804 wrote to memory of 2692	2804	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	35
PID 2804 wrote to memory of 2692	2804	4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe	35
PID 2380 wrote to memory of 1176	2380	Logo1_.exe	21
PID 2380 wrote to memory of 1176	2380	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe
  "C:\Users\Admin\AppData\Local\Temp\4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6A5.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe
      "C:\Users\Admin\AppData\Local\Temp\4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2804 -s 512
        5⤵
        Loads dropped DLL
        
        PID:2692
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
ea3e7a80029fb4b8eaf381d61f94eb7e

SHA1
542cffe191c68dba2679f9e167d3f1e2c96a06f3

SHA256
f7d095c63ade32f4ba12501fb85ffb9f959d83c1e47076f2a05892339735715d

SHA512
0ee9e7288ea1fb905f14cf4983f1f591409ec671bef6f45b134aea0bdd8b0ba62251c77aa401a049b172b269cb442aa21fd4ae66730d137609e95e580d6a52bd

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6A5.bat

Filesize
721B

MD5
b361361dceea465090c64309a5c7a339

SHA1
dd45e79e2ec39e4aea55cb933c50472094813453

SHA256
d829799fc757408b315c8a9b60ddaf2cb564b273d92c0f5db18fbc7a2a5af4ab

SHA512
29e69869cfdd300f4ff9914934810d21f8f4720e762ff1ce7f385eeb53903098028f1d1381a900eb001f9f52ba37d71cb9356b972be91e3afd51074d9b0e3ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b6b8f0ad937c6f74b9279788531bdbb92edb0565e49f7ce4e8b0431712dcc50.exe.exe

Filesize
315KB

MD5
09ac2b6f268980a4d135fe651bbf3cbe

SHA1
eee57f93ff5ca7b28046f55d668e357c12e63d85

SHA256
4be96b9592273c3ab2ac051e088a68f13c0e8aa8217dd5e809763abd7db44618

SHA512
09683bdb47fb2fe77c1b99ce7b850001b8771c968f2ef8d0fb354a27111c8294a164ac7a6912176913e15a15073aa95594c0c0da69cc43c7e1306b088370b2e2

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
feb8473549216daa0adec2e3945a3db8

SHA1
a0366043f5537172b5cc605afe339c28dce37d16

SHA256
23ffb3cc8727b16073e7944e36eabbf7b087f6923c78e88ed92c08b13af48671

SHA512
090cbae5bd60f40cc983cd6abd52af8ac083705e80fd08e676c72feff826844785f4d2e76c2a40bd85df0097eac64d4bf9fe008108051c2218cccfb6abd50848

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
8B

MD5
8de83b88f7ab26b8a33a1eeb970a7bc8

SHA1
ad3208ec0bdfacd12ad7291d0259ef41b6bfc425

SHA256
499baf65b91c9fff00cab334a4d8ab59d253993f173da5c33ff01ea4afc217fe

SHA512
9272af088cc70ebeb388cefda678d35e649433d3a6c5715f3537e2832b3fead9568d58a026c36ab711fdef87597419e8be80a5d809530a933f72328c413a5d7e

Download Submit
memory/1176-38-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2380-930-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-2447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-3320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-1860-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-31-0x000000013FC90000-0x000000013FCE0000-memory.dmp

Filesize
320KB

Download
memory/2804-30-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2804-48-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2864-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-18-0x0000000001DA0000-0x0000000001DD4000-memory.dmp

Filesize
208KB

Download
memory/2864-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-16-0x0000000001DA0000-0x0000000001DD4000-memory.dmp

Filesize
208KB

Download