5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe
Size

710KB
MD5

26429c6d21c656747e6bfb417c359661
SHA1

05fd0dabf6b9fc863031d13dacc51bd444694194
SHA256

5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2
SHA512

3873fb3e72003cd520e39754785e650be4c3b94a00dc1652e95ed9c0acefce61e36696cb16bf2b32c6895e81c7dbe791c3f906801c58f19c30b2c6560b73f2cc
SSDEEP

12288:77+IF7M9RCOr5HS2q9SelLrRsPx64XYH519ZJJn2rYTdY/mx:77ReRt4blvOBqrZuYJR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1904	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1740	Logo1_.exe
2200	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	cmd.exe
1904	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe
File created	C:\Windows\Logo1_.exe	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe
1740	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 1904	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	28
PID 612 wrote to memory of 1904	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	28
PID 612 wrote to memory of 1904	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	28
PID 612 wrote to memory of 1904	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	28
PID 612 wrote to memory of 1740	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	29
PID 612 wrote to memory of 1740	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	29
PID 612 wrote to memory of 1740	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	29
PID 612 wrote to memory of 1740	612	5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe	29
PID 1904 wrote to memory of 2200	1904	cmd.exe	32
PID 1904 wrote to memory of 2200	1904	cmd.exe	32
PID 1904 wrote to memory of 2200	1904	cmd.exe	32
PID 1904 wrote to memory of 2200	1904	cmd.exe	32
PID 1740 wrote to memory of 2468	1740	Logo1_.exe	31
PID 1740 wrote to memory of 2468	1740	Logo1_.exe	31
PID 1740 wrote to memory of 2468	1740	Logo1_.exe	31
PID 1740 wrote to memory of 2468	1740	Logo1_.exe	31
PID 2468 wrote to memory of 2708	2468	net.exe	34
PID 2468 wrote to memory of 2708	2468	net.exe	34
PID 2468 wrote to memory of 2708	2468	net.exe	34
PID 2468 wrote to memory of 2708	2468	net.exe	34
PID 1740 wrote to memory of 1392	1740	Logo1_.exe	21
PID 1740 wrote to memory of 1392	1740	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe
  "C:\Users\Admin\AppData\Local\Temp\5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7501.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe
      "C:\Users\Admin\AppData\Local\Temp\5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2200
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a3482d38fb05ed4551015ce2eaaa84ea

SHA1
50529e4b2da222e5f52e8f93bf9a7a4d240664b2

SHA256
7a87ec80697f5f137b7a163573a85294a0730702b57956053a0bdc19350397bc

SHA512
a776433be08b39ac207a911f3beb73d9a0f9ca40556aa0593f2b59d43fd60f928f4430c91037b2a64097ff4abc7aa562117096eaea827eb43851c88edeee37b6

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7501.bat

Filesize
722B

MD5
13a13d22b9308f642ef3daf10bd84f52

SHA1
68e1870cedb306f1fd9afc84684182b4ee573dba

SHA256
580722a7121abd53948921e29b9030ccdc3a1895b5028f3188bc188c75e7e0b0

SHA512
bb6daffa1884257f4e3a32d87478f57da0e5592cb483eba057523b9750dc0d38e29c0e6ac68b3c2e2d2916b15fb7755ffc1683b2ffb9f37d7ac38fae796f5779

Download Submit
C:\Users\Admin\AppData\Local\Temp\5db8f82fe70f253ee38a5e3eadaae54b84c870d742b4fd485f24ee9abfe393e2.exe.exe

Filesize
684KB

MD5
ed0293bc477e35dda89125b49bb84910

SHA1
7201fff9aaf0a437c948b8320488cdacdd9da1ee

SHA256
89d561f1f606b3dc7e8bbe1341fdd4eb359443885b1ab0d55f9528a9464d1a96

SHA512
fcd103ce684e015609bce13b4f718f5de52f2ab202da3ee69d14303205b05d790140df6e4e62087460700809bd42842b30218c94b71ce656916174d2a5eedb97

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
7efbd2fe00598632f908c56af9fa85ba

SHA1
af7c0515e544a6b2532b527325064fbabe937eae

SHA256
a605256d75cfcd8a6ac740f8f08303ba8519be9b924a3d74ad32af93f1b570d8

SHA512
1288dc3056685167e795de758565f7f8f41d2c2b301a35c8d84f63fbba8d46cd4ef28d8fb9b00cd9177260df50111c66829dec6cb7759f15cd87280624487679

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/612-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/612-16-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/612-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-31-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1740-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-1864-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-3326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-36-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2200-45-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2200-27-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download