845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe
Size

1.1MB
MD5

9902df4359a173fb2d380c39a2eece7f
SHA1

af77c090421a15e5015765127f53f16d575e48fe
SHA256

845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78
SHA512

b7d345a682bab87d2bfcda5fe8f48db3aefd213cd34c08298a9a647f3664a202f642d10ce27bc206e000d349424fea5d280111f614f76b864361d44ceb572a8a
SSDEEP

24576:G73brCwSmrVCPxMXhhoHSttm+FmRHFPwgxyYz7bZzr79:G7cxMroHWFgxyYz7Bh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1384	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1504	Logo1_.exe
2856	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe

Loads dropped DLL 1 IoCs

pid	Process
1384	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe
File created	C:\Windows\Logo1_.exe	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe
1504	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1384	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	28
PID 2824 wrote to memory of 1384	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	28
PID 2824 wrote to memory of 1384	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	28
PID 2824 wrote to memory of 1384	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	28
PID 2824 wrote to memory of 1504	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	29
PID 2824 wrote to memory of 1504	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	29
PID 2824 wrote to memory of 1504	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	29
PID 2824 wrote to memory of 1504	2824	845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe	29
PID 1504 wrote to memory of 2676	1504	Logo1_.exe	31
PID 1504 wrote to memory of 2676	1504	Logo1_.exe	31
PID 1504 wrote to memory of 2676	1504	Logo1_.exe	31
PID 1504 wrote to memory of 2676	1504	Logo1_.exe	31
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 1384 wrote to memory of 2856	1384	cmd.exe	33
PID 2676 wrote to memory of 2604	2676	net.exe	34
PID 2676 wrote to memory of 2604	2676	net.exe	34
PID 2676 wrote to memory of 2604	2676	net.exe	34
PID 2676 wrote to memory of 2604	2676	net.exe	34
PID 1504 wrote to memory of 1092	1504	Logo1_.exe	18
PID 1504 wrote to memory of 1092	1504	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092
- C:\Users\Admin\AppData\Local\Temp\845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe
  "C:\Users\Admin\AppData\Local\Temp\845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1268.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe
      "C:\Users\Admin\AppData\Local\Temp\845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe"
      4⤵
      Executes dropped EXE
      PID:2856
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a4ba015a708f68eb1aa8cdcaa692f088

SHA1
71a846a78fcb6bafc5ccbe372484e0ef81bc39fa

SHA256
fcdc3c1af76e1bbb58c5c1112fda5c82aa1aca8acdfc8e5377424dcb34ae4d53

SHA512
fdda3c5ae6474100bc0dd0dbc8b9af8874f18feb03f7fdfb8ff7f8d484de579e2ea5336c36b8c7ae8b959df00529b36e0c396984f29de07b442f7e311c9f5931

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
28f6479e5c0b7a32e8ae773b9221a22a

SHA1
882e24734f4d42c4e0b95bb695c921ee66ae2042

SHA256
5ec41e0b29c00dd288859df2f583b0e771c11c01d8fd519fe2bd8921b3bed4f3

SHA512
d27c5c01bfe526652af0083bc17c4a3212fc00d594344b6a1a39999248623fba1ae14c79ec849c3567d1bf952cdf7e1e4fd5b22fde938227d89338529fb43685

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1268.bat

Filesize
722B

MD5
1d39f2ec5f0e3082630516e2f4138eca

SHA1
def615a65bf2a088fadb9b13a69f4a81c36cf057

SHA256
b41fa5ca4e68d1157bd39a00ff1e29ef9a7f53fecd76a1524202c52a83c26804

SHA512
19843bbe30f02856d804c4e88be8a8330c305f7045b7100b097262cb0a5d43b9fa5b2f1291c50c53f1fb472a3004fdf3acfc11e96a2f2fc96cd3eaff8557ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\845dc68ff96b0274c2bc3297d4aa7f93a9b528db816882d6ae255f9cd05b8b78.exe.exe

Filesize
1.1MB

MD5
5da79eeea8fffd12b2b77db479eee6e1

SHA1
070dd08a345deb068adf817193e22973f0a37fd7

SHA256
d34c171aefa01500a3b2a59b05fdd622ec87888fd8b197ee6d0e815b98443f3f

SHA512
b743b0601eb5ccdcfa3a89e01f9e879b02a697a50eb2eb3844e07cfee613fda75a136486e2063612fdf2a338f8720ea07a689462f3da7eb9f48b0ab0f70558ce

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
571380a64267656a16012c245c5bb39c

SHA1
4844d47d75a4d1a4fe2416687bbd56eddfc503f8

SHA256
0a318cb72048dd748f91e258575dca665b94bc314cf3599745caa374c1967f23

SHA512
d9b18cb5a0956c6445f3028748fc9868cfdb9c5696f19fed065367cec40ecfd39a0278538144c5c149ff2687055ba2c886326fa387e04240af55aae0cb396a10

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/1092-30-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1504-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-2071-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-17-0x00000000020D0000-0x0000000002104000-memory.dmp

Filesize
208KB

Download
memory/2824-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-12-0x00000000020D0000-0x0000000002104000-memory.dmp

Filesize
208KB

Download