de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa

Analysis

max time kernel
100s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
Size

437KB
MD5

a3cef060995db1884c1522632bf00653
SHA1

7e542ccaa9d6379c1fad52a46d9850b08072b267
SHA256

de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa
SHA512

88ad37680cee1c22617a00a80d854bb20ef5fd4af91640367593de692c1618890143ba4b960571ac447c58268cd8b1f8726b8625097758765f0d45b8eb81b56e
SSDEEP

12288:iU7+T0AWrA+gThCNwpEcAjq9Trv9g0Z9i3v9:37wMUUKvAjq9TRg0Z9iF

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

resource	yara_rule
behavioral1/files/0x003400000001508a-26.dat	detect_ak_stuff

Deletes itself 1 IoCs

pid	Process
1544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	Logo1_.exe
2656	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
File created	C:\Windows\Logo1_.exe	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe
2208	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1544	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	28
PID 3000 wrote to memory of 1544	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	28
PID 3000 wrote to memory of 1544	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	28
PID 3000 wrote to memory of 1544	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	28
PID 3000 wrote to memory of 2208	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	29
PID 3000 wrote to memory of 2208	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	29
PID 3000 wrote to memory of 2208	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	29
PID 3000 wrote to memory of 2208	3000	de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe	29
PID 2208 wrote to memory of 2532	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2532	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2532	2208	Logo1_.exe	31
PID 2208 wrote to memory of 2532	2208	Logo1_.exe	31
PID 2532 wrote to memory of 2576	2532	net.exe	34
PID 2532 wrote to memory of 2576	2532	net.exe	34
PID 2532 wrote to memory of 2576	2532	net.exe	34
PID 2532 wrote to memory of 2576	2532	net.exe	34
PID 1544 wrote to memory of 2656	1544	cmd.exe	33
PID 1544 wrote to memory of 2656	1544	cmd.exe	33
PID 1544 wrote to memory of 2656	1544	cmd.exe	33
PID 1544 wrote to memory of 2656	1544	cmd.exe	33
PID 2208 wrote to memory of 1196	2208	Logo1_.exe	21
PID 2208 wrote to memory of 1196	2208	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
  "C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a225F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe
      "C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe"
      4⤵
      Executes dropped EXE
      PID:2656
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
1f3a1a9168dbe63459547cd13d0fde0b

SHA1
c04efb99a095e82bf5ccf7ca84975e038c26a24f

SHA256
185ac37c095e4bb0762713d5467a3ab24b00359db8ac1fb67f11b93718f10b9b

SHA512
68c1a38d74468106021c3ec65f70f9bfb6961528c9282466236d6d10d0fc79d751b87d634c0cdeca3c45c5c62d4b2f17d9c2f35a84e313e8fb70815914ae57d8

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
405KB

MD5
df237e69878d995bac782d82f5f1d253

SHA1
2f840581e688be2e17a29189cab2e7b3378495ee

SHA256
0e1517726d96d9615155f3b54c46a5e570a659f8ae897a7c250a55bca6bf0ae2

SHA512
2ca8eb5e35b2fc315650b17d74df577a35652ce753bd7296e8d48f2bd5d52848cbf86cea7999f509330cf40832c2a33101a895c423e47f9ee133484fe14a9bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a225F.bat

Filesize
722B

MD5
7d9b33fa043551317fa38d72cda53000

SHA1
ef773636424a5c5e53d8623d6fd6f7cdea72afba

SHA256
770c99ed1145f2263938e31ea5d27efe3faa97471b5cbe7f965810ada0cc7b42

SHA512
c5ca55f1d9b0dff811db1bbdd9b255036398a2b8a38c7dc552be27099f7256637f13e1fd5b7b550c597d8cf1adc60656ba9ef454b8d2c414cf70b1e2384d5360

Download Submit
C:\Users\Admin\AppData\Local\Temp\de8d9dfd0bf29edd729faa69f5d37c512246f3133a805dd0bd41c733f0cdf4aa.exe.exe

Filesize
410KB

MD5
ec1f17b80fe5ba414a9f952d930dd018

SHA1
0b830a8549ffddd3c5e7595d8ca17a05e86988fc

SHA256
0b7c5713b0353e068e873388f0fd4aa5af1070f1ebf26a9b446e32422e030e8e

SHA512
9bf31bdfe90eb433bd7f3541472bcdc67b24f2adcaa1eceeec1c9ce50effba239f718976997f5947f653d0d1a3f7459fe3153c371f73c16227b4cacdb4367931

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
738139875a4e601cb15f0d1bce2a0073

SHA1
15d48505b97a2b1bae4c4775437735f3842513de

SHA256
986310af0e488e221fb864c816c7dd3e2e362d2bd22a69ab7bada3d23a4de3f5

SHA512
456367b9e8af79b6f0b22f69d9310dfcc93ab497680d239c21ca95bb3ed8659b544c020bb63b810d6902ecdaf740016bcdbefac2e2edc67ac3226258e3b8de18

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/1196-30-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2208-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-2442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3000-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3000-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download