b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
Size

940KB
MD5

76c4f4ba195592194f32f2503479cf55
SHA1

f9e7c610214f948893db8411bb291e3f0bff5198
SHA256

b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9
SHA512

042c8034e5bdf4bdee2f3a0172a1d1281260a241304216ff19e36c00e58d1212c68a2cea610cae41a150d814798e12a86cef03e23d71984b7e13adb60878ef53
SSDEEP

6144:3VfjmNjJQu49F5tc5Y8HWJffsLr+kHqwLOyfld9lYBT15sS9oQHfSgtoqbc/XFBH:l7+FCjcdHEffoqKFBS+QXtzcHLPh2eJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2932	Logo1_.exe
2784	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
1260	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
2708	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
File created	C:\Windows\Logo1_.exe	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\DPINST.LOG	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2708	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	28
PID 2392 wrote to memory of 2708	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	28
PID 2392 wrote to memory of 2708	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	28
PID 2392 wrote to memory of 2708	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	28
PID 2392 wrote to memory of 2932	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	29
PID 2392 wrote to memory of 2932	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	29
PID 2392 wrote to memory of 2932	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	29
PID 2392 wrote to memory of 2932	2392	b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe	29
PID 2708 wrote to memory of 2784	2708	cmd.exe	32
PID 2708 wrote to memory of 2784	2708	cmd.exe	32
PID 2708 wrote to memory of 2784	2708	cmd.exe	32
PID 2708 wrote to memory of 2784	2708	cmd.exe	32
PID 2932 wrote to memory of 2156	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2156	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2156	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2156	2932	Logo1_.exe	31
PID 2156 wrote to memory of 2660	2156	net.exe	34
PID 2156 wrote to memory of 2660	2156	net.exe	34
PID 2156 wrote to memory of 2660	2156	net.exe	34
PID 2156 wrote to memory of 2660	2156	net.exe	34
PID 2932 wrote to memory of 1260	2932	Logo1_.exe	21
PID 2932 wrote to memory of 1260	2932	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1260
- C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  "C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aED0.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
      "C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      PID:2784
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
bcb9e88e90555be4406d1f1990dae6e5

SHA1
e73a89da48a32a78ec3637bc4192d9c2a34e86a7

SHA256
48f8e46b1ccbb647b81d781442c7f17b3bd9db20d9455812174437bcb80c4d7b

SHA512
3d8af1e295260a9fb048a3f140625959f6985ad31aa59873d54ba5e253d918876b7ab36caefc7365ac359883c97784fd168725cb7c7bc9ec792d396e6e90acda

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aED0.bat

Filesize
721B

MD5
26797a915f21a1ce99c0e61e4752b539

SHA1
38f7f1ab0aae3beb3f8d4f001868786da9404378

SHA256
5b289a7cc0f9c5b84e9adeaa900cec55b8a46a3ed33403c394eff522a9511455

SHA512
2b2f671960af12a8a035bc22b4891d7c541aa5fdb7a21e2e56187bd275c0aeb3d196597d4ccd2b124ddeeb4a210841de5f1ce87721cb1316c4929982fe8cd618

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe.exe

Filesize
913KB

MD5
e90140ff5f5ff7521ea52f94bec29f8c

SHA1
a3aaf4d6705984d2f0b97d277766ebc82a26011f

SHA256
0e25afc6f2c17e08afc91f7717b3669cb4de6f77dd62b78674b09e0d59e4aa3c

SHA512
f644e4c22be81aeddf380ec8b550c3774a6c8678b9ad4cb210235ae440bd9f1e16df84832babac21672b69a57ebd779bbfb562dd6158f91cc48367ef3e383a3e

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
db1b9d89625483c2be503d426ab3dca2

SHA1
3f3b288bbbae204ca0d1298361d287a52050d1fa

SHA256
6d78e466f96a382cabdc9473590510a217411e74807d803b1ac6b53870298101

SHA512
c118d5f1ab8a5e08b9af12a612ce64a43b709237f7c2c8d94bf8f7b7f1e591070385a1352421f5fa89926268e6b372040a968a6b9ebaacc949efce9232d514d9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
3b22ce0fee2d1aaf2c66dcd142740e29

SHA1
94d542b4bb9854a9419753c38e6ffe747653d91c

SHA256
8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

SHA512
efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

Download Submit
memory/1260-32-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2392-12-0x0000000000540000-0x0000000000574000-memory.dmp

Filesize
208KB

Download
memory/2392-18-0x0000000000540000-0x0000000000574000-memory.dmp

Filesize
208KB

Download
memory/2392-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-2203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download