90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 23:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe
Size

389KB
MD5

862d054c3d16d3d265edbe551c03b333
SHA1

cf3672b911f20186596cc87d4e3e8effc4096aab
SHA256

90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80
SHA512

5bab9f24ec58b12f665f313ae08d8da1fdcb218240ddd7273dd4534e1037375b3781a7a46d2c7c22f9593725c58b3163fc846ebf6ff34eee89b49251f27a428f
SSDEEP

6144:YuJ6P2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moHXG:NahVy41

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1664	Logo1_.exe
2640	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe
1664	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2320	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	28
PID 2240 wrote to memory of 2320	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	28
PID 2240 wrote to memory of 2320	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	28
PID 2240 wrote to memory of 2320	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	28
PID 2240 wrote to memory of 1664	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	29
PID 2240 wrote to memory of 1664	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	29
PID 2240 wrote to memory of 1664	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	29
PID 2240 wrote to memory of 1664	2240	90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe	29
PID 1664 wrote to memory of 2620	1664	Logo1_.exe	31
PID 1664 wrote to memory of 2620	1664	Logo1_.exe	31
PID 1664 wrote to memory of 2620	1664	Logo1_.exe	31
PID 1664 wrote to memory of 2620	1664	Logo1_.exe	31
PID 2620 wrote to memory of 2512	2620	net.exe	33
PID 2620 wrote to memory of 2512	2620	net.exe	33
PID 2620 wrote to memory of 2512	2620	net.exe	33
PID 2620 wrote to memory of 2512	2620	net.exe	33
PID 2320 wrote to memory of 2640	2320	cmd.exe	34
PID 2320 wrote to memory of 2640	2320	cmd.exe	34
PID 2320 wrote to memory of 2640	2320	cmd.exe	34
PID 2320 wrote to memory of 2640	2320	cmd.exe	34
PID 1664 wrote to memory of 1148	1664	Logo1_.exe	20
PID 1664 wrote to memory of 1148	1664	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe
  "C:\Users\Admin\AppData\Local\Temp\90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCAE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe
      "C:\Users\Admin\AppData\Local\Temp\90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe"
      4⤵
      Executes dropped EXE
      PID:2640
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
48b536408ac1a66263ed8da4ec21add8

SHA1
62d20d73d6035d5ce1e1bf1068ff3bf52d609c3b

SHA256
fbc2cf414606174f3555d76fe647557b72ac47e6bda0864fd8c5dad738df1733

SHA512
44f09df70cb4cafa63f88899b0b0fa07bf8fcd5d0106a9a945453de7570c37985039c4a7267708815b6c707539e9a4472d329f010f6a692c5c1fcaab6c41f1c0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
de4228cb7a5a7f082477f6a504b822a7

SHA1
dfd84f0b6f4977bfda43b1827aa747a9a5a8a38b

SHA256
8c5089a062734aa1a66e70700d4f33f2f54157c4bb3ed4d6ce1a852de8b6f90b

SHA512
a3b64b10a22dedebfa48e7705e148d50df480fa9bb0669bc06951ab0ff5f97657f72dc8b71db610499ee38ecae9ae494265841a737806bed7c061d0b634913c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCAE.bat

Filesize
721B

MD5
256db8328a5be3c63e955f1a70b6dce6

SHA1
f8188dad1e2a79c9db4b3cbf1a1eb78ab74f4bc7

SHA256
f3612d309bd7d79a3004d635b30f5d2c16991867ddecc6547bec84a4b6114cac

SHA512
ad346c643bfcdc0342016517dddda086c963ace75127625bab60511b6d9d3fe8a4fd2fefe745eba434698a50dc0905d5612633e3ec4c2b475d3774d78e61d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\90fdacd4ce6f6a3efeeb4ca4d9b856f4ce29232f56f01ed71d5d5fa3d94a2a80.exe.exe

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
9fcfb6b631b5a62c2af6f852de61dc71

SHA1
02149b5ae9d7c72cc2df500a9cf25ef4234614e1

SHA256
470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a

SHA512
69076244e4c53b09a9d3595e6b53201013ce006da986542f8375223640e5ce66d000c9f02c71d3856ea0f3f788c139fce670ae26c571bd71d801bd67e15cb66a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
1f206a052c160fd77308863abd810887

SHA1
3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

SHA256
45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

SHA512
bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

Download Submit
memory/1148-31-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1664-635-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-2101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1664-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-16-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2240-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download