cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
Size

959KB
MD5

5d2d3f8ac618ff5e41745aa8493c8cf4
SHA1

7b47ba7124b23f4012a94cc11e5c7b712dd85b6f
SHA256

cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2
SHA512

2fb22c6556fd74e37ddfc49971625b46e2ad33c5857b9ded9ad74d817cac96630a6b2a1b0d4ab5ad29c1ff20da5e46a0f9c600e5c18ddc5dad0b0d3c3852f013
SSDEEP

12288:kRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:JBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	Logo1_.exe
2664	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	cmd.exe
2304	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{9DE7027D-B8EC-4BBC-9990-0AF535C09D17}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
File created	C:\Windows\Logo1_.exe	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2664	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
Token: 35	2664	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2304	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	28
PID 2804 wrote to memory of 2304	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	28
PID 2804 wrote to memory of 2304	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	28
PID 2804 wrote to memory of 2304	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	28
PID 2804 wrote to memory of 2292	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	29
PID 2804 wrote to memory of 2292	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	29
PID 2804 wrote to memory of 2292	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	29
PID 2804 wrote to memory of 2292	2804	cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe	29
PID 2304 wrote to memory of 2664	2304	cmd.exe	32
PID 2304 wrote to memory of 2664	2304	cmd.exe	32
PID 2304 wrote to memory of 2664	2304	cmd.exe	32
PID 2304 wrote to memory of 2664	2304	cmd.exe	32
PID 2292 wrote to memory of 2624	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2624	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2624	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2624	2292	Logo1_.exe	31
PID 2624 wrote to memory of 2808	2624	net.exe	34
PID 2624 wrote to memory of 2808	2624	net.exe	34
PID 2624 wrote to memory of 2808	2624	net.exe	34
PID 2624 wrote to memory of 2808	2624	net.exe	34
PID 2292 wrote to memory of 1200	2292	Logo1_.exe	21
PID 2292 wrote to memory of 1200	2292	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
  "C:\Users\Admin\AppData\Local\Temp\cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCCD.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe
      "C:\Users\Admin\AppData\Local\Temp\cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
1c6550eaee43182bf9e35c8b58e53ea1

SHA1
dcc4f985c8317236e6c80f955711ac9610e65b01

SHA256
5cbb1c5a14d9efec6356239f432c3771815ec861034153a4a01ddd64197362e9

SHA512
e2022d7d803dc67b79e245a83d011352c295f9c43b7b4fb382c8d68cbc2a729345789d08b4c91e4239a523518c53ec6a28514cd9033cdf7008083d4f329ce9f3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
ab3456f4e27aab57969f3d11711b42b7

SHA1
8870321aece44a164ca26e2c9c4a82135a4b955e

SHA256
573a9c02df931885a3cd18a62509689ef612c873b7a8933130767ed2f3e021ef

SHA512
94f9e916b4bf26a7d63324520b00189ec72d5c5fa84d990d8030a14dbc5b37dd9e342202ca18eb24db1d7e26df97015df24b47d4070cfd0c9921f9a0f8c0ffb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCCD.bat

Filesize
721B

MD5
c423c06f34e4730011022df845746edf

SHA1
87161a514d4ccee4a8996cdc7b34b820235a55a4

SHA256
420bbcd8c06072fa8d3a7d85013a174c6bac7176466f5c7d01f43d50a48d96f0

SHA512
a1a27ba88f44e04797d5f3c9973eda2caf2a0d9918b0d63e5e3e76ca346d2683b7050f29c0cdba93fa03437e0be159ac08d4e5fe0f8b8e630c702f39d61ed20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc9799e73e7d7378868610ead47bd9fcc8e0b7b2114fa972128f49df70c864e2.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
3e905af44525ae41bac2cd0c768ff3fd

SHA1
5541cb5ea4e36123be9d93a63c6374ca532c3b36

SHA256
12ac2567f5a9c10e10d4ae42305278d2a342629a943109978ae14dc90ce8fef3

SHA512
e8c203087dfbdb6648ac683622940a2507735a723bc13c450ed3130704537116dc9a762a732c1daaa4d880439ce2c29b1987181a1007ff665892865194e21d93

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

Filesize
9B

MD5
f0a92d08416cb87dc153ea387c708411

SHA1
37c1e98506bdb3d5ea2e7fcb62bb91c9bf5b4fb1

SHA256
478ccf01e44e5bd446e37007b199568a73c0452e34ce917945fd820710107464

SHA512
1dd7d96307c01abb2985ed1d39617787563174f5b90df9786106259ea12a08bdf39662c440bdc4b3ac4f6bb499a4aaf058ed18e06ef72be5f82f01b7150ec9a5

Download Submit
memory/1200-32-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2292-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-3338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-1979-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-1878-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2804-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download