Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 19:29
Static task: static1
Behavioral task: behavioral1
  Sample: 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
  Resource: win10v2004-20240508-en
General
Target: 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
Size: 387KB
MD5: b210ae318e39fbffe1d0d9f9592cba50
SHA1: 9b0a7500baf8b4a7ef85b082c2c65382bbbe5ed8
SHA256: 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26
SHA512: bcb3a9215e782c423f2fb557d47ea8ab6ffc01a62f4ba60516a190d307a8a98eb653fae489ae43d9e5a36fa8ab979bc9670f6c3c988f86310c6329f3ebbe40a9
SSDEEP: 6144:TgFpIP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moH2:apFahVy41
Malware Config
Signatures
Deletes itself (1 IoC)
  pid  | Process
  2348 | cmd.exe
Executes dropped EXE (2 IoCs)
  pid  | Process
  2688 | Logo1_.exe
  2752 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
Loads dropped DLL (1 IoC)
  pid  | Process
  2348 | cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | Logo1_.exe
  File created | C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Journal\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\vDll.dll | Logo1_.exe
  File created | C:\Windows\rundl132.exe | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
  File created | C:\Windows\Logo1_.exe | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid  | Process
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
  2688 | Logo1_.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 2416 wrote to memory of 2348 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 28
  PID 2416 wrote to memory of 2348 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 28
  PID 2416 wrote to memory of 2348 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 28
  PID 2416 wrote to memory of 2348 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 28
  PID 2416 wrote to memory of 2688 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 30
  PID 2416 wrote to memory of 2688 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 30
  PID 2416 wrote to memory of 2688 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 30
  PID 2416 wrote to memory of 2688 | 2416 | 6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe | 30
  PID 2688 wrote to memory of 2648 | 2688 | Logo1_.exe | 31
  PID 2688 wrote to memory of 2648 | 2688 | Logo1_.exe | 31
  PID 2688 wrote to memory of 2648 | 2688 | Logo1_.exe | 31
  PID 2688 wrote to memory of 2648 | 2688 | Logo1_.exe | 31
  PID 2348 wrote to memory of 2752 | 2348 | cmd.exe | 33
  PID 2348 wrote to memory of 2752 | 2348 | cmd.exe | 33
  PID 2348 wrote to memory of 2752 | 2348 | cmd.exe | 33
  PID 2348 wrote to memory of 2752 | 2348 | cmd.exe | 33
  PID 2648 wrote to memory of 2516 | 2648 | net.exe | 34
  PID 2648 wrote to memory of 2516 | 2648 | net.exe | 34
  PID 2648 wrote to memory of 2516 | 2648 | net.exe | 34
  PID 2648 wrote to memory of 2516 | 2648 | net.exe | 34
  PID 2688 wrote to memory of 1200 | 2688 | Logo1_.exe | 21
  PID 2688 wrote to memory of 1200 | 2688 | Logo1_.exe | 21
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  C:\Users\Admin\AppData\Local\Temp\6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe"
    PID: 2416
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a12E5.bat
      PID: 2348
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\6dbf54de4dc1302368ea5d56fcaaca7848d098efceb8dc10687c6737ceef1e26.exe"
        PID: 2752
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 2688
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2648
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads