Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
  Resource: win10v2004-20240508-en
General
Target: 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
Size: 514KB
MD5: f833de8ce584c3ccf5a90f2d4a3ac7df
SHA1: 54208f8acc68611d8408b02f8355940605e5d47c
SHA256: 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540
SHA512: 6da00d50089362b9253c112c38d9a548c0b743b0696a87b48a16ceb28743f76a901f02f9c426d6e1ca15d676478ac90b07bc082d0a2b8eb9c7047008d0d6640e
SSDEEP: 12288:w7+kq9yRScSY9T4oDrcKrmFI6soifXBB:w71HSal4krcKCs1fBB
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2804, Process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 1648, Process Logo1_.exe
  pid 2400, Process 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
Loads dropped DLL (1 IoC)
  pid 2804, Process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  - File opened (read-only) \??\E: Logo1_.exe
  - File opened (read-only) \??\X: Logo1_.exe
  - File opened (read-only) \??\T: Logo1_.exe
  - File opened (read-only) \??\R: Logo1_.exe
  - File opened (read-only) \??\M: Logo1_.exe
  - File opened (read-only) \??\K: Logo1_.exe
  - File opened (read-only) \??\J: Logo1_.exe
  - File opened (read-only) \??\Z: Logo1_.exe
  - File opened (read-only) \??\Y: Logo1_.exe
  - File opened (read-only) \??\P: Logo1_.exe
  - File opened (read-only) \??\O: Logo1_.exe
  - File opened (read-only) \??\L: Logo1_.exe
  - File opened (read-only) \??\I: Logo1_.exe
  - File opened (read-only) \??\H: Logo1_.exe
  - File opened (read-only) \??\W: Logo1_.exe
  - File opened (read-only) \??\U: Logo1_.exe
  - File opened (read-only) \??\S: Logo1_.exe
  - File opened (read-only) \??\Q: Logo1_.exe
  - File opened (read-only) \??\V: Logo1_.exe
  - File opened (read-only) \??\N: Logo1_.exe
  - File opened (read-only) \??\G: Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  - File created C:\Windows\Logo1_.exe 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
  - File opened for modification C:\Windows\rundl132.exe Logo1_.exe
  - File created C:\Windows\vDll.dll Logo1_.exe
  - File created C:\Windows\rundl132.exe 5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 1648, Process Logo1_.exe (logged 10 times)
Suspicious use of WriteProcessMemory (22 IoCs)
  description (source PID and Process, target PID, procid_target); identical entries are collapsed with their count:
  - PID 1924 (5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe) wrote to memory of 2804, procid_target 28 (4 entries)
  - PID 1924 (5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe) wrote to memory of 1648, procid_target 30 (4 entries)
  - PID 1648 (Logo1_.exe) wrote to memory of 2664, procid_target 31 (4 entries)
  - PID 2804 (cmd.exe) wrote to memory of 2400, procid_target 33 (4 entries)
  - PID 2664 (net.exe) wrote to memory of 2704, procid_target 34 (4 entries)
  - PID 1648 (Logo1_.exe) wrote to memory of 1116, procid_target 20 (2 entries)
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1116

  C:\Users\Admin\AppData\Local\Temp\5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe"
    PID: 1924
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1526.bat
      PID: 2804
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe"
        PID: 2400
        - Executes dropped EXE

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 1648
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2664
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\5844050d8367d23173edd7909277a5c6287563546c0de063228af86e08811540.exe.exe
Filesize: 487KB