92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe
Size

69KB
MD5

98251ccdedc6de7a72a6696c03d5090d
SHA1

ffcbacf6a9aba6f0239647d715c71f1c9b82710b
SHA256

92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004
SHA512

df489b8efb941f36f640d79b44c8a6dde310e1a286f7e2de238cbe046a594952ed94f03e5c3437340f8b0e20db2eb149e69e7effcd3fc6bab7f6200da646260f
SSDEEP

1536:TfgLdQAQfcfymNg7fruKCq5MF5GBe1HH22irdWKHZQGDR2gjqrbl:TftffjmNg7Mq5MDHH22ihnDlGr5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1200	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe
File created	C:\Windows\Logo1_.exe	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1200	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	28
PID 2008 wrote to memory of 1200	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	28
PID 2008 wrote to memory of 1200	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	28
PID 2008 wrote to memory of 1200	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	28
PID 2008 wrote to memory of 2476	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	29
PID 2008 wrote to memory of 2476	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	29
PID 2008 wrote to memory of 2476	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	29
PID 2008 wrote to memory of 2476	2008	92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe	29
PID 2476 wrote to memory of 2588	2476	Logo1_.exe	30
PID 2476 wrote to memory of 2588	2476	Logo1_.exe	30
PID 2476 wrote to memory of 2588	2476	Logo1_.exe	30
PID 2476 wrote to memory of 2588	2476	Logo1_.exe	30
PID 2588 wrote to memory of 2592	2588	net.exe	33
PID 2588 wrote to memory of 2592	2588	net.exe	33
PID 2588 wrote to memory of 2592	2588	net.exe	33
PID 2588 wrote to memory of 2592	2588	net.exe	33
PID 2476 wrote to memory of 1180	2476	Logo1_.exe	21
PID 2476 wrote to memory of 1180	2476	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe
  "C:\Users\Admin\AppData\Local\Temp\92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a316C.bat
    3⤵
    - Deletes itself
    PID:1200
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
533ce215a7c274602dc456ca375cef93

SHA1
76c502d7c45eca3fd96f6b04eb850e751bc785dd

SHA256
d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c

SHA512
09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a316C.bat

Filesize
722B

MD5
313a3dcf32f7fa4afc442fd5f2e6f3cc

SHA1
0f80fd8840327720086b6b86e0b72ef38eaa749b

SHA256
c07dfd3776480485f3f6f096d2b0568b08de2196a5dde2bb8bd4fc409ea0330c

SHA512
08dca3840edd395d38fe2ce71bbdbaa668a496ad4696fd4b41d3dfd72852313a5718abc104615e02f7e282cade621989cbb9d18c92bbfbb4f9359972e1712e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\92e1e01f8701852db9a1e65b1f2c5d2c9ae70b5fdd560b895c88840e6d350004.exe.exe

Filesize
43KB

MD5
014e9e117ea251d7afd81e5851c67cc2

SHA1
5bb10fa016ae167b81ee6eecbfcd876cbaf24fef

SHA256
52bee7d83624e3d994bf35420afdd113f710241859092cb07092901e49872854

SHA512
d34f3901a92682102940600caf52f60aa69364e232caf84d2fce2a092b27052e3e680cde6132562893a5f538477495c27731a1363e722fd3bc5ede95955ad1bd

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
2763933e4242551014d36b1dfcb631f7

SHA1
8fd2f3892904d8eb8ae9889e9d535a53caa9555b

SHA256
887c8250188b2f2c82d30ebfbe6ffb550d6a295464ac2d348063620577cdbd7d

SHA512
a018b563efd1fcaa228590aa68b772392e719ac46fd5bb76b04a82de265135b1baabb94bba9ed15bfd1824b12b797fc73ba70effb25ba01506d150dc449bb202

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
8B

MD5
8ca26bb1fe4da60eed2a231635eb2857

SHA1
405090f7801e12b524dae9c7d0fef9a3fa8b41d8

SHA256
503d5e11de7bb526313442e7b0380b9fb27430b5ada8ad10b5008827c8a4fc54

SHA512
6852196fcd3912e037e41764f999dbb155b95d7b706e496159ac06845e46ec03a875d8a6a3a54e1316d9ce2986fdc17fdaa98024aa3a3c69f276d34ebf0c7426

Download Submit
memory/1180-27-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2008-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-1847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-1848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-3307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download