bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe
Size

334KB
MD5

08695bf50609a09d77a259a1ae6cde7f
SHA1

69209682abe55f697bb8d0fcdbcce92f4b27c9a6
SHA256

bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca
SHA512

7916891a6ae2cc2480e8d9cbdf08cc02645d0e2630bc256e1a175c14a3577df889f3494e5f12346dd03a91dfafc74db1d29f40e556134cc6ffe1068f37d65175
SSDEEP

6144:DVfjmNI/+mdRYXCnuLDU0SwSttIHNzca7TcxXlShHqGM4mF5sAOj/dxC0WKEy8JX:Z7+cdRDuLDU0SwSttIHNzca7AxXCg4OH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2432	Logo1_.exe
380	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe

Loads dropped DLL 1 IoCs

pid	Process
2420	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe
File created	C:\Windows\Logo1_.exe	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe
2432	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2420	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	28
PID 2960 wrote to memory of 2420	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	28
PID 2960 wrote to memory of 2420	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	28
PID 2960 wrote to memory of 2420	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	28
PID 2960 wrote to memory of 2432	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	29
PID 2960 wrote to memory of 2432	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	29
PID 2960 wrote to memory of 2432	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	29
PID 2960 wrote to memory of 2432	2960	bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe	29
PID 2432 wrote to memory of 2288	2432	Logo1_.exe	30
PID 2432 wrote to memory of 2288	2432	Logo1_.exe	30
PID 2432 wrote to memory of 2288	2432	Logo1_.exe	30
PID 2432 wrote to memory of 2288	2432	Logo1_.exe	30
PID 2288 wrote to memory of 1432	2288	net.exe	33
PID 2288 wrote to memory of 1432	2288	net.exe	33
PID 2288 wrote to memory of 1432	2288	net.exe	33
PID 2288 wrote to memory of 1432	2288	net.exe	33
PID 2420 wrote to memory of 380	2420	cmd.exe	34
PID 2420 wrote to memory of 380	2420	cmd.exe	34
PID 2420 wrote to memory of 380	2420	cmd.exe	34
PID 2420 wrote to memory of 380	2420	cmd.exe	34
PID 2432 wrote to memory of 1180	2432	Logo1_.exe	21
PID 2432 wrote to memory of 1180	2432	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe
  "C:\Users\Admin\AppData\Local\Temp\bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAC37.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe
      "C:\Users\Admin\AppData\Local\Temp\bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe"
      4⤵
      Executes dropped EXE
      PID:380
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a4be970114fde7b4347a171ef559737b

SHA1
9ff5a5c55eca69d00aa5cf88a86831f2954ee214

SHA256
54f93dd3fd4b973502236e7372591290aef4913ed31ab38fa17c4b0e52b86e21

SHA512
e4fb957ac171ac1bbca431fbfbb8c9142b5493e3b875db7f61182c91adce87d29b410c766d5043b8bee276f9024b7b14ee636106a037db8f35d545b20ec635ce

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAC37.bat

Filesize
722B

MD5
7adb11acbcd7fda9f57bf915e02b651b

SHA1
c76e90700b00a4bb3e5084e232f31d4355371905

SHA256
7d84254828d306ecdbf86218e61169270f4b13b1abb9462010804fcddefc5129

SHA512
2b7a803d21e40d47d818f70b7ce8769019585f115b0e238e2b96b5ec1462ce3844d97705a435674aee30ac43e827b78cc41e6b3094f35922636c0462e3516059

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb89c99ff6f2a0d17870f03af0c6e6f911b714eeb407eb18fdaf05b586ea22ca.exe.exe

Filesize
308KB

MD5
880e88e7af7eb2b469fd7a276adf1bc5

SHA1
ee3dc170fffc305a5fccdf81d4dd680eb4257494

SHA256
4a43abaa67695802288077606cca19ad7d968d7ceea14c62150f2805f85838db

SHA512
65566017139f5e3631cdef0548c9306c4162a61eaa9c189e145e8b069b6a6efa01c8ec85bc091684286d6e82680eb2d28154c1c610951ba7db59fe966aba89c9

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
86f9430d4925c4f45151eea124081d83

SHA1
52df34b47184ed2700bbd92b68874c73592b6d1d

SHA256
41b9e2bf3ce43d681d6dde91ffff8a23adcc4da2076516de2bf2631708b74350

SHA512
910bce524874bbe43de4e9309b1e7aa6a547a6592e3cdcff1f992c156142dc4bf493d23218f635bb6f6366bc1616d96d6ca885d651c0b4be87ab845901f4e3e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
ee036d7bfecde982d31263f77044a72f

SHA1
d575db536fac53ad7f9e8f28fbf32a34aaa54afd

SHA256
6bd2c0216839f407cec78332e286e5649b2f99169f532db4197696fb125339ee

SHA512
7fe9f2de5fb89d0f7d9ddd7a9196ac54c8d159b403a428ffaea985d6bcb73e8e98a9fe36ec4cd102aa76b37f96dcd5c7a2b1abd04634a3489cc3074b57914863

Download Submit
memory/1180-29-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2432-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-631-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-1873-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-2379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-3333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download