c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 23:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe
Size

573KB
MD5

4ab2311c3efa42588cdac149bf585df3
SHA1

c3295d54c91dd9d24aca6d025f87066aa0387a82
SHA256

c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae
SHA512

0b6df2a692566798c0b953a3308f1e52c0d3ff45726ea6c7aaeadf2342321358559f04f1610202ce1e62168c215d28611c4229db07dc532689468acc97614283
SSDEEP

6144:FuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:D7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	Logo1_.exe
2916	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe

Loads dropped DLL 1 IoCs

pid	Process
108	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe
File created	C:\Windows\Logo1_.exe	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe
2680	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 108	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	31
PID 2756 wrote to memory of 108	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	31
PID 2756 wrote to memory of 108	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	31
PID 2756 wrote to memory of 108	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	31
PID 2756 wrote to memory of 2680	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	32
PID 2756 wrote to memory of 2680	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	32
PID 2756 wrote to memory of 2680	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	32
PID 2756 wrote to memory of 2680	2756	c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe	32
PID 2680 wrote to memory of 2776	2680	Logo1_.exe	34
PID 2680 wrote to memory of 2776	2680	Logo1_.exe	34
PID 2680 wrote to memory of 2776	2680	Logo1_.exe	34
PID 2680 wrote to memory of 2776	2680	Logo1_.exe	34
PID 2776 wrote to memory of 2696	2776	net.exe	36
PID 2776 wrote to memory of 2696	2776	net.exe	36
PID 2776 wrote to memory of 2696	2776	net.exe	36
PID 2776 wrote to memory of 2696	2776	net.exe	36
PID 108 wrote to memory of 2916	108	cmd.exe	37
PID 108 wrote to memory of 2916	108	cmd.exe	37
PID 108 wrote to memory of 2916	108	cmd.exe	37
PID 108 wrote to memory of 2916	108	cmd.exe	37
PID 2680 wrote to memory of 1124	2680	Logo1_.exe	20
PID 2680 wrote to memory of 1124	2680	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe
  "C:\Users\Admin\AppData\Local\Temp\c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE15A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Users\Admin\AppData\Local\Temp\c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe
      "C:\Users\Admin\AppData\Local\Temp\c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe"
      4⤵
      Executes dropped EXE
      PID:2916
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
2f23f4e1efacb0e10c93de18de903b15

SHA1
c8003971a3eb07aa2f63fd4cb80582c2f6c5a895

SHA256
c11bbf970a4f483f0e5beeaefb8afb247abe6133b1c42c9f2f6b51ed13f52b93

SHA512
a9526b065dd729db5555826c35da470e546ac2a40f555ef40f5a415d5e90349b6d2099f700fd385ca2259d64cddb9a95b50d3d8a7450b6734d6739df87cd7692

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1b12b9060b8875ff79fd921d924df171

SHA1
2cefdd8b0ba05d21051feb64909fef80f4d4f799

SHA256
b4e50274be3a43611ffaa568b252b827c66855f4f50024b31ac68712cdb4eaba

SHA512
26c4d288eb0525f4abaa9fa9704aabd30b21d0dc444a4d352edc92ca584b384c00dc16c3ba9b904ba9cf8718a0e51501e505873d5b09cfc76013eb8f5e5f393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE15A.bat

Filesize
722B

MD5
147f65159e933ff8182643265de59b8f

SHA1
c3a9d29047be8e95f621991a76f52cdc630ce30b

SHA256
b387a1807d513ccc08a5d1235037698b8c6a21363c5234fd920156e65097e271

SHA512
ad026f0597ebe7824bfbbdf5e36d258c0a915c81da074fcf9862c74b8baf2eb0fbc6051b60dc89880536967247c0cf2e5f469b560ac05492f873e2dbe3b1fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6ae378cc908d08479562ae277d2faaf261b3b96dfa29e358db4fef9584fe9ae.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
9cd1b22ca5305c5cc480f0f2753b057b

SHA1
e39379b4793cce690ac333aa3ed5da75c213d20c

SHA256
363a187f7123111d576a91894824b5d5a9b840066a3825755f7f24431e30d7d5

SHA512
44bb942f2fd96984416cc05bbf3c2abfa2dcfe0960a38db6f3ca3d0eb9728fd306341be525dc405d9cd315eae29bd81d3f49729b29afba0d2cf1406e5fce9eb1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1124-28-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2680-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-826-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-1872-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-2733-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2680-3332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download