ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe
Size

662KB
MD5

5c6f89e6ea1900c80d60d041742bc195
SHA1

124a84560278a1d5c5995d6a76bfb2ffff71cfe1
SHA256

ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba
SHA512

9f1012d02d0a2b4a1336d92034ffb68804b3501c6c4f40396819a41d1814e6607a8b91dfc2092c892c3efd10e406e78ed065186649b03b8999a5890c30fcace0
SSDEEP

6144:uuJpC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVAh7f:cPFlTz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	Logo1_.exe
2600	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe
File created	C:\Windows\Logo1_.exe	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe
2588	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2876	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	30
PID 2840 wrote to memory of 2876	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	30
PID 2840 wrote to memory of 2876	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	30
PID 2840 wrote to memory of 2876	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	30
PID 2840 wrote to memory of 2588	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	32
PID 2840 wrote to memory of 2588	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	32
PID 2840 wrote to memory of 2588	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	32
PID 2840 wrote to memory of 2588	2840	ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe	32
PID 2588 wrote to memory of 2604	2588	Logo1_.exe	33
PID 2588 wrote to memory of 2604	2588	Logo1_.exe	33
PID 2588 wrote to memory of 2604	2588	Logo1_.exe	33
PID 2588 wrote to memory of 2604	2588	Logo1_.exe	33
PID 2604 wrote to memory of 2580	2604	net.exe	35
PID 2604 wrote to memory of 2580	2604	net.exe	35
PID 2604 wrote to memory of 2580	2604	net.exe	35
PID 2604 wrote to memory of 2580	2604	net.exe	35
PID 2876 wrote to memory of 2600	2876	cmd.exe	36
PID 2876 wrote to memory of 2600	2876	cmd.exe	36
PID 2876 wrote to memory of 2600	2876	cmd.exe	36
PID 2876 wrote to memory of 2600	2876	cmd.exe	36
PID 2588 wrote to memory of 1192	2588	Logo1_.exe	21
PID 2588 wrote to memory of 1192	2588	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe
  "C:\Users\Admin\AppData\Local\Temp\ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a63B3.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe
      "C:\Users\Admin\AppData\Local\Temp\ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe"
      4⤵
      Executes dropped EXE
      PID:2600
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
576f46118027bdc1d7c8e8be75fb64c4

SHA1
661955a312849b675e85a66c15b41b163f2886a3

SHA256
a509a22398e49890b21ed2a4ef0811a77279c475771c7bced27b5ee9ef957e5c

SHA512
2227a3807baa854f1d36f742285a12bb0359779c3533ea932cf3481bbfe4a2887aabf316438fd5511506e3746dbef8ebfec299ef66c3fbae08763d8039464771

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
81e51673a97afb89c6762e25450e0afa

SHA1
63756c6fbc59b14d69aad2d9f6ec8a76161f8882

SHA256
ca803738679f2d4b2b0e993df8a2b069cd61043981d0f15e56c6270063b4327f

SHA512
0fb8a3eb57004d98ffab71aecc73724a077e796de3d723010f4afe241cd15c0e886d07a12b9927495c5b845bd50e6b4b491d611935b43b10f3fbe4b2d45e2ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a63B3.bat

Filesize
722B

MD5
d9dc649336ce8873c45bee2415226a67

SHA1
534e9c58c4f92a6185fb12698dd9e1eb03d0de31

SHA256
d526670681bd127e5da13136820999b6a16cf685edc6a29c1973bdd70fded9af

SHA512
547020ab7886c5cd55baed7398f0c529a9eb4f5368ff317732f7442f144ddf6e1c1da562178c91549bc2e8b7815e25dffbdda643f3009d4f116a15756fc46f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce8323fa5dd900df642c21ec4bd0541a494ef02a0a8a3d5a56d4dd00020f32ba.exe.exe

Filesize
633KB

MD5
2e0d056ad62b6ef87a091003714fd512

SHA1
73150bddb5671c36413d9fbc94a668f132a2edc5

SHA256
cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c

SHA512
b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
a138bbeeec7d59fbd516ef0237d829c6

SHA1
e32be6ab403d2f1af197ec5543e0142320078a2a

SHA256
046edb4bab763c08349077cc670cdfe5eaf12056913bdd6a0beb4acfe7e93e8f

SHA512
458ff81f98d79b44edf27d2b0b981d33e9678270dd206ac59ed0333a0f2535dd7062b75e56dbe5976fc80d67c89460278eec982b025743d9465fe5360119879c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1192-31-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2588-999-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-3336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-3165-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-1876-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-18-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/2840-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-16-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download