cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 07:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe
Size

52KB
MD5

69d3b47a2977cefa5808deeaf5e920cb
SHA1

45bfcce62102af986d390a9d2bd370d2994bc82a
SHA256

cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da
SHA512

c44f5e24551479d3d384eef5d85ef9a9f67777b786c3d83fd89fad8840f14ada7b3f72237a2260e2408d8df0661a6a9bca53cd087fe46931ea27365b24527dc3
SSDEEP

768:pkG16GVRu1yK9fMnJG2V9dHS85qgt6jpYU5ltbDrYiI0oPxWExI:pkg3SHuJV9NP6jWWvr78Pxc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	Logo1_.exe
2632	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe

Loads dropped DLL 5 IoCs

pid	Process
2740	cmd.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe
2756	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2740	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	31
PID 2372 wrote to memory of 2740	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	31
PID 2372 wrote to memory of 2740	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	31
PID 2372 wrote to memory of 2740	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	31
PID 2372 wrote to memory of 2756	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	33
PID 2372 wrote to memory of 2756	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	33
PID 2372 wrote to memory of 2756	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	33
PID 2372 wrote to memory of 2756	2372	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	33
PID 2756 wrote to memory of 2832	2756	Logo1_.exe	34
PID 2756 wrote to memory of 2832	2756	Logo1_.exe	34
PID 2756 wrote to memory of 2832	2756	Logo1_.exe	34
PID 2756 wrote to memory of 2832	2756	Logo1_.exe	34
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2740 wrote to memory of 2632	2740	cmd.exe	36
PID 2832 wrote to memory of 2724	2832	net.exe	37
PID 2832 wrote to memory of 2724	2832	net.exe	37
PID 2832 wrote to memory of 2724	2832	net.exe	37
PID 2832 wrote to memory of 2724	2832	net.exe	37
PID 2632 wrote to memory of 2592	2632	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	38
PID 2632 wrote to memory of 2592	2632	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	38
PID 2632 wrote to memory of 2592	2632	cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe	38
PID 2756 wrote to memory of 1252	2756	Logo1_.exe	21
PID 2756 wrote to memory of 1252	2756	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe
  "C:\Users\Admin\AppData\Local\Temp\cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18FD.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe
      "C:\Users\Admin\AppData\Local\Temp\cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2632 -s 124
        5⤵
        Loads dropped DLL
        
        PID:2592
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
e07b271414d7901d4be3fef46b6234ad

SHA1
383c79a26054fb1d00f931222e5f7fd7cdc2987b

SHA256
84bb3d64de9f9a1c3b1c2359204a1986fdbe17ef226274213bb17fbf0ca2198c

SHA512
d989a243a0c6e0f1fa1e562f49be1263fd2d7962f289d4a0108f046ef6f2cd87b262a4b2fbd4a94be3f9e39ac656b402f8d8aa40600db3ee02b24cf0d78e08e3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a18FD.bat

Filesize
722B

MD5
7c467a97b86137298ab6e1042e68a91f

SHA1
707a7e68c851e42cc3b339ae390e3b3707f8f63c

SHA256
842a55b485d3e08152dfc5482c3c0806c601282df4f04cd9d54147e345df5514

SHA512
e4591a5e7def2be43607a71d78f1365d0adf26c99c38c5544234f83d09f20012a4824f01c679a0a36159a74a1f84c158934a2cdf17048f50afc7f0e09aadc522

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
9c93f08705742f729989246ec26c3dfa

SHA1
0b2a8d41f9b2e452aeae1f720f31814d667462ec

SHA256
f27ccbe73d56d0126cac6349b6ae5143af964c093c94570890cd38a01f200679

SHA512
f5dcb1ba3ea6191dd910fe0f781992d9344b42e2ea8034ab5775489a43971c613c995869f649d5de35656ec4b8e397de51e9e9eb0070ab8705ff14b46877ee2e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
\Users\Admin\AppData\Local\Temp\cb72a92792fe4d558f41df5285454b9a4b732d5e6c439d3db860edc7c6d263da.exe

Filesize
23KB

MD5
3f9dbfee668294872ef01b90740b01d0

SHA1
99a4702b65485cd14736b1c2cdfb81b455dda01c

SHA256
40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

SHA512
0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

Download Submit
memory/1252-33-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2372-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-667-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-1879-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-2150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-3339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download