8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe
Size

50KB
MD5

e149e6834b50e0c9322ea0ec2c15170b
SHA1

59a264cf50f452ae61c487b3f96292e3a9c9dad8
SHA256

8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2
SHA512

2212cc5f5b8d701ca756cc7af2d5531728ed24a724f259d1a8488300eae118e2a9bc14b7239e182fa4c400a6ab71c2639565fbdcf698a36a6319931bf236c162
SSDEEP

768:Q1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLSkB2ZAUmgxH:CfgLdQAQfcfymNeK6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	Logo1_.exe
2648	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2812	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	31
PID 2416 wrote to memory of 2812	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	31
PID 2416 wrote to memory of 2812	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	31
PID 2416 wrote to memory of 2812	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	31
PID 2416 wrote to memory of 3060	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	33
PID 2416 wrote to memory of 3060	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	33
PID 2416 wrote to memory of 3060	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	33
PID 2416 wrote to memory of 3060	2416	8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe	33
PID 3060 wrote to memory of 2732	3060	Logo1_.exe	34
PID 3060 wrote to memory of 2732	3060	Logo1_.exe	34
PID 3060 wrote to memory of 2732	3060	Logo1_.exe	34
PID 3060 wrote to memory of 2732	3060	Logo1_.exe	34
PID 2812 wrote to memory of 2648	2812	cmd.exe	36
PID 2812 wrote to memory of 2648	2812	cmd.exe	36
PID 2812 wrote to memory of 2648	2812	cmd.exe	36
PID 2812 wrote to memory of 2648	2812	cmd.exe	36
PID 2732 wrote to memory of 2788	2732	net.exe	37
PID 2732 wrote to memory of 2788	2732	net.exe	37
PID 2732 wrote to memory of 2788	2732	net.exe	37
PID 2732 wrote to memory of 2788	2732	net.exe	37
PID 3060 wrote to memory of 1256	3060	Logo1_.exe	21
PID 3060 wrote to memory of 1256	3060	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe
  "C:\Users\Admin\AppData\Local\Temp\8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFA85.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe
      "C:\Users\Admin\AppData\Local\Temp\8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe"
      4⤵
      Executes dropped EXE
      PID:2648
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
d887926a58cf404c1b043c6826782ee9

SHA1
15c9b705d45aaf1ce0dc6b4f87bb16f7b31df100

SHA256
fcd5641e425f1d0ff439bd0c31924c2ecf25e9a9abfa6a0607b249d43c4cf041

SHA512
be4078f410e3c51d51cf959d69e1abf3b705adce7ec4baf5a40eb4366872ea0d9cc08bda8d64af903a62de3fb015e66c840e040b80459e2017fd574aaada3a33

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFA85.bat

Filesize
722B

MD5
06197b84b8970d84280f6a07af646222

SHA1
c9ac97a80d4bba578f55a9f99e089b579355167b

SHA256
37beab6ffd728f5a5d9002261609d6b967762b09f8a4881acba38bf7a7a4ba5d

SHA512
45201d40b62f2f05d8138054f5383812588cc8b2bad1c584c00fdbbb40d938fd6ff797683a700324fc2095e8be3dfa6783a5e7a05cafe6b6df1ccb57ca91f5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8caaeabc3a2d01441e75dc6fb393b816e83c6b728851002ef504e635657a99c2.exe.exe

Filesize
24KB

MD5
19e1e266dc889c4f87641cb07b589391

SHA1
893d64e4189eec187a9446ff955abed1144b1113

SHA256
c7de50d5674a0259625734daa4fc989de54641e78dead4bebb2cd3926a20d01b

SHA512
bb7d0ad6b44441bdbbc0c06d78f46ab506b585ebcedee439ec7ab0c6d5d742c0707ccb48fcc4cec0cd3c4f8d9346b6d9008f646049f2a96864365217c5b2a68f

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f85d04d350635e9f0363b173e23fc424

SHA1
27dc999478aebda72d6398c8516d898f03cfd74d

SHA256
c248aa3b61539f878316cc48a7afc8501ddc6a99cd334bbe13695d65adca677c

SHA512
4515a8f805bec76dad2da2ee1c4d8ae3c0393c50298f434aa4f960bc470bd4437d99df36bfd611e90348970a3570c2cac4f1aa1a473d4d335f01bbecc8b741a9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1256-34-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2416-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2648-31-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-32-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-30-0x0000000074B21000-0x0000000074B22000-memory.dmp

Filesize
4KB

Download
memory/2648-36-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/3060-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-1879-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-3339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download