Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
19-07-2024 09:49
Static task
static1
Behavioral task
behavioral1
Sample
96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
Resource
win10v2004-20240709-en
General
-
Target
96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
-
Size
1.9MB
-
MD5
bc52023341f5ed2c75a79d7124732755
-
SHA1
e5d12d654b2e1970cddeb481044acda4cd1aa05a
-
SHA256
96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f
-
SHA512
d55813fe1c665f05346410c2cbe82b029754fec2f1f0e1c6e716c7fd2b6f79eff513429e7b8e0eba1e023299868f9675d0023dc25f4f4ed4019822b816fb050e
-
SSDEEP
49152:e7CykF8G2QX7Pn5s3pq4zLqhaQcH+SKNkfogHObHBh:pPPXPGpq4z3Jowm
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2116  cmd.exe
Executes dropped EXE 2 IoCs
pid   Process
2448  Logo1_.exe
2740  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
Loads dropped DLL 2 IoCs
pid   Process
2116  cmd.exe
2116  cmd.exe

resource                                                                      yara_rule
behavioral1/files/0x0008000000018f08-25.dat                                   upx
behavioral1/memory/2740-31-0x0000000000400000-0x000000000041B000-memory.dmp   upx
behavioral1/memory/2740-51-0x0000000000400000-0x000000000041B000-memory.dmp   upx
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
Drops file in Program Files directory 64 IoCs
description  ioc  Process
File created  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Defender\MSASCui.exe  Logo1_.exe
File created  C:\Program Files\Windows Portable Devices\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Windows Sidebar\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe  Logo1_.exe
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Mail\es-ES\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Microsoft Games\Chess\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Mozilla Firefox\maintenanceservice.exe  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini  Logo1_.exe
File created  C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jre7\bin\rmiregistry.exe  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini  Logo1_.exe
File created  C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini  Logo1_.exe
File created  C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe  Logo1_.exe
File created  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini  Logo1_.exe
File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Defender\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini  Logo1_.exe
File created  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini  Logo1_.exe
File created  C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini  Logo1_.exe
File created  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini  Logo1_.exe
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\Logo1_.exe  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created  C:\Windows\vDll.dll  Logo1_.exe
File created  C:\Windows\rundl132.exe  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid   Process
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
2448  Logo1_.exe
Suspicious use of WriteProcessMemory 22 IoCs
description  pid  Process  procid_target
PID 2476 wrote to memory of 2116  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  28
PID 2476 wrote to memory of 2116  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  28
PID 2476 wrote to memory of 2116  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  28
PID 2476 wrote to memory of 2116  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  28
PID 2476 wrote to memory of 2448  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  29
PID 2476 wrote to memory of 2448  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  29
PID 2476 wrote to memory of 2448  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  29
PID 2476 wrote to memory of 2448  2476  96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe  29
PID 2448 wrote to memory of 3064  2448  Logo1_.exe  31
PID 2448 wrote to memory of 3064  2448  Logo1_.exe  31
PID 2448 wrote to memory of 3064  2448  Logo1_.exe  31
PID 2448 wrote to memory of 3064  2448  Logo1_.exe  31
PID 3064 wrote to memory of 2656  3064  net.exe  33
PID 3064 wrote to memory of 2656  3064  net.exe  33
PID 3064 wrote to memory of 2656  3064  net.exe  33
PID 3064 wrote to memory of 2656  3064  net.exe  33
PID 2116 wrote to memory of 2740  2116  cmd.exe  34
PID 2116 wrote to memory of 2740  2116  cmd.exe  34
PID 2116 wrote to memory of 2740  2116  cmd.exe  34
PID 2116 wrote to memory of 2740  2116  cmd.exe  34
PID 2448 wrote to memory of 1208  2448  Logo1_.exe  20
PID 2448 wrote to memory of 1208  2448  Logo1_.exe  20
Processes
-
(depth 1) C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1208

    (depth 2) C:\Users\Admin\AppData\Local\Temp\96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 2476

        (depth 3) C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a47BA.bat
            - Deletes itself
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 2116

            (depth 4) C:\Users\Admin\AppData\Local\Temp\96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe"
                - Executes dropped EXE
                PID: 2740

        (depth 3) C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 2448

            (depth 4) C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                - Suspicious use of WriteProcessMemory
                PID: 3064

                (depth 5) C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 2656
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5 4b280158399e1416c44e61e2a6b9945d
SHA1 a7e6a0693f9c779152377c025b6c05c0394101ef
SHA256 afa51fc66c22c7e4be1676043594ae396db5617962f7cd1c36fb6c846f763750
SHA512 0005f1e706f2f46e737a0fe43837de8e7c538ac41a905ef4f5e53937b6b52db0cec7248021f21c4097d90c7a161da9b9d25543e95d701453b43bbfabdf4a0157
-
Filesize
471KB
MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
-
Filesize
722B
MD5 3a86da034f57fca346b6b6432d860b9f
SHA1 062262f49d26d3fdb96aeceb25053e52167c57c0
SHA256 c027a62409bdf1786e369caa0260b0beeb0e7a4bf6c2e4601c3597a1822308af
SHA512 1d44a48f154c25705ec89cc3c1cd1cd53ca1b90dc34cc87d9c668574921a814f4442d1e2ff86551feee4f03bdb6ef4f83fcdde019a0676a94582d4c8c96bea78
-
C:\Users\Admin\AppData\Local\Temp\96a87e5a59471878c9393aaee41492e0a3f24e916ea69a91a040d85b547a7d6f.exe.exe
Filesize 1.9MB
MD5 e7e595a4fcd9497e31f5b3b135d7dd26
SHA1 1bc4f303be1162dddd41e1afdb56ed3198231b41
SHA256 fa1d1214ed911fbc14b20f105dc55a645f609fe079692f387837fecb67b38809
SHA512 0cf7462f70a4afc41f6335918d3dcc5f417f2de2441ceb24fc1a67ebd95d9441422db337d1731681ca950ce176c9b1f45d18997d58d8f0a024ed59129cb5da6f
-
Filesize
226B
MD5 fd7cf2bf9f0325f6612a029a49d61b6d
SHA1 82a2057e0c900b2e676934e11266fb592cb2e910
SHA256 6cf1713125461643cf6e8db0cae4cbeda7a588729823b9e9e6443a72947cbe45
SHA512 c569c547a5b69cd869f0f5a564aa6b112d4a815c35f5c81a3a9e5d7ce2d8765ef588eedfa177e8cb9bf4fadb653777281b08df152d286902a2344f5fbdf0da96
-
Filesize
26KB
MD5 0b6cf88ce61714693670682b1f57024c
SHA1 b5b27f593b709b4f997bc0ba1fd60c6bf84fd4f9
SHA256 e55deb2f60014f01c2995d33d4b3e5f2049147c19d617ff2ae16b66ed281b4fa
SHA512 d88e7676961dccf99206dd57a97d4dff62b9081b42d57f6014f52754f795091ce74ccfe2d14ad5ca991fc98682ab4ad687b50f2d7e1dbca627bf523ffd578b73
-
Filesize
9B
MD5 1368e4d784ef82633de86fa6bc6e37f9
SHA1 77c7384e886b27647bb4f2fd364e7947e7b6abc6
SHA256 57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772
SHA512 3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b