223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe
Size

362KB
MD5

0020bf32989a2ab878e6a005c0f9332a
SHA1

990b71fa6e483fdf11c9db653293b4ea7999a5ea
SHA256

223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132
SHA512

cfe3169127a2e3328a868189fb316282fe096964d8c1edf73e6c497ef52e15ac9df7382afd0b27e66bb7905710f3c06a87dd52b395e2a3aa5a27c5f2505d05e1
SSDEEP

6144:nFp9zU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:FpRU66b5zhVymA/XSRh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	Logo1_.exe
2792	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe
File created	C:\Windows\Logo1_.exe	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe
2708	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2772	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	30
PID 2728 wrote to memory of 2772	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	30
PID 2728 wrote to memory of 2772	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	30
PID 2728 wrote to memory of 2772	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	30
PID 2728 wrote to memory of 2708	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	32
PID 2728 wrote to memory of 2708	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	32
PID 2728 wrote to memory of 2708	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	32
PID 2728 wrote to memory of 2708	2728	223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe	32
PID 2708 wrote to memory of 2760	2708	Logo1_.exe	33
PID 2708 wrote to memory of 2760	2708	Logo1_.exe	33
PID 2708 wrote to memory of 2760	2708	Logo1_.exe	33
PID 2708 wrote to memory of 2760	2708	Logo1_.exe	33
PID 2760 wrote to memory of 2632	2760	net.exe	35
PID 2760 wrote to memory of 2632	2760	net.exe	35
PID 2760 wrote to memory of 2632	2760	net.exe	35
PID 2760 wrote to memory of 2632	2760	net.exe	35
PID 2772 wrote to memory of 2792	2772	cmd.exe	36
PID 2772 wrote to memory of 2792	2772	cmd.exe	36
PID 2772 wrote to memory of 2792	2772	cmd.exe	36
PID 2772 wrote to memory of 2792	2772	cmd.exe	36
PID 2708 wrote to memory of 1216	2708	Logo1_.exe	21
PID 2708 wrote to memory of 1216	2708	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe
  "C:\Users\Admin\AppData\Local\Temp\223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5013.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe
      "C:\Users\Admin\AppData\Local\Temp\223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe"
      4⤵
      Executes dropped EXE
      PID:2792
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
ff72e484a027a8927a68c541cc3843b6

SHA1
66568b275a2fdd26d5ae3ed52b6fc62b428e608c

SHA256
414c53c6c515069f22bd9f4b9c4616d6c12f292700b0e054c2f997ab1cde785b

SHA512
249bd751068854b985e95ff0adbdca563d07b51c3e96259e2f27c1a626e15f8d26b99753b8b195685e576c7c92366fecfeedd8fb35cc3f0b077d71dc589d574a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5013.bat

Filesize
722B

MD5
bcf20b599f828481036b4cbf95d227e9

SHA1
6625b4c08836f13e3bb4f430f7b0960a41fb53d7

SHA256
148d06b13c05919bef3e8fcc4e6ee4b2d916e062c31dd80b7e3aec2f6ac87d5a

SHA512
b04ce08cc4790bb7bc298a92109764f110efdf5195047019c4b4ad5d216eed8e4a8064360d9d88bbc6ccc720557223431720ab92e732d2211bacb38ce26bf0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\223c293d86ae93865814e4d9039dad00de0f7a6fc7b69987bc873519055ae132.exe.exe

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
ea017656bd9eac12b8894a56bc4ea1a3

SHA1
d4c793ef0db49a1dfc1795a02674140ce05cbf14

SHA256
bfceaabf687f4e06d6a813e4dd342f6858e5e1db3babd7c6c92e359bf662263b

SHA512
b63970d9b51520434a34e21451e0ad88bb7695a73acafddbb3d7d5582dcce1410e053dbfe815ffbdd5742c4124541f960bba54949f0ac4d50398b478a2687180

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1216-29-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2708-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-1874-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-2073-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-3334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download