c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe
Size

573KB
MD5

48cd514c7aeb65e5c99c5b211b721c83
SHA1

02cb9f79e16fb3efc3100cd53d033b9974783448
SHA256

c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25
SHA512

725e64e2339e499683934fb38af3ba5a04a36d663c2657c98a10724399f4fa08d2f5f829b9934e0a8e85e911e258f70a78960438a89444744d2e8491f9733c0d
SSDEEP

6144:cuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:I7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	Logo1_.exe
2756	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe

Loads dropped DLL 1 IoCs

pid	Process
2516	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe
File created	C:\Windows\Logo1_.exe	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe
2536	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2516	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	30
PID 2384 wrote to memory of 2516	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	30
PID 2384 wrote to memory of 2516	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	30
PID 2384 wrote to memory of 2516	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	30
PID 2384 wrote to memory of 2536	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	31
PID 2384 wrote to memory of 2536	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	31
PID 2384 wrote to memory of 2536	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	31
PID 2384 wrote to memory of 2536	2384	c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe	31
PID 2536 wrote to memory of 2064	2536	Logo1_.exe	33
PID 2536 wrote to memory of 2064	2536	Logo1_.exe	33
PID 2536 wrote to memory of 2064	2536	Logo1_.exe	33
PID 2536 wrote to memory of 2064	2536	Logo1_.exe	33
PID 2064 wrote to memory of 476	2064	net.exe	35
PID 2064 wrote to memory of 476	2064	net.exe	35
PID 2064 wrote to memory of 476	2064	net.exe	35
PID 2064 wrote to memory of 476	2064	net.exe	35
PID 2516 wrote to memory of 2756	2516	cmd.exe	36
PID 2516 wrote to memory of 2756	2516	cmd.exe	36
PID 2516 wrote to memory of 2756	2516	cmd.exe	36
PID 2516 wrote to memory of 2756	2516	cmd.exe	36
PID 2536 wrote to memory of 1212	2536	Logo1_.exe	21
PID 2536 wrote to memory of 1212	2536	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe
  "C:\Users\Admin\AppData\Local\Temp\c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBAA8.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe
      "C:\Users\Admin\AppData\Local\Temp\c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe"
      4⤵
      Executes dropped EXE
      PID:2756
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
ee9535e8cb76ac708ef88c162e71867f

SHA1
4408c074c2b1844bfe0492fed6d1f0ddf9535abf

SHA256
9865f368f0d459b593aba527a42c13e95787ed577d90a67e8b5d9ac8b9957ca7

SHA512
21ff29520f97ba253056afb25f32df61453a2182896f87b8c769ea3881abcae80b97ad217bd5e66fd0d90b7cf4efb6a6df3c0a1e8a967303dc9e1986054af2d5

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBAA8.bat

Filesize
722B

MD5
cd892da7a09b0c351c6bf39e6c4cf319

SHA1
0870be95318fabd91248c53de87d0dfbcc180aa7

SHA256
0cef70b9a020effc18ac1243385de76036cfe439f6d8938e52ead7af1d3e462d

SHA512
ad1eb57afc19b6d13523c291cb6c8f88df8a3359fa5ac6684a9b7de4724a1f658468d9f8489b5436aa4840f05fc68209579df46bf88106de3a0eb5226037a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c997e0008550edc54333585cf5a0f08512b75ef1b1628aa78325ba8269db3c25.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
3a5953621139d101a724889704eb0a6a

SHA1
da34c7e0efcff7dead3f7189cc829c7da642ede6

SHA256
6c0930c74442a286db1c2d3c0c84d652ff5b8175d3d3b8ac90501c480df5f44b

SHA512
4e10a0d8ba46ad723d4fa1cf496fcb07e0b270dd8ab6cc31b4f071915570f99861e199fcb12d47d219ca6c3123462ec8cdc329abdd3f6724aca2ea318e4ea245

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
2efce5174bcf8d378a924333f75e26ad

SHA1
4fe6e1d729b55d42eb9d74aca11b36a94402de14

SHA256
04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

SHA512
24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

Download Submit
memory/1212-29-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2384-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-678-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-2375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download