5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe
Size

484KB
MD5

99fde31f13ca8a0524a5734ade4cb3e7
SHA1

c7882ba73a502f25aae095b0638bc8ab11481ddf
SHA256

5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38
SHA512

387e0094c1b203d7f035bebe5a83ff65887b9742040637290e51196f8589f4aaacd5c0eb0ed55470aadc95dba45a44b9e1ed08d9d7bc1fe22f20f54261929f40
SSDEEP

6144:fVfjmNOz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fay7:N7+I1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1528	Logo1_.exe
2244	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe
File created	C:\Windows\Logo1_.exe	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe
1528	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2012	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	30
PID 1512 wrote to memory of 2012	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	30
PID 1512 wrote to memory of 2012	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	30
PID 1512 wrote to memory of 2012	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	30
PID 1512 wrote to memory of 1528	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	31
PID 1512 wrote to memory of 1528	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	31
PID 1512 wrote to memory of 1528	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	31
PID 1512 wrote to memory of 1528	1512	5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe	31
PID 1528 wrote to memory of 620	1528	Logo1_.exe	32
PID 1528 wrote to memory of 620	1528	Logo1_.exe	32
PID 1528 wrote to memory of 620	1528	Logo1_.exe	32
PID 1528 wrote to memory of 620	1528	Logo1_.exe	32
PID 620 wrote to memory of 2424	620	net.exe	35
PID 620 wrote to memory of 2424	620	net.exe	35
PID 620 wrote to memory of 2424	620	net.exe	35
PID 620 wrote to memory of 2424	620	net.exe	35
PID 2012 wrote to memory of 2244	2012	cmd.exe	36
PID 2012 wrote to memory of 2244	2012	cmd.exe	36
PID 2012 wrote to memory of 2244	2012	cmd.exe	36
PID 2012 wrote to memory of 2244	2012	cmd.exe	36
PID 1528 wrote to memory of 1196	1528	Logo1_.exe	21
PID 1528 wrote to memory of 1196	1528	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe
  "C:\Users\Admin\AppData\Local\Temp\5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9FD8.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe
      "C:\Users\Admin\AppData\Local\Temp\5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe"
      4⤵
      Executes dropped EXE
      PID:2244
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
3f944fa5961dd60332a465bd6c42e07f

SHA1
df3841bdffdeaa91e0214b323172714632fd236f

SHA256
68b5de23db9dfa84a748968ab7da7aa0fc64b22bc8f35dcd00ce56cb97f0eb1c

SHA512
b5cfdd669fa251c4ddeb9c3342aff2812dcd678c78e95ef579e80ac37510ff34c56bbae1dc2e8ce99f19e55e79e0c17a61d0e348a3dbd84813aafdd86c7a1df0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9FD8.bat

Filesize
722B

MD5
382f1cf17971459efeb2e35987799c12

SHA1
eda84315c87f2029d7caa100d49ba762bea03142

SHA256
881e2b1bc9beeffca40fb66cded935c9898d3772a88a035d463e87a39526435c

SHA512
a947319c3677904fca2d0f2ee6898834267155795664d10f13adde168fe9480cb726463de5db561de863b03dc98dfee512d1c4634c84254e42d31db2d4006430

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cbeb007d9359a588e31e4e4ae5f0c84638f1c05411fb053e894932388819f38.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ede08e8e12b90be2cfe1190ed3141fed

SHA1
98b6a57387c2278fb10ed0be35d68e1e0a462e7d

SHA256
cfd72e0036602b6f2ff6171657099432524a03ab5aa3bf8668603fef43bc294d

SHA512
13a3651720c3f4a25dff552a5d2bd5a500a225269d2f385a988622cffc635c28d1ce04b43c22d631a0c59da8688119cd95b05fa8d99cf1be69623063753331f7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\_desktop.ini

Filesize
9B

MD5
2efce5174bcf8d378a924333f75e26ad

SHA1
4fe6e1d729b55d42eb9d74aca11b36a94402de14

SHA256
04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

SHA512
24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

Download Submit
memory/1196-29-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/1512-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-1873-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-2455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-3333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download