5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 18:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
Size

88KB
MD5

e8f347cf96d9873d5fae4119e5615aad
SHA1

fac177a04b50c32e4d92e1bccd8ee65370800159
SHA256

5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040
SHA512

dcd4eefd5cefbb69839a05fe988bc53ddabf62209e25c0131a962d1c0586bd0111f2d6029dba0dbd34bb14cf80d209cd17e12ce70df1a5c6e068acd5f7c2c888
SSDEEP

1536:p53SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:p5kuJVL8LK4ddJMY86ipmns6S

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	Logo1_.exe
2840	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
File created	C:\Windows\Logo1_.exe	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe
2952	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2544	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	30
PID 3028 wrote to memory of 2544	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	30
PID 3028 wrote to memory of 2544	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	30
PID 3028 wrote to memory of 2544	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	30
PID 3028 wrote to memory of 2952	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	32
PID 3028 wrote to memory of 2952	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	32
PID 3028 wrote to memory of 2952	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	32
PID 3028 wrote to memory of 2952	3028	5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe	32
PID 2952 wrote to memory of 1284	2952	Logo1_.exe	33
PID 2952 wrote to memory of 1284	2952	Logo1_.exe	33
PID 2952 wrote to memory of 1284	2952	Logo1_.exe	33
PID 2952 wrote to memory of 1284	2952	Logo1_.exe	33
PID 1284 wrote to memory of 2820	1284	net.exe	35
PID 2544 wrote to memory of 2840	2544	cmd.exe	36
PID 1284 wrote to memory of 2820	1284	net.exe	35
PID 1284 wrote to memory of 2820	1284	net.exe	35
PID 2544 wrote to memory of 2840	2544	cmd.exe	36
PID 2544 wrote to memory of 2840	2544	cmd.exe	36
PID 1284 wrote to memory of 2820	1284	net.exe	35
PID 2544 wrote to memory of 2840	2544	cmd.exe	36
PID 2952 wrote to memory of 1216	2952	Logo1_.exe	21
PID 2952 wrote to memory of 1216	2952	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
  "C:\Users\Admin\AppData\Local\Temp\5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8E6A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe
      "C:\Users\Admin\AppData\Local\Temp\5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe"
      4⤵
      Executes dropped EXE
      PID:2840
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0d251b00fba311b711741b93516a3785

SHA1
81c9483c604969b5a77f624aae23bd77e70323db

SHA256
5d532031d275b82ff3ba64688b6db263b6ec730f562ca11f0149b6ec14ff5287

SHA512
79b29b9a7738bf5ff1ae82e78c55729ce1f1b75144cbe8437939b35057f1a2f66903af3691febf52944d5a4defe23645a411ad7ab46457332ad76094007ba842

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8E6A.bat

Filesize
722B

MD5
93bcf3376aa96b355cf87b8f0aabe4c8

SHA1
2c43be192f441c5e5ce7bd39087e2363706598b1

SHA256
234f66825564e005dafedb69157365511d1060692c2d1ec8afb9b57ba9fa796e

SHA512
1e3e25fbfa3384ea4a7cb590d8b66e145ce0f53dd9aa5c56ee0d40beee36d92b82d10f164ff0a6ebc863be6bfeca441c32f3e7f6578328419d1f82f1f197b452

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ba40698b1a213a1d1780ca20696cf672bc57b09a7e0e07c718017cb271c8040.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
2d3658d5db691d9c616d54054b23227e

SHA1
0c6fc3568cffa7b16a4d662057ceb57d8d7b84a1

SHA256
a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff

SHA512
3cd103430d517aae3180d71cf54005b6921a2d36ef373fee43cca97ddeed7720b4c16853d066e80af6156748f399d194f2e58c71f6366599c24abaf264a55cf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

Filesize
8B

MD5
5e797d005cfee3b802f98412c511983c

SHA1
1c65a747549afbed9971b65c604d64ec1f1ab898

SHA256
dcb1b824282c0cca0aaad7a62d7857039122e25a100766f82c85f227b36e4c88

SHA512
41116f81a81859b0608b0150a4cd791b3fba9e7516ff3eb98494a3802a3532dda052a2ed955d64c023fe6d8113079d7190df6f5bcc7ef86c8e743419a758706b

Download Submit
memory/1216-29-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2952-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-1052-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-2904-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download