cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 13:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
Size

573KB
MD5

edfa88ef27f8ef01448b227c7bcc3086
SHA1

c3b8fc53450f09d96bc4e681c021749ed2e58751
SHA256

cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4
SHA512

3626be9c8c6129d903d0662c17a8484787784e10a5fbe83772a332dcf7ea67a479354c5c0b02d839056ec8e40dbb0c8e8f76b8e1ba61d4e2f74a8c32e590ad57
SSDEEP

6144:uuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:m7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	Logo1_.exe
2804	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
File created	C:\Windows\Logo1_.exe	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe
2176	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3036	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	29
PID 2256 wrote to memory of 3036	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	29
PID 2256 wrote to memory of 3036	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	29
PID 2256 wrote to memory of 3036	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	29
PID 2256 wrote to memory of 2176	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	30
PID 2256 wrote to memory of 2176	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	30
PID 2256 wrote to memory of 2176	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	30
PID 2256 wrote to memory of 2176	2256	cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe	30
PID 2176 wrote to memory of 2768	2176	Logo1_.exe	31
PID 2176 wrote to memory of 2768	2176	Logo1_.exe	31
PID 2176 wrote to memory of 2768	2176	Logo1_.exe	31
PID 2176 wrote to memory of 2768	2176	Logo1_.exe	31
PID 2768 wrote to memory of 2108	2768	net.exe	34
PID 2768 wrote to memory of 2108	2768	net.exe	34
PID 2768 wrote to memory of 2108	2768	net.exe	34
PID 2768 wrote to memory of 2108	2768	net.exe	34
PID 3036 wrote to memory of 2804	3036	cmd.exe	35
PID 3036 wrote to memory of 2804	3036	cmd.exe	35
PID 3036 wrote to memory of 2804	3036	cmd.exe	35
PID 3036 wrote to memory of 2804	3036	cmd.exe	35
PID 2176 wrote to memory of 1268	2176	Logo1_.exe	20
PID 2176 wrote to memory of 1268	2176	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
  "C:\Users\Admin\AppData\Local\Temp\cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2349.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe
      "C:\Users\Admin\AppData\Local\Temp\cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe"
      4⤵
      Executes dropped EXE
      PID:2804
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
517efefa2e7ef42a115d87fd57158c89

SHA1
9ed67f7e10ecb5727d6d26e5d2076a31833736e9

SHA256
9da33c33118cfcb955692a25b08a8c66375d85177e33b57a51086487747a8cc0

SHA512
ca0a58849e734e8cf463bbc07377f0bc72022aa7ae60b2d9793ae80003bcb51a8b01045f46ef5121642c4b7f42824221c1cb2d478578efb6fbd87e25cd8d9a63

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2349.bat

Filesize
722B

MD5
1dde292a37bb340047530e695d5f44e3

SHA1
6035b4ab9def5b96c4dc67850926bb3d61a18865

SHA256
8fb64f730ee97f5018248034fd8cdd3a42774c8367c81e1e6582e6a77e200045

SHA512
27f8ea068a182344a24ecb1d7fe619c47f2863ff89ff7f5b73f52032201c2432496ca98968d3aa76eb84c7cac4fe8e33fc969d78159c363a808c777f71a2a675

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb192eebf794a483a7e2aa22065303049655d4ba284fe318374a05e9f660dbc4.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
037a1557312e57791bd4eeba7dcc7213

SHA1
1e1a35c4488f9cd09e5e6dad09cc67293712c623

SHA256
4ec9caeaf890c301da3587508883df4337635dc6d24b77345322b8617cd18387

SHA512
49f4c6aa4fc8a344e026e5016f3192396ff01d06f4b5097e58fcba29b84df5d049ac1c053edfcadc0e831dc033e5a6d912bab3a9ada6cf79784e671de5521289

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
9B

MD5
e02899454c67c7d6d1af854fdcb53b67

SHA1
26fb213f7c299c2a4d8c4afd234ee0b751d7a30e

SHA256
0e67e90646d3ba7b46f935b205c9f89e8bff2dca7aeda3cd5dfb93868b262315

SHA512
e1519bebf62ab4cb28e630a201312812e04f815ec0663f7b68b478da97c0bf7c7c2238a8632540d3d1f37acbe83919fb198b39ebeb222c19faa2130ab65ffffa

Download Submit
memory/1268-30-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2176-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-18-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2256-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download