74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 08:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe
Size

7.3MB
MD5

b239ed02e6f2c9f404dea34088896a15
SHA1

1d773e1716eab4ab19922840e6277f98880d187b
SHA256

74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a
SHA512

2a9e8bc99548e1901144ba6363bd4b9e5b277c0b54ad65b036b7d6fba72be850b3f114ae93c011e9caa86ff149709ad3db7c865d69ec454b3f3491f8669c862f
SSDEEP

98304:amB9OWBVClfcaA1oZeSajfztbVCGQX4bME4bP8nQgMVQNKe5AJbI8D:ag9OHi1oZepfxUGGNQNKe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2080	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe
File created	C:\Windows\Logo1_.exe	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe
2856	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2080	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	28
PID 2516 wrote to memory of 2080	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	28
PID 2516 wrote to memory of 2080	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	28
PID 2516 wrote to memory of 2080	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	28
PID 2516 wrote to memory of 2856	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	30
PID 2516 wrote to memory of 2856	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	30
PID 2516 wrote to memory of 2856	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	30
PID 2516 wrote to memory of 2856	2516	74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe	30
PID 2856 wrote to memory of 2768	2856	Logo1_.exe	31
PID 2856 wrote to memory of 2768	2856	Logo1_.exe	31
PID 2856 wrote to memory of 2768	2856	Logo1_.exe	31
PID 2856 wrote to memory of 2768	2856	Logo1_.exe	31
PID 2768 wrote to memory of 2816	2768	net.exe	33
PID 2768 wrote to memory of 2816	2768	net.exe	33
PID 2768 wrote to memory of 2816	2768	net.exe	33
PID 2768 wrote to memory of 2816	2768	net.exe	33
PID 2856 wrote to memory of 1368	2856	Logo1_.exe	17
PID 2856 wrote to memory of 1368	2856	Logo1_.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe
  "C:\Users\Admin\AppData\Local\Temp\74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6690.bat
    3⤵
    - Deletes itself
    PID:2080
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
409b908151c60777cb30074aaa6b9c3a

SHA1
7caf4283327f3dac66db0ddce3b48a865de2b6f6

SHA256
706c9afae7d90be57e059a249a7401280e54fc07e22e137710eb322c40b1b511

SHA512
efbb88d749cccadeed792f16d0ab13a9ff47c662eb0f27ec2a161b810d787fb1d848b87da62de7b77ce5f890829f4eadf63c2ee39963367d521998829835f259

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
683b92ed9a7815ba566ea5750f489c6e

SHA1
489e66c67780380506f54f7fda32a7b9e98d5d70

SHA256
87f7a6e091d82bc6f773b756acf5f239100db9f6b931f29c6847480fa3365b5e

SHA512
86346fe0faffdfc6af5f4bcdc4bda683c65fb7f8879976a87767f0a26efdeb8e656c0577124f9259a3b21faa74b29fc73ea0a005d7425fc9822e00eca4e8f679

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6690.bat

Filesize
722B

MD5
71c2bfe0724031a8efcb27ed9ba478ea

SHA1
cc1528357888db0b73419ff1a62ee1d7dc752b13

SHA256
5ece861c4d4232cb9c8a1bbeb56a824d735ae0c94c6bf5ccf760d8147ec4d827

SHA512
eb622926edb1125547e0dd6e750138b99a2a57efc2749d334cad22bdb9e29313859fdf449e38de3e49cec8e1bb13a8a237892e62eae3f3813deea9e07297a1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6690.bat

Filesize
722B

MD5
71c2bfe0724031a8efcb27ed9ba478ea

SHA1
cc1528357888db0b73419ff1a62ee1d7dc752b13

SHA256
5ece861c4d4232cb9c8a1bbeb56a824d735ae0c94c6bf5ccf760d8147ec4d827

SHA512
eb622926edb1125547e0dd6e750138b99a2a57efc2749d334cad22bdb9e29313859fdf449e38de3e49cec8e1bb13a8a237892e62eae3f3813deea9e07297a1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\74fa27f3ec6bf34051a71f7c1d65b0fab0fe42e57dadcacd937ea6992b2e156a.exe.exe

Filesize
7.3MB

MD5
172b6d29b3cdcdf2b0b14332eb216161

SHA1
7534c39aecd8a968c8cdf34db4cb388d999a3065

SHA256
3bb1c042bf917e6577be28edce3243628e9ce4245e9abbc2cc0196ccca26630c

SHA512
71e4e14c689974821c0bb80637a53cd5234df0111b809612ac810846fe2ba9d288da20141455b984dd842c8343166f807f8da51e74b66fbe3aec181db72806ce

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b09b4b69692dfd845037b1444775e9cd

SHA1
4e5e5e156cf58d106f00ad03c0c8447e63f7ac03

SHA256
bf110258cb30a69df094871b49d77deac998dc61f6f483db5e78b810c4d7e3d4

SHA512
957c905aab4afe1843f81ca4728989f92d3f6323d53536d9f1d59be7879493ad48ee62a26d2376cabd57a81df04e7fd2160cf8a2bc9aef7a8d405429d2518972

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b09b4b69692dfd845037b1444775e9cd

SHA1
4e5e5e156cf58d106f00ad03c0c8447e63f7ac03

SHA256
bf110258cb30a69df094871b49d77deac998dc61f6f483db5e78b810c4d7e3d4

SHA512
957c905aab4afe1843f81ca4728989f92d3f6323d53536d9f1d59be7879493ad48ee62a26d2376cabd57a81df04e7fd2160cf8a2bc9aef7a8d405429d2518972

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b09b4b69692dfd845037b1444775e9cd

SHA1
4e5e5e156cf58d106f00ad03c0c8447e63f7ac03

SHA256
bf110258cb30a69df094871b49d77deac998dc61f6f483db5e78b810c4d7e3d4

SHA512
957c905aab4afe1843f81ca4728989f92d3f6323d53536d9f1d59be7879493ad48ee62a26d2376cabd57a81df04e7fd2160cf8a2bc9aef7a8d405429d2518972

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
b09b4b69692dfd845037b1444775e9cd

SHA1
4e5e5e156cf58d106f00ad03c0c8447e63f7ac03

SHA256
bf110258cb30a69df094871b49d77deac998dc61f6f483db5e78b810c4d7e3d4

SHA512
957c905aab4afe1843f81ca4728989f92d3f6323d53536d9f1d59be7879493ad48ee62a26d2376cabd57a81df04e7fd2160cf8a2bc9aef7a8d405429d2518972

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2084844033-2744876406-2053742436-1000\_desktop.ini

Filesize
10B

MD5
c7c7f47ac39a3689aa42e8b5b71256b9

SHA1
86fc39cae818841361deba9669378c5d3098e716

SHA256
104d6c8b7720b39014273428b8df0d6c10d1dd58a67e3247c7e103a51ecebf6a

SHA512
ef9f8e4c486c35a536d422945da4d40cdf9f6de0550488dedbd106991b7f5efdfeb7c2e9fd36573e4ced48608dd16547022304b588f6b4a9fcf79380f364d7c0

Download Submit
memory/1368-62-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2080-56-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2516-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-12-0x0000000001DA0000-0x0000000001DD6000-memory.dmp

Filesize
216KB

Download
memory/2856-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-1886-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-3346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2856-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download