7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
29-10-2023 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe
Size

9.3MB
MD5

cc29177b5fd627224baed5dd0a121e19
SHA1

5c9a65bd6e463b751b13f2a639f28d59f91c2944
SHA256

7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c
SHA512

6f51d4b3f7e3083421fc1726e6bd9b954fbb176055736db34521c7b10862d4b122a4ecf761222503b80cec5242a902a62619a732f38c1ce4ad687cce9512e099
SSDEEP

98304:axfZeZiONXe0cK7jfI60f8BYNg3kQVLPXnmGLH376+MyUXnby:aNZekOte0cifXmZNg0ILPXnmGDm3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2580	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe
File created	C:\Windows\Logo1_.exe	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe
2580	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2360	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	28
PID 1740 wrote to memory of 2360	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	28
PID 1740 wrote to memory of 2360	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	28
PID 1740 wrote to memory of 2360	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	28
PID 1740 wrote to memory of 2580	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	30
PID 1740 wrote to memory of 2580	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	30
PID 1740 wrote to memory of 2580	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	30
PID 1740 wrote to memory of 2580	1740	7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe	30
PID 2580 wrote to memory of 2764	2580	Logo1_.exe	31
PID 2580 wrote to memory of 2764	2580	Logo1_.exe	31
PID 2580 wrote to memory of 2764	2580	Logo1_.exe	31
PID 2580 wrote to memory of 2764	2580	Logo1_.exe	31
PID 2764 wrote to memory of 1604	2764	net.exe	33
PID 2764 wrote to memory of 1604	2764	net.exe	33
PID 2764 wrote to memory of 1604	2764	net.exe	33
PID 2764 wrote to memory of 1604	2764	net.exe	33
PID 2580 wrote to memory of 1212	2580	Logo1_.exe	17
PID 2580 wrote to memory of 1212	2580	Logo1_.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe
  "C:\Users\Admin\AppData\Local\Temp\7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4F68.bat
    3⤵
    - Deletes itself
    PID:2360
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
bc75c9efd1365608938d2f535b108715

SHA1
2bdb183f4d4d1ea3b84b1aef86d117d5ae83f004

SHA256
c0f2d8d8b8b0269b0cf8292da7e33d2c01b1c7d2c99f3e5a3e403015aadf4a53

SHA512
aea259527b0bad2b3fbb6e4b92483957cf93ad9d32f147426fe9e97400b2f270c409cb802124cf76ce3165520ca1ae2f314068b0e6e9fef4a1a0059f78f6f019

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
683b92ed9a7815ba566ea5750f489c6e

SHA1
489e66c67780380506f54f7fda32a7b9e98d5d70

SHA256
87f7a6e091d82bc6f773b756acf5f239100db9f6b931f29c6847480fa3365b5e

SHA512
86346fe0faffdfc6af5f4bcdc4bda683c65fb7f8879976a87767f0a26efdeb8e656c0577124f9259a3b21faa74b29fc73ea0a005d7425fc9822e00eca4e8f679

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4F68.bat

Filesize
722B

MD5
982331a8d3ca2eab116194b7c869cd4d

SHA1
6a1600643f83796564f56212b31f14967f4ff56f

SHA256
0162839ed5a85cc51f4c697ff138e93ce89ff4e8b2d332feee710c2142072856

SHA512
db3b891d4ff5ffd2519b7aa7adaaaa0ac41b564b3d0640a26839d0ddbec027988a74f0b98ba511edf89ddd4df9837d9bec7e75d70d6fb158dc5c5bf2f6642cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4F68.bat

Filesize
722B

MD5
982331a8d3ca2eab116194b7c869cd4d

SHA1
6a1600643f83796564f56212b31f14967f4ff56f

SHA256
0162839ed5a85cc51f4c697ff138e93ce89ff4e8b2d332feee710c2142072856

SHA512
db3b891d4ff5ffd2519b7aa7adaaaa0ac41b564b3d0640a26839d0ddbec027988a74f0b98ba511edf89ddd4df9837d9bec7e75d70d6fb158dc5c5bf2f6642cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a54c16a3a78bc4e11f47773d21f010cd9fd613ae719b5a185e47b72c352be8c.exe.exe

Filesize
9.3MB

MD5
b86f86ef5c09df3336638ad99b7c0c0f

SHA1
0428ad68c4dd86cebf917582d9de21ad2bdac97f

SHA256
3ef229a273ff767f0dbc891329fa906455e8f696beb5b6611efe9d6f657d7ced

SHA512
cd3ef6725bbc15c2090f3eee10af01766030a428ec39e8dab8f0174961e9aaef1a573fdbba3f7db0e251c5888a83b701cfab8055b28c30474405c2b00e826f97

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
02e821242138028c3b47a66dc20a234b

SHA1
30cc9526d9f6d96c436838f219eda7e65799b6ac

SHA256
07b4df9c43324822bc45a08796e966119f7a3ee0d54751dbe5f0011c9e09afaf

SHA512
bee16d9a9ce3f1812f35abbeff17f72d48614a63d54d0ed510394158253e32288d240c2fb68dec40b617ab6f21f51044399aea55c8bcabd8b5de8f28a9c74a52

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
02e821242138028c3b47a66dc20a234b

SHA1
30cc9526d9f6d96c436838f219eda7e65799b6ac

SHA256
07b4df9c43324822bc45a08796e966119f7a3ee0d54751dbe5f0011c9e09afaf

SHA512
bee16d9a9ce3f1812f35abbeff17f72d48614a63d54d0ed510394158253e32288d240c2fb68dec40b617ab6f21f51044399aea55c8bcabd8b5de8f28a9c74a52

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
02e821242138028c3b47a66dc20a234b

SHA1
30cc9526d9f6d96c436838f219eda7e65799b6ac

SHA256
07b4df9c43324822bc45a08796e966119f7a3ee0d54751dbe5f0011c9e09afaf

SHA512
bee16d9a9ce3f1812f35abbeff17f72d48614a63d54d0ed510394158253e32288d240c2fb68dec40b617ab6f21f51044399aea55c8bcabd8b5de8f28a9c74a52

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
02e821242138028c3b47a66dc20a234b

SHA1
30cc9526d9f6d96c436838f219eda7e65799b6ac

SHA256
07b4df9c43324822bc45a08796e966119f7a3ee0d54751dbe5f0011c9e09afaf

SHA512
bee16d9a9ce3f1812f35abbeff17f72d48614a63d54d0ed510394158253e32288d240c2fb68dec40b617ab6f21f51044399aea55c8bcabd8b5de8f28a9c74a52

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1861898231-3446828954-4278112889-1000\_desktop.ini

Filesize
10B

MD5
17de2acd7b02442c9cb0e8c0fccf8e96

SHA1
e062bd3af8ffe48988392987af8cbbddddffb804

SHA256
af7f402fe1458d28f48714376dd0e26175e667690e61b41c8bd0e61d818822d3

SHA512
e04d6d828edc3ef3443dfd40f72f76351bf981a16566cf0f31e60015f588440764461b52be088f549e8a2a6fa41370129e60d36b63b66f9a63c6df89f44fdbd8

Download Submit
memory/1212-62-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1740-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1740-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2360-56-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2580-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-1886-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-3346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download