df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe
Size

68KB
MD5

3652b87998946f9eaec771eae01f5384
SHA1

27251fbaa4df091f9c9401744e06adfb57a9c47d
SHA256

df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a
SHA512

14e122203982c8a21ee75208ce7b2930b1764b74aad1c94bc22c0980a20a6237280bf0111adbfe92bdee73de7e4dd1dafc9e631af5bc7fad0dd2c8f215c7e787
SSDEEP

1536:AfgLdQAQfcfymN71gNnR1PL9YoOIlg0FJf:AftffjmNpgrlfF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe
File created	C:\Windows\Logo1_.exe	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe
2060	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2880	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	28
PID 2936 wrote to memory of 2880	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	28
PID 2936 wrote to memory of 2880	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	28
PID 2936 wrote to memory of 2880	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	28
PID 2936 wrote to memory of 2060	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	29
PID 2936 wrote to memory of 2060	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	29
PID 2936 wrote to memory of 2060	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	29
PID 2936 wrote to memory of 2060	2936	df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe	29
PID 2060 wrote to memory of 2184	2060	Logo1_.exe	31
PID 2060 wrote to memory of 2184	2060	Logo1_.exe	31
PID 2060 wrote to memory of 2184	2060	Logo1_.exe	31
PID 2060 wrote to memory of 2184	2060	Logo1_.exe	31
PID 2184 wrote to memory of 2104	2184	net.exe	33
PID 2184 wrote to memory of 2104	2184	net.exe	33
PID 2184 wrote to memory of 2104	2184	net.exe	33
PID 2184 wrote to memory of 2104	2184	net.exe	33
PID 2060 wrote to memory of 1220	2060	Logo1_.exe	13
PID 2060 wrote to memory of 1220	2060	Logo1_.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe
  "C:\Users\Admin\AppData\Local\Temp\df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3FDE.bat
    3⤵
    - Deletes itself
    PID:2880
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
dab6fbfac4de4cd21ce52fbdc780f038

SHA1
0bc7e1b4916c2203a78f9921a1c76ea969f9216b

SHA256
c20d2a815c50bc55f275b0e0322b0b2f29651fe9ea60481ae93d390da8d53133

SHA512
01823a147951eff6acc2122f174161b74bfc91e130e87b8e42f5df2b07526d9be045bc4e35933a2940792d71830cc42e1decc927f4b67c6a1ceb91ceef608cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3FDE.bat

Filesize
722B

MD5
d526e20fcec3b5c17069471362bcfe3f

SHA1
45e5ff86f9442d778e5b8cf40f979ecf2912ed5f

SHA256
46990f024b28181ca62f9e1e139407a89da030e3006b4ff2c12e2c27e05898d0

SHA512
dfe813e6c42936df4f04422522d63cba861d3ffe4cbe95472cba799bfbd588120df1c9413627518c7b1c0c715164bf3495994ca3deaa803af9f7f070364cb71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3FDE.bat

Filesize
722B

MD5
d526e20fcec3b5c17069471362bcfe3f

SHA1
45e5ff86f9442d778e5b8cf40f979ecf2912ed5f

SHA256
46990f024b28181ca62f9e1e139407a89da030e3006b4ff2c12e2c27e05898d0

SHA512
dfe813e6c42936df4f04422522d63cba861d3ffe4cbe95472cba799bfbd588120df1c9413627518c7b1c0c715164bf3495994ca3deaa803af9f7f070364cb71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\df9bf5e6ca8278fe3ddc6fc7b28b7add683b8b5ef1dfaaf6fc5ce90ba3b0f94a.exe.exe

Filesize
42KB

MD5
774057afbd4dccd6992989a593720e86

SHA1
633b8f0677043c18f9541c3cb9478f2eee3695d0

SHA256
a9d1c28a189b61f37375f0b29d38e4a82d394c77a1c84721e638e2526c35d4ff

SHA512
37fcd7fa6400f76647c5052c2a3b82316dc95f51befd3bac6eb555824d157766393ff3bafb3a6802ddb918ae4870081174e4fc70869ae180725755daca332df2

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
006fea33f14c9da590dc8739811ffce2

SHA1
ad2319b507e25457427483b5d5a83f1f41aa19cc

SHA256
c24589d3af6a0fc94d9861e4e893d109cdbb2129051a178280fdd17a3e62af45

SHA512
f6117e3d55da2f84ac78babef6bc09df8955e37d73bfa351eb3e055c06f4f7aacc270a219bf28e0ec5d8c0b30c013d401bbd35dde42497501125490648156cca

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
006fea33f14c9da590dc8739811ffce2

SHA1
ad2319b507e25457427483b5d5a83f1f41aa19cc

SHA256
c24589d3af6a0fc94d9861e4e893d109cdbb2129051a178280fdd17a3e62af45

SHA512
f6117e3d55da2f84ac78babef6bc09df8955e37d73bfa351eb3e055c06f4f7aacc270a219bf28e0ec5d8c0b30c013d401bbd35dde42497501125490648156cca

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
006fea33f14c9da590dc8739811ffce2

SHA1
ad2319b507e25457427483b5d5a83f1f41aa19cc

SHA256
c24589d3af6a0fc94d9861e4e893d109cdbb2129051a178280fdd17a3e62af45

SHA512
f6117e3d55da2f84ac78babef6bc09df8955e37d73bfa351eb3e055c06f4f7aacc270a219bf28e0ec5d8c0b30c013d401bbd35dde42497501125490648156cca

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
006fea33f14c9da590dc8739811ffce2

SHA1
ad2319b507e25457427483b5d5a83f1f41aa19cc

SHA256
c24589d3af6a0fc94d9861e4e893d109cdbb2129051a178280fdd17a3e62af45

SHA512
f6117e3d55da2f84ac78babef6bc09df8955e37d73bfa351eb3e055c06f4f7aacc270a219bf28e0ec5d8c0b30c013d401bbd35dde42497501125490648156cca

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1861898231-3446828954-4278112889-1000\_desktop.ini

Filesize
9B

MD5
4d72cff1ce9d97416bd764af363f34df

SHA1
e5377631a8a8ae98182121d4e15e878bd302dbc6

SHA256
023ab9831a0de101117d7d810372142f03ab43630ab99c68cbff7f11af67f861

SHA512
7489eb7b688a2ebd105c8f23c66ff71cb9f72546e4be795a888a12432d8b3ce50ca9dd173d9291ada405596864224e658af61479c70b2a7443161a533abce1e2

Download Submit
memory/1220-27-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2060-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-1115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-1848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-3308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-16-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2936-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download