7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
10/12/2023, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe
Size

274KB
MD5

bc144b9a06b9f5889453e0c532c409ff
SHA1

f776538e3506ce9aefa49012860e902f00dc3d19
SHA256

7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31
SHA512

28010192113a3e9565326f545111b47e1198677ec430e5c3bcd851a9a5c859475c4d8b451c700d2aeeaee073cb87ea2f1dc7caac026b6f66eb396259fb7287e6
SSDEEP

6144:uuJXo6iC5/7Z7mEGiin0u9HJAxdrt10xdUy95WkLmzdWsQELvLf884rxJp1VsCH:rlGp0Bk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1644	Logo1_.exe
2792	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe
File created	C:\Windows\Logo1_.exe	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe
1644	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2876	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	28
PID 2144 wrote to memory of 2876	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	28
PID 2144 wrote to memory of 2876	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	28
PID 2144 wrote to memory of 2876	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	28
PID 2144 wrote to memory of 1644	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	31
PID 2144 wrote to memory of 1644	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	31
PID 2144 wrote to memory of 1644	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	31
PID 2144 wrote to memory of 1644	2144	7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe	31
PID 1644 wrote to memory of 2684	1644	Logo1_.exe	29
PID 1644 wrote to memory of 2684	1644	Logo1_.exe	29
PID 1644 wrote to memory of 2684	1644	Logo1_.exe	29
PID 1644 wrote to memory of 2684	1644	Logo1_.exe	29
PID 2684 wrote to memory of 1708	2684	net.exe	33
PID 2684 wrote to memory of 1708	2684	net.exe	33
PID 2684 wrote to memory of 1708	2684	net.exe	33
PID 2684 wrote to memory of 1708	2684	net.exe	33
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 2876 wrote to memory of 2792	2876	cmd.exe	34
PID 1644 wrote to memory of 1264	1644	Logo1_.exe	17
PID 1644 wrote to memory of 1264	1644	Logo1_.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe
  "C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5300.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe
      "C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe"
      4⤵
      Executes dropped EXE
      PID:2792
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1644

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
  2⤵
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
bef317e3799d78b5ba784106da298459

SHA1
7ddd81ba1940d7fef804fd135f11f8ff96289edd

SHA256
078307fee8a648f31bbc9a5cc68690dbaf2d6a62127e153db7167a9fc818cb22

SHA512
1dfc39ec7ef5d078639c5ce73dd256f7668e7ce9c01c0b4c0be50a7c1d1844d4d2b73b4a8d8549fa26c1d50d164ab42729a7e83ba5f460c60a61434d4e400d59

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
4380a345b5ab5205744b88a0f56d97e7

SHA1
000ace7cc10e639ef0b3f73175e465468e54c488

SHA256
d16eb0c5d0513d7021bcd0cb1372be3a10fd1c7deb59c0992d259f97fd275024

SHA512
4d063cfcb6ed0a935658eb63fe3cb04f625b1b78a8633be123f78da473baf2a4e2d28df8d94abedcdfac1e9798eaee22dd2cc918a5431f48e4e2939bd1df0a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5300.bat

Filesize
722B

MD5
e7f4ed9825c5b57d056718d88b0a9131

SHA1
922e4eeb4500aaac0a18c4b082e31b2113792318

SHA256
18016f109797596f655a1fbb28a02725f56da15e53477ab957ec7b5a3a922915

SHA512
5bb92340d2181e1915ecd87d26b18f5489210c2b7d8050cf687b1324fdd8b77cefcc86213ee1b53c05890451b167a1ae9aff77c868f2dbdffb4954ecbf7c2739

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe

Filesize
51KB

MD5
ca25e4a32597745804c032746652a996

SHA1
928eb3f7ff67ea35cd7aa18d92a9d7600eb4c3c7

SHA256
5567fdacfa55597d77a462ddcc21832f3a56c5bfbe88524fab3842ee6bb59eb7

SHA512
713a517dbc790cf113c6cd5fc69a2d429a626e02efd31ee8bb7b04b83e9e54b2f658c76398a8be7d824e5cbd5ef9f1d2e37867c57f360d688fb6f607999bf2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe.exe

Filesize
110KB

MD5
2727ae68a9d78707cfc3f2f46998e5e8

SHA1
4b6d0aa08e7c7f2ed7a187fe26cb0ad2868caa93

SHA256
795ca191e6b8b05959405c08fa71b5fac540e77a1fc7f24a7e41b18d9e45f0a2

SHA512
e43a3e0de12c53a4b8dd142a5d078f7a4fe914cabbb2d3b13053b10efea3b305725ad930066ba3c228f79dbd05fbb2770515d4576cbd8ce7af6424122902d62f

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
78ce4689a30c165711d241279946b592

SHA1
121627ed289153e17fafb83bd5706a17b5c41ded

SHA256
a6e7e196daf899da3f28b720da0d08192774f2bde24c315b6e7e285abe8a6d28

SHA512
0313658fdf81aeb438f494b13fce5730b1bbd81be49a89829fb2c4b872e3da4293ebc7f515c188c827865dde468dac79ec261d5824188327c7e9b5be8c9b8aaf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2952504676-3105837840-1406404655-1000\_desktop.ini

Filesize
10B

MD5
8daca9f1dc1e4dbf00c4f103a6c4b41b

SHA1
ec78c60ea1ca164776f9b78714317bccae17bede

SHA256
3e87a8de0c10e1f2569251c1c8eb7e81e3af99aa006285b5121e158e2e3137a6

SHA512
0f7797c451bb13c4bbebf77d20ecb0161b2a7690589f429bb85dcfbdae35301a91746559abd372e5d773e4c0e141f1c58f6e391dbbc0a52f2396282a1c45c02d

Download Submit
\Users\Admin\AppData\Local\Temp\7c673f8006efc23338de05000041e5f36b81bce834571a4de3ee8e8b142d4b31.exe

Filesize
89KB

MD5
f603870f13d8ad67a80b0da3c9f6a39b

SHA1
c6f092296cc43d4032207025bff45014ff20f5a2

SHA256
1ee999bcdf2fe149f28d5e48fb726f659b74b8df62b8d34d175c8247159901b6

SHA512
60934f68ce61d28fe38c33b5d7bd6342f89c2fcb2702b2e8e9ac1b9018a018497e3a4bb25360a2294cf4a231358af601d54a9b18cf33a4d0decdc7235586896d

Download Submit
memory/1264-30-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1644-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-21-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/2144-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-17-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download