da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 12:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
Size

101KB
MD5

b04235b4ae92d1767f2f7fc1d9a57c3b
SHA1

cf8f7b2ca9aa6997bff7667ee1fff95481ada42b
SHA256

da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068
SHA512

fb4c24bea5a31c7539a943278d5d6d76333d339580d1b3fc01d8264e3ab6cf13d68b8b915e40d2aba58abea6e728518e9831d202fc82ff9852e74f3e85ae66e6
SSDEEP

3072:7eftffhJCuU1GvE4pL4zv2NL6sRe5lxe:CVfhguCGvEaL4z6Re5S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2168	Logo1_.exe
2820	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
2544	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
File created	C:\Windows\Logo1_.exe	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe
2168	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2800	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	28
PID 2512 wrote to memory of 2800	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	28
PID 2512 wrote to memory of 2800	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	28
PID 2512 wrote to memory of 2800	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	28
PID 2512 wrote to memory of 2168	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	31
PID 2512 wrote to memory of 2168	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	31
PID 2512 wrote to memory of 2168	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	31
PID 2512 wrote to memory of 2168	2512	da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe	31
PID 2168 wrote to memory of 1972	2168	Logo1_.exe	29
PID 2168 wrote to memory of 1972	2168	Logo1_.exe	29
PID 2168 wrote to memory of 1972	2168	Logo1_.exe	29
PID 2168 wrote to memory of 1972	2168	Logo1_.exe	29
PID 1972 wrote to memory of 2652	1972	net.exe	33
PID 1972 wrote to memory of 2652	1972	net.exe	33
PID 1972 wrote to memory of 2652	1972	net.exe	33
PID 1972 wrote to memory of 2652	1972	net.exe	33
PID 2168 wrote to memory of 1372	2168	Logo1_.exe	8
PID 2168 wrote to memory of 1372	2168	Logo1_.exe	8

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
  "C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a17F4.bat
    3⤵
    - Deletes itself
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
      "C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe"
      4⤵
      Executes dropped EXE
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe
      "C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe"
      4⤵
      Executes dropped EXE
      PID:2544
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2168

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
  2⤵
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
52d4dc15c2ac290bd7d8f5c88ea1ef4e

SHA1
a82a1d61cbb7a7a6693386e0c85c5b509c4019d6

SHA256
05dbcbb2ce2995b620c7f08bfc0e2d52bfc298479611d44ec8c9c50ca030cb72

SHA512
6d164e78fa73b899a6a1a2295de910e015408672253b4e71b772791af6aed0e5ab3149a17ab53f185671ea7093a891b1725c9c47befeabc5af5e585edc139a3e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
f9fc019eacb573ec828d2d9ff6a48318

SHA1
b91958dc8d178b6eeb35e829bab84d0fb12c2280

SHA256
bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e

SHA512
998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a17F4.bat

Filesize
722B

MD5
bde8f4749d7ed0afb0302c5d971ccd03

SHA1
9a848b6509493fefd85cffaf285d0001a66d2ae6

SHA256
a15d2ed4fd127410fa3e0f6022060c23959f46cf262eb8efc9ff661b036429aa

SHA512
71d3af89ea70027ff65dc5b848b27aea0610696f14d5212a360d00914291d0a751790b97b25519c7cfb9556f000c056b94a49a521794dc672746f2e30b852daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe

Filesize
64KB

MD5
102bbc51b21069a912b5abe2befc2594

SHA1
f33de03a35462ad254768c8ef12b53881f473fdf

SHA256
56e2df15f085ac7c65ff1b0f7f27032d04ea5b2d977fe81119c8bad81e2de65d

SHA512
4ec54cd8a384190b223d035ca24ee8142b5c552f16d84e4de801bbbac622f3697a4c44babcd459be7751305a32d6dd8cf08f4e68fcba91554bc55fe5076783d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\da974231098bb1dd2ca19fc806206d27a48ac5958d42dfe70c652d4c6d0a5068.exe.exe

Filesize
75KB

MD5
a7851a05e83f42f741a804320c485083

SHA1
b76d2e6eb6d2bf289a5118c908578906851460d0

SHA256
3600ff58fdb37f53562e626fd74d6f4d8d39925d711a96f221bb4aca7992926a

SHA512
eadbfbee79aa0f34b35e0a9c9d717b3c8ac18729df8e52332b696352a2a41d0da37119ab1cb81a10bb7854b930e6479686f8fa8b5a447d48213e3c1c9304ce7b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
3b87ff58bc104133916a7a30d3003760

SHA1
b9d39736d9659661bcd169f5792cd967f0ee430a

SHA256
2dea75339ef8773a1ba61b233c4d821f93a4eba1f7b1f776824acced8beec0ca

SHA512
30188c4d34cfb2b0017fb6c599c06aee4dac13cb6c4de52b08ebb3ee083791079a1e47d5f94f7772a5fbfd86fef3ddae55ba5e6dca0eaf1e61ed4b87120a8b26

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
242aeb786105d703ec823e385bc6cb2a

SHA1
45c2b23f1b7d645e7345db310cb2d031d1670bdd

SHA256
74a26edf9895f7c6b0ecfd584a1aed3599749033a1f2388408f7f3c01eaffb4f

SHA512
d5006543b2a0244a9f3962dc17d760c1ebf707f958d677cb73e3063c0e6b7e59f6a2516ff5460cde828aa6685a4cd6721274b41fd8bfdf3fabec777fc3c94006

Download Submit
memory/1372-65-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2168-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-3348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-2815-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-1055-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-1888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2800-59-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download