327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe
Size

46KB
MD5

883d747a39aa4ff20c93f5732d14533f
SHA1

3a8f720eae459459b6ff869b1570912062aa3d9a
SHA256

327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e
SHA512

69e00490951d97cf379267e99dc014bf2d7e15805d2995deae35baf5eec3f2816bb404dacbeb9242a2bc151c5257bd5254d9f7ab9098cee27e394dabda285b0e
SSDEEP

768:kf01ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLHnV9P8fGZ2Fl/flDG7OUf2hD:FfgLdQAQfcfymNTV9q/f2OUfS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2160	Logo1_.exe
2656	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe

Loads dropped DLL 1 IoCs

pid	Process
2940	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe
File created	C:\Windows\Logo1_.exe	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe
2160	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2940	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	28
PID 2824 wrote to memory of 2940	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	28
PID 2824 wrote to memory of 2940	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	28
PID 2824 wrote to memory of 2940	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	28
PID 2824 wrote to memory of 2160	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	29
PID 2824 wrote to memory of 2160	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	29
PID 2824 wrote to memory of 2160	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	29
PID 2824 wrote to memory of 2160	2824	327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe	29
PID 2160 wrote to memory of 3012	2160	Logo1_.exe	30
PID 2160 wrote to memory of 3012	2160	Logo1_.exe	30
PID 2160 wrote to memory of 3012	2160	Logo1_.exe	30
PID 2160 wrote to memory of 3012	2160	Logo1_.exe	30
PID 3012 wrote to memory of 2644	3012	net.exe	33
PID 3012 wrote to memory of 2644	3012	net.exe	33
PID 3012 wrote to memory of 2644	3012	net.exe	33
PID 3012 wrote to memory of 2644	3012	net.exe	33
PID 2940 wrote to memory of 2656	2940	cmd.exe	34
PID 2940 wrote to memory of 2656	2940	cmd.exe	34
PID 2940 wrote to memory of 2656	2940	cmd.exe	34
PID 2940 wrote to memory of 2656	2940	cmd.exe	34
PID 2160 wrote to memory of 1256	2160	Logo1_.exe	7
PID 2160 wrote to memory of 1256	2160	Logo1_.exe	7

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe
  "C:\Users\Admin\AppData\Local\Temp\327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC6.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe
      "C:\Users\Admin\AppData\Local\Temp\327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe"
      4⤵
      Executes dropped EXE
      PID:2656
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
920549b3749f17049173fc1c69ce5fcd

SHA1
1b5be37d2d800e23d87b4c415fdfc7ff875b8580

SHA256
ddaf4a789e331cc85e2503408634f6c90a5013d876588cdcd62f937159797980

SHA512
beb8eac40bf9fd6db8b88ecdac79afe2ced905c5216e06f3f401f536b3b1358b870470962b97b61721bfeec1820bf5446e6bce49aa5e3667e29f08ed776dcddb

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC6.bat

Filesize
721B

MD5
82e433b727baeb238a1c64f331df3a4d

SHA1
1fe0659dd79d507542f59ab1e7ec0f12a44f9bd9

SHA256
c9503bae5f426f9b856ba621b78daab6acb90720be222200801dc8bafe373a80

SHA512
97331b83025af06be70ce6d7dbd3c98844d843d493096094a4087c7770c3b859249fa04042a62476eb0759078f09c8d20166f1259c2c86158fd0295b0f92c7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\327a7e69cb102823ec0ff1f9cef546d465b7a67f1e38495d53129d406a14df2e.exe.exe

Filesize
20KB

MD5
eecbaf85768c517873d9d252a80b195f

SHA1
029a51833a50acedd0cab3b4346e00c4410fe6e2

SHA256
db5e89efdc811020d02ecbcd908a118baadfaf65a54b2b6d8ff413a49b750e02

SHA512
fdd70770b4c42c03f85ce5c9b081df48313bc0415b1085193ea259c114befa93eff0136129b7d99f591268c546e8652512b468275b0b905497d576af9bdad4ec

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
f598376cea79e7f718da4683838390fe

SHA1
f78e230efc8c5e8c91a0b9b113ceaed1540b265a

SHA256
4b3bae74acc7982f6fced2e409db1a27fe3d1a12b183172722deb128d0f369fb

SHA512
4c522f02a7dd671865f570ca74faa19ba74287240856f8ed7c85cae0f079b66b5af92e5f4c0ec6d77b41b8c0fd58f030c7d16d20d7ad537eb9117ab7d1bbc831

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\_desktop.ini

Filesize
9B

MD5
0b7b9562015af2b7e19efc062b59ee14

SHA1
bca831ddb43ecb24747e57434d4b443497801c21

SHA256
7ef40a98b77a81085c0a426908276cbaead1573daf25f79344d7b4502d953774

SHA512
bd3c5f0408ac0ad1b82734cc0c4aca5fa6c96c901307f2e85dc4ce6d1db5a91ac6f7e4794e84286813fd94c648665a94f3496e5d22f6b0f624af4b795871f5a3

Download Submit
memory/1256-29-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2160-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-911-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-2660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download