12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 20:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
Size

1.2MB
MD5

197d0bf6264e56daf68f482df98ca74a
SHA1

15c4e1204bae02e804d32e24f8946ffb1c8c6ed0
SHA256

12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba
SHA512

6d96a2ed523ad2c131074037cf5b83e9edf0444e4873785dffb8963cdba02c75b620f8405386431bebcbc1baa3ed44e29b68906714956b5001842eab13e1d0cb
SSDEEP

24576:e7tTp75vGetOrmT6VxjdP7mKf/el53YNEbqlrhV5L:e7QetOrmT6jpP7mK9EbKVL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2436	Logo1_.exe
2820	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
File created	C:\Windows\Logo1_.exe	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe
2436	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2192	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	28
PID 2656 wrote to memory of 2192	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	28
PID 2656 wrote to memory of 2192	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	28
PID 2656 wrote to memory of 2192	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	28
PID 2656 wrote to memory of 2436	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	29
PID 2656 wrote to memory of 2436	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	29
PID 2656 wrote to memory of 2436	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	29
PID 2656 wrote to memory of 2436	2656	12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe	29
PID 2436 wrote to memory of 2292	2436	Logo1_.exe	31
PID 2436 wrote to memory of 2292	2436	Logo1_.exe	31
PID 2436 wrote to memory of 2292	2436	Logo1_.exe	31
PID 2436 wrote to memory of 2292	2436	Logo1_.exe	31
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2192 wrote to memory of 2820	2192	cmd.exe	33
PID 2292 wrote to memory of 2800	2292	net.exe	34
PID 2292 wrote to memory of 2800	2292	net.exe	34
PID 2292 wrote to memory of 2800	2292	net.exe	34
PID 2292 wrote to memory of 2800	2292	net.exe	34
PID 2436 wrote to memory of 1192	2436	Logo1_.exe	15
PID 2436 wrote to memory of 1192	2436	Logo1_.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
  "C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2E03.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe
      "C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe"
      4⤵
      Executes dropped EXE
      PID:2820
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
c75db7d2a5de1b427890b95716df0c29

SHA1
766c65540536ca717cc13fba183b93c9b62764b8

SHA256
22e2ebff999ae3c16599f5c2b6d617ea152b47139aa9b67d6e4ffe3497a2b92f

SHA512
81f28c7226197d87fb49b72fdc899d39bdd0f5fdcc1803cd3976d1dfb8909d888d3814c29bf5b30f446940f3076c5227b1f22365ba7a1a8b5b194d4b3c7a3835

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2E03.bat

Filesize
722B

MD5
b149035686e03e683ac5e4872d8351d9

SHA1
cb07c9843c5d673f7ef43630fb819bc8c393ef10

SHA256
1fa39623977ba9a108c4cae2eb4459716fb52fdd596ccc91baaf29adcaf1b4c8

SHA512
016d5038fdb793500aa8da09d1251ae0fee80beb20f87ac8f007de43696113fcea14e8146af274935f6da40a4628cd444d2a8d35e1b3a7483fd5308af330ce6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12e7210413bdc8bb948539e36445da8d9607a803eb29d9512d2eb035583ff0ba.exe.exe

Filesize
1.2MB

MD5
da2926199d937e5e6dca8f15c189b9d3

SHA1
bee107a4524b3a54768c7a01da8d9cd441b6d7d1

SHA256
b3e408a3ab8f27a979dc6216f0177137edbf0b12aa0c9f0963a7d31cc30f4024

SHA512
bf089cd73a1a1f90ec4c865f782f35b2c421449567ceae68b8c4a52e844cd1f0c413902aa87e9c305d79ac09b03ff23c6481919a585d72218e8247e130756768

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
96561b006c0d21a4337e53c5d05029fd

SHA1
ec489e1d92b52c53662f28cd591d068d60b24b16

SHA256
a7af91485e93d2467d0dc2a1aafb6cda75418abdcae3b06302b78b943443b70c

SHA512
81d1a972660b01d771cba47f3ed7567acb94c448ce2a190783340a4bdf0808e8ccf53a1bbe46998596d90ff264b385d51203cfd71f22cd501cde040490725a2e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-928733405-3780110381-2966456290-1000\_desktop.ini

Filesize
9B

MD5
627f23e6a85295eecfbaa9418a5501ac

SHA1
3aedd6b4b0d60e753e17c129fc49c6157fd013da

SHA256
f0b797dea0e5e1581d6d50754ef8f1f1a98209baa13b45563f349db53e3074ff

SHA512
54bb1e93614c2c878e83bfa7ddd9c646242251a7de1225c4d4672c0703720b901f6336233824c1df544d6ffda1d2dcccd1217035cfd55416ef3399b362abf950

Download Submit
memory/1192-29-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2436-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-39-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2656-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2656-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download