adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe
Size

3.3MB
MD5

7a077ab20849b6cc5c9182f89f579d2f
SHA1

bdfbd17751abf641a8c2a349c8387fd829d8e7ce
SHA256

adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331
SHA512

f6a0bdd22098ea3a5f78704736cdfb132e177da0e3bc68b4030a630cc8782d92e091088cde186c39751811e270d514a4f0404b2660b776e6415c7851e8c07a62
SSDEEP

98304:ZnQwzmQe7A3gATZ0HTEUj2bTmLQHZ7Jg6ZVeFVvnAfZBd:ZQ4uIULL6VyVvnAf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2060	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	Logo1_.exe
2904	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2060	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	30
PID 1180 wrote to memory of 2060	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	30
PID 1180 wrote to memory of 2060	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	30
PID 1180 wrote to memory of 2060	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	30
PID 1180 wrote to memory of 2064	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	29
PID 1180 wrote to memory of 2064	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	29
PID 1180 wrote to memory of 2064	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	29
PID 1180 wrote to memory of 2064	1180	adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe	29
PID 2064 wrote to memory of 1692	2064	Logo1_.exe	31
PID 2064 wrote to memory of 1692	2064	Logo1_.exe	31
PID 2064 wrote to memory of 1692	2064	Logo1_.exe	31
PID 2064 wrote to memory of 1692	2064	Logo1_.exe	31
PID 2060 wrote to memory of 2904	2060	cmd.exe	33
PID 2060 wrote to memory of 2904	2060	cmd.exe	33
PID 2060 wrote to memory of 2904	2060	cmd.exe	33
PID 2060 wrote to memory of 2904	2060	cmd.exe	33
PID 1692 wrote to memory of 2224	1692	net.exe	34
PID 1692 wrote to memory of 2224	1692	net.exe	34
PID 1692 wrote to memory of 2224	1692	net.exe	34
PID 1692 wrote to memory of 2224	1692	net.exe	34
PID 2064 wrote to memory of 1392	2064	Logo1_.exe	13
PID 2064 wrote to memory of 1392	2064	Logo1_.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe
  "C:\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aAE97.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe
      "C:\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe"
      4⤵
      Executes dropped EXE
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
7ef2913fc272a57a19fcf8462455aa97

SHA1
f39caed4f4bad2eaa6c7830771c42227bc1831f4

SHA256
e8629b61eb536fd383d308f941b792af2be1744c87bcadb83e5bce5b35e1394a

SHA512
6af4857c1b41f65fb826f81beca5df0f68b314c865813ece879dd32f353a7adbe4d2f9ca0c3af2e447338e74fd45e3669ded0c21f1c99f3d9641b389d03d1c02

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aAE97.bat

Filesize
722B

MD5
af1b73569b64f98c771a23f9de8da375

SHA1
9930c3132490860fe33e808f6fdf0a396b7ff8e3

SHA256
80cb67f41d55e01c902c9fe6172f5152a87177526ea9654dc214595a95076828

SHA512
0c795614ec23da7679a4456f4dd428d86ef7f108f7d8d6055ce5562d81432e076145dc5b989bc6074728c411e0309868dc05fb44d21370a055af1565794252b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe.exe

Filesize
3.3MB

MD5
d212ca9a75494cf665901f63f4d9b422

SHA1
88be01da898259b61f3a5a92496b5967ef3b57e5

SHA256
6401ce76a781fa0e430f55b49f4b35e34c8ab5c92f7e3d28655a13ba89a5a598

SHA512
ff5d14f6a53d6569f1d56c5019bbf4ca67b90ae80ce34d7013732edd49062643e6b47c42f3118af4e79ecb133763a85fe66d522f7d9a4203d8da894dc21e683e

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
0901dc82d2fca942701b9f12bc1fd530

SHA1
6913b4c6a6ce2c7e162e986fe74cb5c135af37ac

SHA256
3bb60e8cfe0ffd2e771c2382401f634b2194d8883a42716bc46cf132ac163150

SHA512
9b1913e0641f72b7d1e9f8066266a50f1c4ee5ec0ea7432ece057f6db8636d9eaa507d5137f796015d27511563a75093890bd4b5d54d3c1dac750eab658a6c41

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\_desktop.ini

Filesize
9B

MD5
b347a774e254ac3f0d6aaea35544ac50

SHA1
7f332d15a7648f7a698b3068a428811361f4e9ab

SHA256
1ebd1b85bb264260df3d9fb0a2062b29199c7b6137dcc98486874c1d257c73cd

SHA512
ce8615c90c8794f0aefeb0c6ce5da126732695e6be36b5e625f3a073d55c6f8cd88ca465b07e2c0e87355b5baad887a3f0b26c4eb262484a83d35565e72ba138

Download Submit
\Users\Admin\AppData\Local\Temp\adde0c7d43f4b198ac9a875a34df4e0a4e9b16f7fffdb5d0d72b2339c0a81331.exe

Filesize
3.1MB

MD5
a442311dda523ae54942ef319814c9b8

SHA1
c32c435706ffb26eecf651fffe132fd06accd6cd

SHA256
9cf19ec198a152507ffffad8760d46a70a855274b0a47b4b16b200be46007f03

SHA512
a22edf5b5efe447dddf3a92e3ed5ce1807cebb5ca69b8e5206133b4deb6d86f201072c2dc9fbdcaf54937d34a0096404ba94d4458efcbaffa6779c4aa72d5efc

Download Submit
memory/1180-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-17-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1180-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-41-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1180-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1392-30-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2064-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download