0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
Size

209KB
MD5

d46c2e4f139469026284838b2dbc76f8
SHA1

dc7f2fa37c047e93ae1e5c913f0cfd7c03d5ac84
SHA256

0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080
SHA512

47b225a4b6265521dca53794cb53920802065a46683fbd047c029d13350c14bae263129446843a55481cadc076e3d26ffd63869dec553c67d1e06602f0dae4de
SSDEEP

3072:CMftffjmNi8czzbjwY6c/gnNVitAsCx7nPQOH0uLHNjMl:CUVfjmNOz3wY6c/SN0nuSAy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
File created	C:\Windows\Logo1_.exe	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe
2696	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3024	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	31
PID 2220 wrote to memory of 3024	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	31
PID 2220 wrote to memory of 3024	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	31
PID 2220 wrote to memory of 3024	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	31
PID 2220 wrote to memory of 2696	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	28
PID 2220 wrote to memory of 2696	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	28
PID 2220 wrote to memory of 2696	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	28
PID 2220 wrote to memory of 2696	2220	0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe	28
PID 2696 wrote to memory of 2804	2696	Logo1_.exe	29
PID 2696 wrote to memory of 2804	2696	Logo1_.exe	29
PID 2696 wrote to memory of 2804	2696	Logo1_.exe	29
PID 2696 wrote to memory of 2804	2696	Logo1_.exe	29
PID 2804 wrote to memory of 2968	2804	net.exe	33
PID 2804 wrote to memory of 2968	2804	net.exe	33
PID 2804 wrote to memory of 2968	2804	net.exe	33
PID 2804 wrote to memory of 2968	2804	net.exe	33
PID 2696 wrote to memory of 1380	2696	Logo1_.exe	16
PID 2696 wrote to memory of 1380	2696	Logo1_.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe
  "C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5DAA.bat
    3⤵
    - Deletes itself
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
299ab7dbaeb02447f377af6a205c48f8

SHA1
00ca08a1744471210b83edb2dbbd88223fe1edce

SHA256
bd8886ea6cffa00bb88a3bf690aee0944e9c3fbe6a4cbf382c58993381278362

SHA512
82ad942b87226bb545120b3972ad4e90fcf9068e58f61943b4dc447e490a3c5233b55ee8abc9a493b9be13e07cb3662bae2d26f409c6c3b4539d58b940047f7f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5DAA.bat

Filesize
722B

MD5
63e4ba28c002d83e64cd03d6349ac42b

SHA1
ea4ec14a95cbed3d457b66744c2f6d3caf1ff72a

SHA256
7e1a59055c99552007a5b476317f76d400dfdc878c30ade85fcd597afd9aa3e9

SHA512
91b0da7c6f5437c5f2313e3e79d79d4bd1dc4c89076d188fb8dd81c151ae61d2a7e2282daf19c498f78b5524812c2c10c7ab68ff9c7a33d974ea572e683c7077

Download Submit
C:\Users\Admin\AppData\Local\Temp\0014549b07099d35bd02e85b42cf07c36bc289e56d36b3aa3a38d356e2609080.exe.exe

Filesize
183KB

MD5
662bdc84d0d9ac70c8534251a5fc6e89

SHA1
42d0b8274a7bf0acedd523675569115b9f6f21ee

SHA256
d5cbdfb3c92db54b8ca4394534b97d8eba0d89a982084617f29359bfdae532dd

SHA512
c1147e2b19d5a64f286b606fde28f2c558ed3353adddd256468b02ceb7dd8a5202c74ac940a9d7f38a8d27028464fa11baa0f732e4371cf56a61b14849aaa842

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
bcba863fad08b47d4a766181d455e05f

SHA1
d155fc0a4769bd10b1bdf2b582c4973dbdb8d15c

SHA256
40cf326f6c0152dc5fa9dfe0b2314e273d858ba3f6b18fd534d924604ddf55f7

SHA512
1dbec3b132c9bd0e5fb8da83d1e567db061eb2362da1fb339c5eef6a464ab4f69d625c2492c237262090f20b7fc2adc11fc362d2540bd955ecbbd85602e8c093

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\_desktop.ini

Filesize
9B

MD5
b347a774e254ac3f0d6aaea35544ac50

SHA1
7f332d15a7648f7a698b3068a428811361f4e9ab

SHA256
1ebd1b85bb264260df3d9fb0a2062b29199c7b6137dcc98486874c1d257c73cd

SHA512
ce8615c90c8794f0aefeb0c6ce5da126732695e6be36b5e625f3a073d55c6f8cd88ca465b07e2c0e87355b5baad887a3f0b26c4eb262484a83d35565e72ba138

Download Submit
memory/1380-35-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-16-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2220-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-823-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-1886-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-3346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-127-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download