a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe
Size

87KB
MD5

5e6fc6f6b945b6acedf1e294a19bb3ae
SHA1

a19354c5d19a60f1f4758ca21a4742bf8709f61e
SHA256

a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1
SHA512

ed83f357f405b19333b737a3664f0fa8573f8541a068d9415b5e02b1625bbd714611715eaf156d02ee1641d5cb077ce8f90de5329117d6d20191ff4ace9c7c74
SSDEEP

1536:jfgLdQAQfcfymN80IA0OVWwgiJ+cUVY3P5RHHxe:jftffjmNcAA3cHh1Hxe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	Logo1_.exe
2664	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	cmd.exe
2916	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe
File created	C:\Windows\Logo1_.exe	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe
1992	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2916	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	28
PID 2876 wrote to memory of 2916	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	28
PID 2876 wrote to memory of 2916	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	28
PID 2876 wrote to memory of 2916	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	28
PID 2876 wrote to memory of 1992	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	29
PID 2876 wrote to memory of 1992	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	29
PID 2876 wrote to memory of 1992	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	29
PID 2876 wrote to memory of 1992	2876	a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe	29
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 2916 wrote to memory of 2664	2916	cmd.exe	32
PID 1992 wrote to memory of 2696	1992	Logo1_.exe	31
PID 1992 wrote to memory of 2696	1992	Logo1_.exe	31
PID 1992 wrote to memory of 2696	1992	Logo1_.exe	31
PID 1992 wrote to memory of 2696	1992	Logo1_.exe	31
PID 2696 wrote to memory of 2812	2696	net.exe	34
PID 2696 wrote to memory of 2812	2696	net.exe	34
PID 2696 wrote to memory of 2812	2696	net.exe	34
PID 2696 wrote to memory of 2812	2696	net.exe	34
PID 1992 wrote to memory of 1212	1992	Logo1_.exe	20
PID 1992 wrote to memory of 1212	1992	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe
  "C:\Users\Admin\AppData\Local\Temp\a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11BC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe
      "C:\Users\Admin\AppData\Local\Temp\a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe"
      4⤵
      Executes dropped EXE
      PID:2664
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
2153650fc7062628c16d837b6f313275

SHA1
56b7be7558ed2e941321176d4cc1a004cb190628

SHA256
aecf2553c6f56db33cc482e22670eca33568dd39ee5a449152597f52d910dcb1

SHA512
0759f71edbd93a7d6848c2f764b3e1f8c865168ad34b1c7ad5f7b12fda7300de4709d3c17b79b398195f4f0951faa83efe11a72f859787ed71fd68f6f9c95df0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a11BC.bat

Filesize
722B

MD5
501ea0fd7c7d0a34937b0344bdb8ecfc

SHA1
cf3d5e55ba4e030c3bcc8444b2d0eacf5f768518

SHA256
b0f3ca5e214c399a1e9cf934bbe716a30f9dc7f361e751992db76ccb689e63a1

SHA512
ca6836bc482ab1d9c66f2cac0630a863cf18fe5fa329ea9e962850842d02e68bad7e406ea81fca139ab298f59622d4f9abff1c6fd0e5c384eea6ddf105e33bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4efcd3afd58c0068811c02e1fefbf4455979e545cd93f5a8ede0addd42c5ec1.exe.exe

Filesize
61KB

MD5
eb0c287736b22fc1eb08555dce0b377f

SHA1
deac9ddf91b9d177683c12a0da042b9293540ec3

SHA256
8cfa6d0d5c243a95c070284a1db42ebef0cf383476a150f9125869d752ecdfc6

SHA512
e77f794f67c6a0d1883653211e40304d7c45cf4d9dcaae9d00131c17b4770c478d20309bfa8db5b97931ece58b1a974db06e6ad8ac3718c48c62ad2cd9755adb

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5a074bce57cc5d988bd5eacb7dc8547d

SHA1
f20223a44b63bc4bb2759b7ee09f262e028e8103

SHA256
eb5b6f9c8578fd264191af6a68b5c70d3aa01d42b24d6b5a316a09da6a66f24b

SHA512
6c2a15820fba59fa8ddb196fc1869b2b33041e440af1042dd109bcfd77dbc07263cc83edf5b91d2d8f5a5ff94ebb4bec554e40267bd210ef27838905e0db64a2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
cfe6f484be357c72eb43c1bf358667cc

SHA1
e3d7e0445522b691704b4118172728b6a29eb809

SHA256
da822ce24d9fbaf4a51165971caf1c53642c637bb0140121b9041e3b23b05946

SHA512
29d9ed22715e24413a7b4110e4a45e99110c8b7c0e4f6b0033d5b41f9564687e70aabb182ff809223355daccc6bebf4a90df3dfd6bbbc54649227bf38097b236

Download Submit
memory/1212-30-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1992-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-709-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-2406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-16-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download