20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe
Size

251KB
MD5

90fea2f5833c468575d5369841869659
SHA1

408b2c321d3673018860ddc03488257d27e04908
SHA256

20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d
SHA512

4c9c998236ca1490171c9b3e697e52f52165c286716b3d19e0ba1250dba44dc741f0e78509a1831d40122c0de978b03943bcc68b1e764a9df6ad64997b44f0f4
SSDEEP

6144:2fyVfjmNHgiC4bXqsTk90qC1AOb7eswf1Px++fD8PJ:2fM7+AitXqsTkiR7twRx+gD8PJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	Logo1_.exe
2404	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe
File created	C:\Windows\Logo1_.exe	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2104	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	28
PID 1988 wrote to memory of 2104	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	28
PID 1988 wrote to memory of 2104	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	28
PID 1988 wrote to memory of 2104	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	28
PID 1988 wrote to memory of 2884	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	30
PID 1988 wrote to memory of 2884	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	30
PID 1988 wrote to memory of 2884	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	30
PID 1988 wrote to memory of 2884	1988	20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe	30
PID 2884 wrote to memory of 2628	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2628	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2628	2884	Logo1_.exe	31
PID 2884 wrote to memory of 2628	2884	Logo1_.exe	31
PID 2628 wrote to memory of 2648	2628	net.exe	34
PID 2628 wrote to memory of 2648	2628	net.exe	34
PID 2628 wrote to memory of 2648	2628	net.exe	34
PID 2628 wrote to memory of 2648	2628	net.exe	34
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2104 wrote to memory of 2404	2104	cmd.exe	33
PID 2884 wrote to memory of 1284	2884	Logo1_.exe	14
PID 2884 wrote to memory of 1284	2884	Logo1_.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe
  "C:\Users\Admin\AppData\Local\Temp\20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7291.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe
      "C:\Users\Admin\AppData\Local\Temp\20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe"
      4⤵
      Executes dropped EXE
      PID:2404
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
a373a8be1ec81f756766fd14b3cb1843

SHA1
a983ad3b441e2f54288c8d5072827553060ce489

SHA256
d161e11512f4ef6f84d1a09e742ebd623a5c6b2cf3135bb1e1015e320fbd1bff

SHA512
e661f7fa5373eb5cf879a615260339ce8fc29bdf950aa8127814cb14e1e03cd55184451a894dbb098ef377816aa1a0c50711af1d4e1cae5804fed3abfc9cff94

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7291.bat

Filesize
722B

MD5
737a19706455defaef8209e89c1c1c40

SHA1
44c1fb27280fd98e466ff288ce4453702a590970

SHA256
4f5a2f84f26fb2e8fa796dbd2ee63c5173686983c22c4395ece1cdd2646be8f0

SHA512
f511f5698b4db8fe52554a82cab588640769428878f86131b19fd3dd21ded3dd9744c54c6f29662578c39a4f0cdb6f054226c835e817147b83c14f77f23c2baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\20ec6eb479ce5033b2bb496319a125c19d76a43a547624cf140daa1470f1800d.exe.exe

Filesize
224KB

MD5
d4b257c01bbaa68d15d8368475a4e227

SHA1
fafae083a882e163cfa8c77258baaab891c17df2

SHA256
dd6dd981c7f1a6673dc8cc3a0fe1fc8a54e059a9fdb0545b0dc9258299c0c546

SHA512
167494ecb32196e8e199d7d14a1c0498eee45ab8e8862e5441539fa569313bb602b9e979935c7cc5ba39300e54e8bdbdf2f502e4ea24b5e8339fd2c3685ca502

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
fa7d00657b69c5ef3a25b5881e27629c

SHA1
bb660492122bf6806bbfafd813ff350d8688dfa2

SHA256
d27b08158258661b12e9741980afae6edfa1bc61aefc03fac0682cc65bc7e3e4

SHA512
a777409c2c9355bf0c1c8a0baacd2026a98f1e9c993f980c9151fe524ff20dcb7399c3575325609eb37d2eb13e7e740efc61042cad4db0cd2a6539227ab38677

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
a6bc0fa0eb5c759ba17f81f4ce455652

SHA1
b2feda30ea0f148bf795f29d8ecb189d413e2a1f

SHA256
44ff73e667b36a66728c495c39b0f21fd57ccc0fe4d4e5630f5463ca81e53613

SHA512
5326e0670e73a5d44acdd4aecf64b35708f380f781f5d54e21c6c94995803e20e2734f4144b8407cf84b60841133f9c714406b247d5bb16ff79c46ee9adcbe75

Download Submit
memory/1284-29-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1988-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1988-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download