6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe
Size

2.8MB
MD5

bed10402647b0c71e83f2308d35f7c24
SHA1

33aea471a0c92330d4a7297e3862e532a0368a1d
SHA256

6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319
SHA512

e0fec39571c0795d9dd7f261fa1ec5352d11d1d496fef4f8bf030aacfd9d9cc62e6849b5672824ae094e6b65c6f5aa71c3126fe6de8002ce9e2be6bf91a4b738
SSDEEP

49152:X7T6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:Kd1XdhBiiMa7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	Logo1_.exe
2448	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe
File created	C:\Windows\Logo1_.exe	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe
2888	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2972	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	28
PID 1976 wrote to memory of 2972	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	28
PID 1976 wrote to memory of 2972	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	28
PID 1976 wrote to memory of 2972	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	28
PID 1976 wrote to memory of 2888	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	29
PID 1976 wrote to memory of 2888	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	29
PID 1976 wrote to memory of 2888	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	29
PID 1976 wrote to memory of 2888	1976	6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe	29
PID 2888 wrote to memory of 2672	2888	Logo1_.exe	31
PID 2888 wrote to memory of 2672	2888	Logo1_.exe	31
PID 2888 wrote to memory of 2672	2888	Logo1_.exe	31
PID 2888 wrote to memory of 2672	2888	Logo1_.exe	31
PID 2672 wrote to memory of 2532	2672	net.exe	33
PID 2672 wrote to memory of 2532	2672	net.exe	33
PID 2672 wrote to memory of 2532	2672	net.exe	33
PID 2672 wrote to memory of 2532	2672	net.exe	33
PID 2888 wrote to memory of 1200	2888	Logo1_.exe	18
PID 2888 wrote to memory of 1200	2888	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe
  "C:\Users\Admin\AppData\Local\Temp\6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a148.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe
      "C:\Users\Admin\AppData\Local\Temp\6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe"
      4⤵
      Executes dropped EXE
      PID:2448
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
72b78c7a0f4ed4969a8f107c0a03ec2a

SHA1
9d2c36fd60c6f5da7f2b53c00c0dd19f8f1734e3

SHA256
5ac58be3e267a5eaaf7eb8fe78e96254f37f6bffd1b203f0c7e2cc010f363f9d

SHA512
041ec2c15e297de846292a13b4af32d2a6f884e279fb9b387c12407ca756e80224c9319fbfd830e01b398991c139aeaf7bd30c7127bac3e8f1ec80fb9b3b5cc8

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
fce01a67577fb7ed0e3e01dad325c7ea

SHA1
e120f2e97491465d6cd86700fb30830214d9f8ab

SHA256
e23cc73613a5c5ce0937c9c9b219ba3f777b7e27a385e12280b570ade7144842

SHA512
823ad15be7d6f243b35016746481e1e53714e625cc621eeb3a82163fa2402e2ea4be2c076d0f0ca178cf99537e879b8b8142a939b299b14ad4efc49db23156d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a148.bat

Filesize
721B

MD5
77f3b24186005fd5fe3ad38f30d9a553

SHA1
53eee5c3e61c66ebbff655c61740d52847cfcf2e

SHA256
5dac2a89aadded6b3bc259e1aa890c0a857b6c861cc596df68009329466a8acc

SHA512
5daf7c280310b5144a2fb934344fcef9ae36a8188500a5591e2c31a1a12fb7b64f1a1d9d16683915d9d94aded3cad5179d533c8440526dc9c533422e0b8b5c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e2f218462b91bf437e52ef0f13779c7958d483c3918a6dea808878aa5693319.exe.exe

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
117882df6beb3d0717ffa507994a5a45

SHA1
ca627aa3bd403f618ba52df98f058bd17575a937

SHA256
4a5e4f6790935a1b103d45a64f8677b8123d9a0bbb03fa6f62e4e27729f2d6e6

SHA512
af76c06ed35e1d70766de56fb839529f9b3c0be1c14694aa63d7bf4f470a08815a679b74153563b85f0fddf56f4f2632e2ea1b88fa6e05ee709df5ce8cfad1a4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/1200-29-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1976-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1976-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-814-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-2441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download