12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
Size

140KB
MD5

0a7a4f6fc64026bdf28b41d4d033a0cc
SHA1

1e8c8ab26094e3fa220a2706f3cdba4488149d5f
SHA256

12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980
SHA512

2af6f32505d705ab9bdd9f78c68c74a73589e9912515612c15b94c3447cab444c780871e5714a806670ddd1036f1ac55af555a925ab620bf45b6d7b80006d80c
SSDEEP

3072:SftffjmNusOfCOv//kxBsg87j914yBHlMKTaEUk:iVfjmNvOzvkxOg87gyBHldU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1720	Logo1_.exe
2696	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
File created	C:\Windows\Logo1_.exe	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe
1720	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2368	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	28
PID 2004 wrote to memory of 2368	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	28
PID 2004 wrote to memory of 2368	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	28
PID 2004 wrote to memory of 2368	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	28
PID 2004 wrote to memory of 1720	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	29
PID 2004 wrote to memory of 1720	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	29
PID 2004 wrote to memory of 1720	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	29
PID 2004 wrote to memory of 1720	2004	12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe	29
PID 1720 wrote to memory of 2640	1720	Logo1_.exe	31
PID 1720 wrote to memory of 2640	1720	Logo1_.exe	31
PID 1720 wrote to memory of 2640	1720	Logo1_.exe	31
PID 1720 wrote to memory of 2640	1720	Logo1_.exe	31
PID 2368 wrote to memory of 2696	2368	cmd.exe	33
PID 2368 wrote to memory of 2696	2368	cmd.exe	33
PID 2368 wrote to memory of 2696	2368	cmd.exe	33
PID 2368 wrote to memory of 2696	2368	cmd.exe	33
PID 2640 wrote to memory of 2364	2640	net.exe	34
PID 2640 wrote to memory of 2364	2640	net.exe	34
PID 2640 wrote to memory of 2364	2640	net.exe	34
PID 2640 wrote to memory of 2364	2640	net.exe	34
PID 1720 wrote to memory of 1188	1720	Logo1_.exe	14
PID 1720 wrote to memory of 1188	1720	Logo1_.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
  "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a83B.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe
      "C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe"
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
511a2d5905efad810a21feada48ceb39

SHA1
6a4cf6d0a4bb651ea17966e3accbea68d62b9c3e

SHA256
e4286846db738761d9e779ad53e9ba92d875f9acc03f8086307e6f1f1173ebaf

SHA512
56e2dda4271555861074bca1121e1b512c64aacc991bc089ef546f11e619359d5b338762d76bf67c8a069293a542ef1f59715f19efceac2ead1fe5eafacc8d3c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a83B.bat

Filesize
721B

MD5
7a587ef0e5c580ffcbaec771f6fa08fc

SHA1
de22f50ee1f58c2c20349e32324ea594a3e1553d

SHA256
92a53e33d6141930dcd5ca3c9a036c0f84bdd30d1f78ae0c0dec89d99a14d9d8

SHA512
2e66bf2676fb4433f63bf8a62d3c3d2f5a5619344411a712f6a46e9e2c02824b60d99541d87d3b7054c60add980d8cd6f0335a02950c798fabf28d95152465c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\12127e1a505452f2476e535000783f803722e9bfb9efae49b906df8669af1980.exe.exe

Filesize
114KB

MD5
6c80c1bf7daa513dd0620bd7b4df1d46

SHA1
dfa6ed503b0e3f5b803f525eb6d8073847c437c9

SHA256
b489419bb8438de7196b180da1923b98c912ab7db96e0ad63c2b3b5ee2b2808f

SHA512
fa238af9c2bce8f5bed9939264daff575002d9698c3206457fa716713c35a3660dbf06a851a1e43d9d5600ceae20816acf2b188d5f40ae478aa0e2d23cc5e733

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
247aafc1af131a360429f437cdedad82

SHA1
02ab749c7aa28ae7beb232991754aecbc3e596ba

SHA256
318e25db58c0812b719310265b3dc04aa4e1fa756cef4e26b57162ab54fc0ad1

SHA512
2486fe7c037e6d57936521ea35098df0955a16438979d1335d48f7c912d0ee21b37225c14fb6a2ad62c268b84132883650684664c4370e7188105cd070bddf78

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/1188-29-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1720-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-666-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-2253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download