3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe
Size

44KB
MD5

5bdeac27a008158522a1e2fec3b9cb34
SHA1

592269cbcecf5cf8e0ae540b7786d5a918fb379c
SHA256

3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097
SHA512

62d4b55e19f820371fb87f0e5f463cfacf73f7cb6965b33fe5547222ad258d4f72f9dafd466b62d2020a2a8bbbac35f6426047accd9671399050c9502e3f028e
SSDEEP

768:eX1ODKAaDMG8H92RwZNQSw+IlJIJJREIOAEeF12ZqpSIdUcvwQ9Uf2hW:ufgLdQAQfhJIJ0IO61KqpnxZUfX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1560	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2508	Logo1_.exe
2748	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe

Loads dropped DLL 5 IoCs

pid	Process
1560	cmd.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2832	2748	WerFault.exe	34

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe
2508	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1560	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	28
PID 2356 wrote to memory of 1560	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	28
PID 2356 wrote to memory of 1560	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	28
PID 2356 wrote to memory of 1560	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	28
PID 2356 wrote to memory of 2508	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	29
PID 2356 wrote to memory of 2508	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	29
PID 2356 wrote to memory of 2508	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	29
PID 2356 wrote to memory of 2508	2356	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	29
PID 2508 wrote to memory of 2608	2508	Logo1_.exe	30
PID 2508 wrote to memory of 2608	2508	Logo1_.exe	30
PID 2508 wrote to memory of 2608	2508	Logo1_.exe	30
PID 2508 wrote to memory of 2608	2508	Logo1_.exe	30
PID 2608 wrote to memory of 2684	2608	net.exe	33
PID 2608 wrote to memory of 2684	2608	net.exe	33
PID 2608 wrote to memory of 2684	2608	net.exe	33
PID 2608 wrote to memory of 2684	2608	net.exe	33
PID 1560 wrote to memory of 2748	1560	cmd.exe	34
PID 1560 wrote to memory of 2748	1560	cmd.exe	34
PID 1560 wrote to memory of 2748	1560	cmd.exe	34
PID 1560 wrote to memory of 2748	1560	cmd.exe	34
PID 2748 wrote to memory of 2832	2748	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	35
PID 2748 wrote to memory of 2832	2748	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	35
PID 2748 wrote to memory of 2832	2748	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	35
PID 2748 wrote to memory of 2832	2748	3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe	35
PID 2508 wrote to memory of 1144	2508	Logo1_.exe	20
PID 2508 wrote to memory of 1144	2508	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe
  "C:\Users\Admin\AppData\Local\Temp\3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1610.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe
      "C:\Users\Admin\AppData\Local\Temp\3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 148
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2832
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
20157578c082f76ace74dbbd1118432e

SHA1
456923120de4eb2d9efa48aacf8d09bf08e0308d

SHA256
b143d8fe8a3e199453eac9ccc15de01e26882e9e1da8021b6ee045dbe0290468

SHA512
0916ccac8ca22868cd900a1bf62cafe6522cfe40649fcedfeec650badde7ed6cfc6949509209d85d46da67f616dddfe58ae6e5e209dcf5de9956157825b66a98

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
f9fc019eacb573ec828d2d9ff6a48318

SHA1
b91958dc8d178b6eeb35e829bab84d0fb12c2280

SHA256
bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e

SHA512
998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1610.bat

Filesize
722B

MD5
1c4797072bbc767add1dfc1e6c79fefd

SHA1
df30bdec062756451dab74c3a50ccc29ef49ae15

SHA256
399744b53f6c974fb65974fae753ccbe9063b958976a7ec413ba8c99a8bede5c

SHA512
56b734add62400a081257b1d7b43c36d2cd395d85f90db2af307a8e2c195e61c82d32735770f51921e1da6589e2c93b3b2f29684ceb95a9f5eb5954d761410e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3af4017e49292c9b821fd4eb01d4872d953c9867e9c941676097df4790420097.exe.exe

Filesize
18KB

MD5
f344d9d7bfe9968c258ceb0bcc91a386

SHA1
ec85058a634313725b308f883af6f8ba0c729b4b

SHA256
1b65136281048ad44c8a51a8332799f800347e05fb3a21f5e3305dcce1d72d4e

SHA512
86c74994b75ab0bc2f3c9cb38bc1b3bb51db5c6df2eba783b30f9b7f9a5c54b84f8a9c3bdb6ef6e0c64edeabfddfb0204570a147348406d8a3e30c661dc5822f

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
27474799bcd86ee6bc4dfdb0fabe45c3

SHA1
d2203d7dedafcaf3d1ddd21a51b92c15b1ad67b5

SHA256
237fe393824ae9f88eaf70c5e760de08384ed3c221769f499c2caef1aeb86290

SHA512
d84c4bd3709c00c83ee0466af993ae18a215c982395f6e2d11945e6a79eeff6c56192410a36427751bbfe58021cc7390fd28344efb5b47d4c7c719ff3a02b464

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
8B

MD5
658d36413fa4de67d2edb254a0383bbf

SHA1
bd660e7319a5040c3af6edca0911a4ab4bdc33df

SHA256
0118c20e2d539544ae8e73767b080d41f4ff57be18407222143ebea26d6affa2

SHA512
f368a5a7d963fec63b9d599a1da34ae9eea37261f8c4d267d73624f5a36a0402f1f780317e094b240de3980a0a144929ea2076a23b134267cb0209b3172e1b7b

Download Submit
memory/1144-34-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2356-21-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2356-46-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2356-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2356-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-837-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-1857-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-2522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-3317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download