a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe
Size

528KB
MD5

d5639252bec85e46d6a12eb34720e0c6
SHA1

9e28611c8d009e88d7493b0bce5cd37aab3aac24
SHA256

a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea
SHA512

a1e2d0bbc5b04dfe8e126898c159a33784bf8bb9343925ec395a32c61497e4e88829221a25230a3dd2bfdb371acfe38210cd7fb842ba64c4308ecfbffd5cb56a
SSDEEP

12288:u7+x/wEmXsjvqI0M5xJ3xdbdMcPM3aDQ8lfb:u7lLvM5xrdXPMGQ8D

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	Logo1_.exe
2460	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	cmd.exe
2372	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe
File created	C:\Windows\Logo1_.exe	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2460	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2372	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	28
PID 3056 wrote to memory of 2372	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	28
PID 3056 wrote to memory of 2372	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	28
PID 3056 wrote to memory of 2372	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	28
PID 3056 wrote to memory of 3044	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	29
PID 3056 wrote to memory of 3044	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	29
PID 3056 wrote to memory of 3044	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	29
PID 3056 wrote to memory of 3044	3056	a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe	29
PID 3044 wrote to memory of 2632	3044	Logo1_.exe	30
PID 3044 wrote to memory of 2632	3044	Logo1_.exe	30
PID 3044 wrote to memory of 2632	3044	Logo1_.exe	30
PID 3044 wrote to memory of 2632	3044	Logo1_.exe	30
PID 2632 wrote to memory of 2732	2632	net.exe	33
PID 2632 wrote to memory of 2732	2632	net.exe	33
PID 2632 wrote to memory of 2732	2632	net.exe	33
PID 2632 wrote to memory of 2732	2632	net.exe	33
PID 2372 wrote to memory of 2460	2372	cmd.exe	34
PID 2372 wrote to memory of 2460	2372	cmd.exe	34
PID 2372 wrote to memory of 2460	2372	cmd.exe	34
PID 2372 wrote to memory of 2460	2372	cmd.exe	34
PID 3044 wrote to memory of 1064	3044	Logo1_.exe	18
PID 3044 wrote to memory of 1064	3044	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe
  "C:\Users\Admin\AppData\Local\Temp\a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a879.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe
      "C:\Users\Admin\AppData\Local\Temp\a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2460
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
68450d8378d4d3ae3f6e6643e4d6fccd

SHA1
f77cd0e32945d0bfda54b9660c9a257c752ca355

SHA256
b8fcef9b6d2ed0f3cbe722b56f145cfe38482c4d7294fbd4ca35f71fe3372db5

SHA512
f618950a57ca31731129be1b58f104c822a1704c369eb1cd1cb77c52d66b34c5d4ca9001250f2347c50a71c066e476adc219efc22bbc0c85bf96abb9d28e5ff4

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a879.bat

Filesize
721B

MD5
7987014a724787837c3a3f490311a267

SHA1
850d015ac54aa080ab25a7f892ae9687fbd7555c

SHA256
1c6c7c6968fe9a5d2191052dfc244cd645feb4aabfb78f25af1a1af136f0b48d

SHA512
5ac29156e34cb897b938a8c05c8fa36fa05c9afbb3cad3d7197a7eea578da1cf433325a6396ac5ba7a8df244000ef8ef9c1f5885938386abec60f9eb590b8a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7fde82080e401f7378d2c0f69f3abb498605412064c661826c964e3207602ea.exe.exe

Filesize
501KB

MD5
020f3b453cfb9f6279fb0f2cac0045fa

SHA1
732e27efbcd8542b94119cf39786b328cdb0bd25

SHA256
fc875d5ef4fccbb97b37ea4fe6cc5a291d02958af5c8efba37e0fdbd0b9e8c57

SHA512
ff188cac1dc476720670fa6ed3aae32ea7fffa44f26701733673e25e60faba0d98ee922c3bca25b1b01856df101a5d5d69561345ffc319efd01d70d703ca4f0a

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
aa28a1af77e8e4255d8e9e32c188b671

SHA1
f66e6ef87f2265e41bd1df64296ea2112867c901

SHA256
67f74a46b3d863897ae3b6686972e8d293e8e9b757cd88c22d3335c83bf09dda

SHA512
a2952bb68b687a8822e92e3ce8fd433b13b38dae28a6231685045f374f3f0f415209aa57964471ba16f1b5609abc9f104e7f879c5f51c3add709f6ae6543f4d7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
54b7af1605eeb1f5569c4b61bc719660

SHA1
36ae9b4051c72b86fc5bad5d175acf9e9ed12076

SHA256
9b92406bdee720b5f88c329b99690d3721c7f917aa57c3febac6efcb7e938a2b

SHA512
83b77ba22dde00916a9be4d1e12d9ff8584c6e53c192107edca49ac6608fc82718a7d902e4143c2968e92cf53853d5b7a94f8b6d6a7c5d29c4add5ea04ae1704

Download Submit
memory/1064-31-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/3044-696-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-3311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-2072-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-1851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/3056-21-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download