341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe
Size

84KB
MD5

643728a4f0251aa53eae065f3ba727f9
SHA1

0c2cad3f1694588662982b8fcb45885e3ce50713
SHA256

341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c
SHA512

fba3f94e7973f7d58fe4540f28b7254e9f4c36fc0dbb270baa6e0f4a561e24d7e8daa8cce73f7adbae95cc2b230050179be14c5ac8f87a6b9bf0553945070412
SSDEEP

1536:AfgLdQAQfcfymNsL4p5nkjXut+Mm6Q498gQwRFbBijuz9YCxrfZQIUk04Xf:AftffjmNsL4p5nkjXut+MtQ498gtRDrD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	Logo1_.exe
2516	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe
File created	C:\Windows\Logo1_.exe	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2508	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	28
PID 2700 wrote to memory of 2508	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	28
PID 2700 wrote to memory of 2508	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	28
PID 2700 wrote to memory of 2508	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	28
PID 2700 wrote to memory of 2544	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	30
PID 2700 wrote to memory of 2544	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	30
PID 2700 wrote to memory of 2544	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	30
PID 2700 wrote to memory of 2544	2700	341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe	30
PID 2544 wrote to memory of 2636	2544	Logo1_.exe	31
PID 2544 wrote to memory of 2636	2544	Logo1_.exe	31
PID 2544 wrote to memory of 2636	2544	Logo1_.exe	31
PID 2544 wrote to memory of 2636	2544	Logo1_.exe	31
PID 2508 wrote to memory of 2516	2508	cmd.exe	34
PID 2508 wrote to memory of 2516	2508	cmd.exe	34
PID 2508 wrote to memory of 2516	2508	cmd.exe	34
PID 2508 wrote to memory of 2516	2508	cmd.exe	34
PID 2636 wrote to memory of 2964	2636	net.exe	33
PID 2636 wrote to memory of 2964	2636	net.exe	33
PID 2636 wrote to memory of 2964	2636	net.exe	33
PID 2636 wrote to memory of 2964	2636	net.exe	33
PID 2544 wrote to memory of 1196	2544	Logo1_.exe	21
PID 2544 wrote to memory of 1196	2544	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe
  "C:\Users\Admin\AppData\Local\Temp\341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a25AA.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe
      "C:\Users\Admin\AppData\Local\Temp\341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe"
      4⤵
      Executes dropped EXE
      PID:2516
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
7bccc2687df85a1835e6bbcf1b5ebdd4

SHA1
1a925ae4a0c41080cd05c90996666142c6c02119

SHA256
feca718c189c33d8766c401d21b38e8eb079893a4a98b0384f43892918d11bde

SHA512
58d00e2e1d6d1c067f3dd7600f6e60efe543f431f537132bac83e35f09cf8f22d7c5db80f7ce8382714eb94cd3c7c5fd73374c03ce0a9bb62327a0cb77a2ec3a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a25AA.bat

Filesize
722B

MD5
9d2086ec7428d0cd0edb5fafceef7534

SHA1
c8557d35c1cf3b6d28f52c9e7b58719c6f533438

SHA256
e1d06c0f24db76ee696d2c5169df44788b25ffa463df41f4f2f4dfffbc583b55

SHA512
e38608d5598c66d2a9f9a8a29e131426607e9b2466d8cd260940547b5c1e56bea7c18f6554ade29ca565f8e874fd4cf2ef14b99a62e270bc5abfa022ae325a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\341e37a9516c9b21c4d353881dee71c15bb8372b427a5d514c2e1d4624744a5c.exe

Filesize
58KB

MD5
7cf88ab9caf907ad8343eb90aa543812

SHA1
64e7c7a02968d9c0e6978dae303877091753dcb0

SHA256
6ed4924969f26ab0cf8119c3a15579314213bc6bf634d2e369b6082d6faceb4b

SHA512
e544b214b2ac2c7fdcac41664b335f3bbdea0dcb5e01913cc8be326f9daecae8524727894819fb6cf45e311b1c91de93e695e3a26c70903d51afbaa43e0ed08c

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f131c8a61871d776a2bd93bd9c68f965

SHA1
85a2d2377f7b90bb4387dcbbae3ad0dec87f8ada

SHA256
0bfaec6d73d24f0736ee92b9deba61082f08cdba8482866361fbb57acae7c3d4

SHA512
087e9f83e8a9b3c050de6e8fa4989bf614f23a515710f151b84a15f1444e1352b8ef1d7e4e2ae3bcae98bf7281c8597ed85ec9ea84da27651304577a0b7d32d7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
9d515d16952bdb1cf51672ad091046bc

SHA1
5fe954c6d41499122182eb48cf6f9d203b9eae7c

SHA256
12ddf5d72be26a3f4fb46d905661e24bf30948454c9701f20e50436a238a25db

SHA512
d0f7522406355a837e55f5a99b6969ed4b0ccbc2e427b83a917eedffc37899b139c2b33ea73a90469a6045b3b71848bf97641528644a4a3f55d666223fa31d4b

Download Submit
memory/1196-33-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2516-28-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/2516-30-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2516-46-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2516-31-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2516-29-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-38-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-1857-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-3317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-12-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2700-18-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2700-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download