e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
Size

713KB
MD5

1a1764e17aca9df53ce80d01b3aa5d66
SHA1

59f1bc588a219a3fe6c58a7eaf00d4e97d923d24
SHA256

e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b
SHA512

4e7156e38868212b776bf1d1b734b13390809aa49f123e41f24948cb98968d13625bbe343145dcd553a343091c2bee0243df8771327231ebb7b63d748161c8db
SSDEEP

12288:FfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:dLOS2opPIXV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
380	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3000	Logo1_.exe
2708	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
1132	Explorer.EXE

Loads dropped DLL 3 IoCs

pid	Process
380	cmd.exe
380	cmd.exe
1132	Explorer.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
File created	C:\Windows\Logo1_.exe	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe
3000	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 380	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	28
PID 2484 wrote to memory of 380	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	28
PID 2484 wrote to memory of 380	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	28
PID 2484 wrote to memory of 380	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	28
PID 2484 wrote to memory of 3000	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	29
PID 2484 wrote to memory of 3000	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	29
PID 2484 wrote to memory of 3000	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	29
PID 2484 wrote to memory of 3000	2484	e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe	29
PID 3000 wrote to memory of 2624	3000	Logo1_.exe	30
PID 3000 wrote to memory of 2624	3000	Logo1_.exe	30
PID 3000 wrote to memory of 2624	3000	Logo1_.exe	30
PID 3000 wrote to memory of 2624	3000	Logo1_.exe	30
PID 2624 wrote to memory of 2528	2624	net.exe	33
PID 2624 wrote to memory of 2528	2624	net.exe	33
PID 2624 wrote to memory of 2528	2624	net.exe	33
PID 2624 wrote to memory of 2528	2624	net.exe	33
PID 380 wrote to memory of 2708	380	cmd.exe	34
PID 380 wrote to memory of 2708	380	cmd.exe	34
PID 380 wrote to memory of 2708	380	cmd.exe	34
PID 380 wrote to memory of 2708	380	cmd.exe	34
PID 3000 wrote to memory of 1132	3000	Logo1_.exe	20
PID 3000 wrote to memory of 1132	3000	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132
- C:\Users\Admin\AppData\Local\Temp\e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
  "C:\Users\Admin\AppData\Local\Temp\e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a19A8.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe
      "C:\Users\Admin\AppData\Local\Temp\e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe"
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
482ad9c90eeec412920a41685f952240

SHA1
fcda964ca1368d8056aefc4ba8c0b453d56e46d8

SHA256
5dac6f75d81d27d156a8b629ec95d0821f2ed9a8b4b0b1aa213f3c4161d2eb10

SHA512
17d179602a87f526873e0a4b2594b9b23bdd2aed60ecc1c51c3d7dad1f31d09a4b645916a16135e26eb2792ad0b08be87c373ada3f5039c4972e8cd97116aa27

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a19A8.bat

Filesize
722B

MD5
153dc221a260d542f163b450b60d6403

SHA1
e7e87a5f87208a22f7517f1d5513447a984baeb2

SHA256
e68190729b1c6ce8aea380c3921d811fae7eac8b2ecbe3f6c333195b3e3085cf

SHA512
38ee96a83693df75cfa70e52f3c2e6fd91cf6660ec50b9af3314b10ac9c0ecf97b884eee2f4e34867f471426d88ce118371b47b50aada28082884390e9ad6247

Download Submit
C:\Users\Admin\AppData\Local\Temp\e32d4ef69676904520f91f05a8536555c5361ca45347b20bdfc981b2dc00646b.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
8654bf4072502f2293cd4dcd31d0a1c9

SHA1
bfe53a00c4945021b183626dacb9a0ca4ac20169

SHA256
09285a30850d9bf13b421f8643aa95891ba8c20e4d59e668aabf84569f31eebd

SHA512
1f00dac7251b77e2c3c930231cbf257615f0634935ae95a8ea967e34dd4daf1b4972fe186f9013165075e64b84725767b1f50e5be52e6f2426b829589bbf653d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
8B

MD5
5f100629144d81dc74c26a0981eb2a00

SHA1
712df1d52fbbd6d84660a9e0c2d53e2b9568bcb8

SHA256
f669f4c43954e911517da8935526966d527e04c88f50563d928ddfc21897d5f5

SHA512
c0ed3cb7eba4e7a0195c0ca982f9d2903a2173375b0c2fd23286d9366dd3b097207564b1c1d26fdc7b86ab30345e9cf5909b7b3ceb1a73ebd70c5d1446a824ef

Download Submit
memory/1132-32-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2484-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-12-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/3000-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-718-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-1852-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-2342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-3312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download