4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
Size

814KB
MD5

66a6442417f217ae3eebe44e29c40ed9
SHA1

050d7f28f6dc608678b865a5bd5ec26322f3441e
SHA256

4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf
SHA512

1062e88b01a7178c0f0a42039519f6ff297329a7f50ef14608cf45ea2c07b8c656f7bb3bc3592f7540bb930ca62d96234d1154198dd588c2a378b03d2bc9901e
SSDEEP

12288:a7+nYA2vr6ogEjVurCRmCVd5s+kZJioNI2bOMj+PxkzPAKlaubaGDokSgI:a7+A6ogSVuIvsnXNI2WePqGggI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	Logo1_.exe
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe

Loads dropped DLL 4 IoCs

pid	Process
1940	cmd.exe
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
File created	C:\Windows\Logo1_.exe	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe
3068	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
2620	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1940	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	28
PID 2492 wrote to memory of 1940	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	28
PID 2492 wrote to memory of 1940	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	28
PID 2492 wrote to memory of 1940	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	28
PID 2492 wrote to memory of 3068	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	29
PID 2492 wrote to memory of 3068	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	29
PID 2492 wrote to memory of 3068	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	29
PID 2492 wrote to memory of 3068	2492	4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe	29
PID 3068 wrote to memory of 2668	3068	Logo1_.exe	30
PID 3068 wrote to memory of 2668	3068	Logo1_.exe	30
PID 3068 wrote to memory of 2668	3068	Logo1_.exe	30
PID 3068 wrote to memory of 2668	3068	Logo1_.exe	30
PID 2668 wrote to memory of 2612	2668	net.exe	33
PID 2668 wrote to memory of 2612	2668	net.exe	33
PID 2668 wrote to memory of 2612	2668	net.exe	33
PID 2668 wrote to memory of 2612	2668	net.exe	33
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 1940 wrote to memory of 2620	1940	cmd.exe	34
PID 3068 wrote to memory of 1232	3068	Logo1_.exe	21
PID 3068 wrote to memory of 1232	3068	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
  "C:\Users\Admin\AppData\Local\Temp\4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4B72.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe
      "C:\Users\Admin\AppData\Local\Temp\4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2620
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
bdd3464aea49ca900fe8117b64ff47d0

SHA1
f308a3758df2390222a82402fdcb9a92afbc25e0

SHA256
56d832ecc3aa469e861c02e1dbaf698a2bfcf08d6ba372af77b825b859a05495

SHA512
331ad7ed17c2a434a15d7b21fdc952b48727bfe88d376022561a8c7cc7c00abcfe74cdae7c49849b4d59d5d117098bce77afda1d11ebb9f96fffe3c58ac9cb45

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4B72.bat

Filesize
722B

MD5
26132da741d95642f3ff02137b76fc05

SHA1
b8cc173416460e7c32d48b6741a7dbb41a14539e

SHA256
b53ddb7ba7a852cd94a4fbb96387c175486c801d3082ed01cf2f711d2f08ef2a

SHA512
848116915448275ee93efd616c30d2e49766ec638b13e011543457a25377856bbeeeb593d1b2d76ba39f2833db971a8b90e0a41c874cfa81c7000b7ecdf34bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c7604d103bf2da6be5288d4a940802c1b4f8a60c93934bdf800651b731d7dcf.exe.exe

Filesize
788KB

MD5
d510e2bbed59214a60e755221d8e5262

SHA1
c8af27386d7ad43567ca6097c5fc1d8a106f3dcb

SHA256
2b752d76bbdf4de23bb221c03eeb876daf67e830301a9f454ae8aa001c0e4886

SHA512
8044df681026c7008014080a182bea6e10a262704d151fdfcdeef1d898bef9f92fc85fa3a0b3fe73a0846e4fb557dda38924231a1f07820819874032275fa8e5

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
76bcbed55652b3673a38e8b5485a26dd

SHA1
ae6bccae0a0d85b7570e41662e28a2b142446bfd

SHA256
ac8d64d73b8c1cb938d670e19d94f4c4d2cf911c1a635889a7e97a3e3e20f846

SHA512
82ab92503cbd7bec2dabff7048de82d6fab409d3d776d47c2c02ac5d6550bb27bdc3e056ca27e72bb05bf771bf6cf61dbdba0853b12c769990179872f8aad0d1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\_desktop.ini

Filesize
8B

MD5
255ecbb979663d12268a33c84c9dfaa7

SHA1
2e6e12d7d5e150454cb1829bef149ace5beb4065

SHA256
e931c8478dba7bd588b93658c3f40e87042ec4c7b5574e46b12abb47c4c4abd0

SHA512
401e2494bceea2883742a8fcbe31689a6327e5c408b6c8dc4650c91143192a98dad7d133486a48928de3e582ae7333d1247c1ee2646ddc66f04b3d751350225d

Download Submit
memory/1232-32-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2492-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2492-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download