1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 23:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
Size

957KB
MD5

39c429cd98ca9863321e64fb61feaa3f
SHA1

6d4d409f5426da36b1a4f9c47352939c782e16e7
SHA256

1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e
SHA512

e91b49e26c9cd52fc6ef277358480c280ce28b1ca5e3f5a111b70c179043a4a2565f8f85c87357867b4ca7ace32cc9ebb53218209e7130112357176c78a34e33
SSDEEP

12288:Bp7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BpEBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
888	Logo1_.exe
1040	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
File created	C:\Windows\Logo1_.exe	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe
888	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1040	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1040	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
Token: 35	1040	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2960	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	29
PID 1728 wrote to memory of 2960	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	29
PID 1728 wrote to memory of 2960	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	29
PID 1728 wrote to memory of 2960	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	29
PID 1728 wrote to memory of 888	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	30
PID 1728 wrote to memory of 888	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	30
PID 1728 wrote to memory of 888	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	30
PID 1728 wrote to memory of 888	1728	1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe	30
PID 888 wrote to memory of 2588	888	Logo1_.exe	32
PID 888 wrote to memory of 2588	888	Logo1_.exe	32
PID 888 wrote to memory of 2588	888	Logo1_.exe	32
PID 888 wrote to memory of 2588	888	Logo1_.exe	32
PID 2960 wrote to memory of 1040	2960	cmd.exe	35
PID 2960 wrote to memory of 1040	2960	cmd.exe	35
PID 2960 wrote to memory of 1040	2960	cmd.exe	35
PID 2960 wrote to memory of 1040	2960	cmd.exe	35
PID 2588 wrote to memory of 2676	2588	net.exe	34
PID 2588 wrote to memory of 2676	2588	net.exe	34
PID 2588 wrote to memory of 2676	2588	net.exe	34
PID 2588 wrote to memory of 2676	2588	net.exe	34
PID 888 wrote to memory of 1072	888	Logo1_.exe	18
PID 888 wrote to memory of 1072	888	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
  "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15E1.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
      "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1040
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
884491f20ab9c19ff6a85edc42b37fdd

SHA1
7da4e52b211caa947498bdfc2fcfe7b56ad7940f

SHA256
efc0f29730656326febece0fefe652573822eea84510d777fa8b83fc94b68e5b

SHA512
a985f98008efaa59e861e8f23d19720ebbff976b58be58f6b7276c3c2deba58d544a8517fd7601cb30ed8064006e1c6ae8e832171515db6cba9687af2437b474

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a15E1.bat

Filesize
722B

MD5
3a9ed24cdba3ab19a28a172740d78dc3

SHA1
f738cbd23693222943332f961a062661741c1de2

SHA256
5318abc15349393375778274ac9271a14c3e6b4a5626c8e3074cce72b529020f

SHA512
dc332a514f1bebfa993bbbd94377d267704457addbefb1e05c88bffb9b37959899c033e0a838fe07d8dcc0d293df1d0f8b313d06350d173b44cab613ecd3db4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\rundl132.exe

Filesize
27KB

MD5
a11c098e88fbd8e1071d87ba5b252080

SHA1
b9731f888d390d7e53a4e36ca91de322c74a624a

SHA256
ab5a703ea2abedf0285e3945bfb2d152daf3830070bcf23c6c8b0f76b7993e0f

SHA512
91903cdef6d361f7ee3015f82ab32798b080e0d418fba35f439ff9d3a245ce333953c1891c7cf0eb6172e62f503a5a54027802d40e943e6dc06ab310d44fc0ec

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
95b3e5fe04e8423c49a7f69a5d13771f

SHA1
615b63fb8bf07dbb0565ffd492067309645064c9

SHA256
1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

SHA512
d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

Download Submit
memory/888-1851-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-3311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-855-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-2868-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-30-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1728-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-12-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download