747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
Size

957KB
MD5

61faac4003ded5a5812e719de38bd630
SHA1

e2f6e58b171f3773d80769f8b6996fac1941d9b2
SHA256

747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1
SHA512

0628dad76a15ee1c01147836dd852728cc5c99fa88d46286f1191c9f35a5f4724ac5fedbecdd32d27f068104f7a211300e1b23fecafd834b5ca38dcc3855af46
SSDEEP

12288:ep7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:epEBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2236	Logo1_.exe
1680	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	cmd.exe
1884	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
File created	C:\Windows\Logo1_.exe	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe
2236	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1680	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
Token: 35	1680	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1884	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	28
PID 1968 wrote to memory of 1884	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	28
PID 1968 wrote to memory of 1884	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	28
PID 1968 wrote to memory of 1884	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	28
PID 1968 wrote to memory of 2236	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	30
PID 1968 wrote to memory of 2236	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	30
PID 1968 wrote to memory of 2236	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	30
PID 1968 wrote to memory of 2236	1968	747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe	30
PID 2236 wrote to memory of 2820	2236	Logo1_.exe	31
PID 2236 wrote to memory of 2820	2236	Logo1_.exe	31
PID 2236 wrote to memory of 2820	2236	Logo1_.exe	31
PID 2236 wrote to memory of 2820	2236	Logo1_.exe	31
PID 1884 wrote to memory of 1680	1884	cmd.exe	33
PID 1884 wrote to memory of 1680	1884	cmd.exe	33
PID 1884 wrote to memory of 1680	1884	cmd.exe	33
PID 1884 wrote to memory of 1680	1884	cmd.exe	33
PID 2820 wrote to memory of 1744	2820	net.exe	34
PID 2820 wrote to memory of 1744	2820	net.exe	34
PID 2820 wrote to memory of 1744	2820	net.exe	34
PID 2820 wrote to memory of 1744	2820	net.exe	34
PID 2236 wrote to memory of 1368	2236	Logo1_.exe	21
PID 2236 wrote to memory of 1368	2236	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
  "C:\Users\Admin\AppData\Local\Temp\747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA60F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe
      "C:\Users\Admin\AppData\Local\Temp\747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
b5c04d99eed307672a8deb8b7718a8aa

SHA1
9ce94d10b200241a594098c435d70dd3e6e89990

SHA256
08992cd838448e03e3ec818bd1ba776aef5b6f71ea4095d8ce504c3d02aa2de2

SHA512
a18954042f94b318fd04e86f7e4bf824d9fa5663515bca009baef55124937b8ed1c66a41e3afa76ad519058468daeb31555a14e339955cd81d68693547a80268

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA60F.bat

Filesize
722B

MD5
3899171c59778d7e530b9a6b0fbc8fb4

SHA1
c0ebaf555f28e642a00c0b6a6274731fd43761d4

SHA256
d21e6d7f5b64b3ab9b61ffd5f853400b04eb8ebf9843550535691673cba7716c

SHA512
9ee8f25adcf319754e079e83b7641708236df9039efcf88d7e4239e262a52063ecbce965737948e7020d2773ad2e34c89788da84c7b3b5ca389ff4bd5d39fcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\747fef3108122d57f102937ff809001ae2cfadbb16632340fce716d2399df8b1.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
b549a2d14ce574567c4fec243a27851c

SHA1
5822837482a62de07e8fd8ce12edd9d268512f28

SHA256
7bcd0400f099571362dc785b7497154974e1e8b79d455745fca8f68bc37327c7

SHA512
9458d2bafc896e4fa9be8b6a0144dd74eb5ffc34c1b883623b3985b5073893ccfd72e682a304b2f84f51675431fcbb7be7afa3eec30ed2bcf435c072b53fc9fe

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
95b3e5fe04e8423c49a7f69a5d13771f

SHA1
615b63fb8bf07dbb0565ffd492067309645064c9

SHA256
1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

SHA512
d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

Download Submit
memory/1368-30-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1968-17-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1968-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-1851-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-3311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download