99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
Size

573KB
MD5

e1eae81482621cdac8824ba25efae29d
SHA1

52689e758a44b270421e4cc4b2793828a1780fb7
SHA256

99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f
SHA512

fe747b72628a8e13914b96b4bc2cba608c16661ec71e23b06d18b48af438872e5753f9fce65113d4da7cb73beabb86ce0aa0cf28472d151365b1cbd20aacd789
SSDEEP

6144:ruJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:t7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2060	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	Logo1_.exe
2524	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
File created	C:\Windows\Logo1_.exe	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe
1972	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2060	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	28
PID 1252 wrote to memory of 2060	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	28
PID 1252 wrote to memory of 2060	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	28
PID 1252 wrote to memory of 2060	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	28
PID 1252 wrote to memory of 1972	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	29
PID 1252 wrote to memory of 1972	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	29
PID 1252 wrote to memory of 1972	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	29
PID 1252 wrote to memory of 1972	1252	99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe	29
PID 1972 wrote to memory of 2860	1972	Logo1_.exe	31
PID 1972 wrote to memory of 2860	1972	Logo1_.exe	31
PID 1972 wrote to memory of 2860	1972	Logo1_.exe	31
PID 1972 wrote to memory of 2860	1972	Logo1_.exe	31
PID 2060 wrote to memory of 2524	2060	cmd.exe	33
PID 2060 wrote to memory of 2524	2060	cmd.exe	33
PID 2060 wrote to memory of 2524	2060	cmd.exe	33
PID 2060 wrote to memory of 2524	2060	cmd.exe	33
PID 2860 wrote to memory of 2584	2860	net.exe	34
PID 2860 wrote to memory of 2584	2860	net.exe	34
PID 2860 wrote to memory of 2584	2860	net.exe	34
PID 2860 wrote to memory of 2584	2860	net.exe	34
PID 1972 wrote to memory of 1392	1972	Logo1_.exe	21
PID 1972 wrote to memory of 1392	1972	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
  "C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a72DF.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe
      "C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe"
      4⤵
      Executes dropped EXE
      PID:2524
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
a036bc46b8f17b2af3637b788423d6b3

SHA1
f1ffdfb2ecf8ef1bfddcf0a2a42ac62c234bbf87

SHA256
bc659808d3143ea5818d3939662cc861ebc1b7d58c3dc08705017af49a700b1e

SHA512
b72703148c657255dc4f10b8b101f19385f0b487a503408b79d91bd1ace979e8374c938bf7d5bd590b1ef277b02837701252792b8b92917640591f27199aefe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a72DF.bat

Filesize
722B

MD5
50a111bfb5dc6e178b8177fa9ac54ba9

SHA1
ddfcbb793c0ff7594005e8e3d297ebc6512c3ddb

SHA256
ce07112ca19b4611ec3b1ef5f1871d37b934e9681a52dc712d48bcc824337293

SHA512
bda330c3d3ab53df6861fca6004232a36d215f2ddb5d0ae8b7c71932e7f2517d8967281b198f33f34a79f6f0176fe792ac3cdb02e4fe6a5511eb944c26ef02ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\99f2db0db26146f097c0c811ebcc275dc0682642cc75abe86f8fc6455b9aa36f.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
3779b7c17bd509ec3a5074fe2d4b29d1

SHA1
03ad48fea32d38ae5b61e125aece75b5eb4e564d

SHA256
6e33fc0dcbafb1c8b0f74ba3d95f64c1240c4a6ebb3e93888c6324b81a722453

SHA512
28a8fa23da21f7a77aaecb5dcb1ad0cce08d1118ef8644276ff258c583d0ab102ec861f1fe623b856e36e65d04db3dfb7db3973b2e1b56eff136b965da26aead

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1252-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-17-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1252-12-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1392-30-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1972-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1972-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download