e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe
Size

500KB
MD5

0bff15f8a1347955c184e10f9290dd44
SHA1

27bfae1981db690ed7f1c78de12ca68f575f4625
SHA256

e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86
SHA512

673a282f555e546e0d6db970a522a8d1b7d1caecf56e88de81be85d466442a5c11d60d6dc62ce158552d367d68fe0bb753c777666739f772623f56b51c593f1e
SSDEEP

6144:0dVfjmN2IIIIxcvYgcFmWnp7wbEj51RYELb6L9uv1tIAul6p+AOy6PUhU0XlSb7o:E7+argZWppuEP6LcWl6p+og9Pk7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	Logo1_.exe
2004	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe
File created	C:\Windows\Logo1_.exe	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2508	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	28
PID 2348 wrote to memory of 2508	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	28
PID 2348 wrote to memory of 2508	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	28
PID 2348 wrote to memory of 2508	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	28
PID 2348 wrote to memory of 2504	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	29
PID 2348 wrote to memory of 2504	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	29
PID 2348 wrote to memory of 2504	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	29
PID 2348 wrote to memory of 2504	2348	e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe	29
PID 2504 wrote to memory of 2676	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2676	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2676	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2676	2504	Logo1_.exe	30
PID 2676 wrote to memory of 3028	2676	net.exe	33
PID 2676 wrote to memory of 3028	2676	net.exe	33
PID 2676 wrote to memory of 3028	2676	net.exe	33
PID 2676 wrote to memory of 3028	2676	net.exe	33
PID 2508 wrote to memory of 2004	2508	cmd.exe	34
PID 2508 wrote to memory of 2004	2508	cmd.exe	34
PID 2508 wrote to memory of 2004	2508	cmd.exe	34
PID 2508 wrote to memory of 2004	2508	cmd.exe	34
PID 2504 wrote to memory of 1112	2504	Logo1_.exe	20
PID 2504 wrote to memory of 1112	2504	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe
  "C:\Users\Admin\AppData\Local\Temp\e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a140D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe
      "C:\Users\Admin\AppData\Local\Temp\e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe"
      4⤵
      Executes dropped EXE
      PID:2004
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
cd747b331519ffcc6805e37da9d18557

SHA1
2f325060de25fd11643e65c5c2d4c270ea698213

SHA256
8ffc8a2d08b441ca06abd0ff43de7173627fd14851a4692abc05337f0705b138

SHA512
5914f3ae245c35bb2db544e1ebfc3ad13d0b8166115eb331cf673071e4f7f4a5048f9138545c9e795bf32ef22dcf3af002594b24d572e9fa8eff11e412b11873

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a140D.bat

Filesize
722B

MD5
98c0ee003e365cd7d8d3d135b36d87d6

SHA1
6cfdeec85edd4cf01f8eb706aa4eb8aa3cd162b1

SHA256
e7ccded862a8f200937f12eacf26ec2283cceb2b4e78a3ea3f87da582a38b2cc

SHA512
aab2420740372877a67eb54c8023a939a41f17575a309c6caeba2dd20165eeb0813c8a452f46b545878a6af74ea7b9162cc4d1d4aadc08c8dc0455ef3f818d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3017f3823b7481a248cab6a314442b5eddb52ef85cebbd1f77ab45b1bff7b86.exe.exe

Filesize
474KB

MD5
e94bc2ef44a3327f32d5f08c4060b3de

SHA1
4cb047fd70505684c79b43790175ee7ca377dd73

SHA256
be39dc92ccdab21ac3e3157b0be14c4c81539001feedd3132800551d5885f64d

SHA512
8fda0679fb13fcfe5b94056caa6319c757f569c956e7c1eda1cb4886d93691509a1831a1c29116eb0a7266797fb796d3c7ea71f9ce43d9051eaac21628fd6412

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
1db2d1075a960d9a5c56f4b822cb985a

SHA1
417113208e3467d81239a961ffd7bf3dd419a852

SHA256
d098a0b2b602f4b516a6311d99f33b2c18d410e8f3c126a023f540272474d790

SHA512
54215acd66a9ee27349f9c2fe23fd07703e887900c05bd91875681ff29b0ecc8627d4e17861f06290dd924c3c5672b22d3fd839103921d7363cfed649b8ee144

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1112-29-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/2348-39-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2348-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-2507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download