e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
Size

959KB
MD5

cd8ba49dd982cd592962fea74c851e04
SHA1

3e966cbee45d91c52adcb88d98bd6000aba045a2
SHA256

e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b
SHA512

dd2fcca0de9649f5b8aba654baf2114e08be2e1173fd5cbc38ba9ad7ac5d08ce3afa9c386e1cfaccf8484403f79d84cc0640e4bce6f5d2b3203cc1db918d8e49
SSDEEP

12288:0RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:ZBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2616	Logo1_.exe
2812	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
File created	C:\Windows\Logo1_.exe	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2812	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
Token: 35	2812	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2496	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	28
PID 2176 wrote to memory of 2496	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	28
PID 2176 wrote to memory of 2496	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	28
PID 2176 wrote to memory of 2496	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	28
PID 2176 wrote to memory of 2616	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	30
PID 2176 wrote to memory of 2616	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	30
PID 2176 wrote to memory of 2616	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	30
PID 2176 wrote to memory of 2616	2176	e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe	30
PID 2616 wrote to memory of 2492	2616	Logo1_.exe	31
PID 2616 wrote to memory of 2492	2616	Logo1_.exe	31
PID 2616 wrote to memory of 2492	2616	Logo1_.exe	31
PID 2616 wrote to memory of 2492	2616	Logo1_.exe	31
PID 2496 wrote to memory of 2812	2496	cmd.exe	33
PID 2496 wrote to memory of 2812	2496	cmd.exe	33
PID 2496 wrote to memory of 2812	2496	cmd.exe	33
PID 2496 wrote to memory of 2812	2496	cmd.exe	33
PID 2492 wrote to memory of 2256	2492	net.exe	34
PID 2492 wrote to memory of 2256	2492	net.exe	34
PID 2492 wrote to memory of 2256	2492	net.exe	34
PID 2492 wrote to memory of 2256	2492	net.exe	34
PID 2616 wrote to memory of 1360	2616	Logo1_.exe	21
PID 2616 wrote to memory of 1360	2616	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
  "C:\Users\Admin\AppData\Local\Temp\e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4C4C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe
      "C:\Users\Admin\AppData\Local\Temp\e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2812
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
a7b27a17fac283c53acdcab0cc48a5fa

SHA1
95b4cdb62c61eec7ea5f57cc1ad70469ceb5764f

SHA256
892f194ccf74098c117ed206fb83921cb19810383c5ef8c5af78d590648422de

SHA512
b7bdca8417c815e066fe451e272d55f3200abf4aa8dce8c62a7905b963862c9b88eaa9c6f17070f249d678082c7127c1b61e5e9de7c0a628dbb7172072957eab

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e85807cbaf1c00d5c04e60d82117ed94

SHA1
2e586d30d725be909a6f4de38b582fc0bfe57c01

SHA256
eb0caf5692f857aadb09867f6526b1dd6f02c9980ccb8d7d58e09342c87fdda9

SHA512
af0d2fce26f6ddbf90d3a3359a9ac6740e4d9c830d65137914c3b85f68f9ae390f4454c90ed8fc5210a3c7ac45690d50690379996b5befa61a5853f93d041495

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4C4C.bat

Filesize
722B

MD5
50c9331f64c91848dadf7bb72efd6501

SHA1
46efec1b8f8f74eb02699e5387c40c8ed61c71b9

SHA256
be560c6ea3f47d1ab9f451d399a95c58f7eac6973fd9910666b8bf2a4954ca16

SHA512
d6d11fda43939b678452c280da1a3683240a48d04a0cef8dfecc29cf87c63c6264508524bd977cd0839af6b59a4583124d5039d918b6ba88df8fdf9e962b49dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2e98fcd909b8fb4253d7f6d378ce0f2ac39487d37a0a22acb450cf601f9393b.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
a8a13c8d7055a5a3cbc4682927cf64a4

SHA1
cac4936e99f3a78f63b59e8e7d6760146676fbd2

SHA256
064686b5d3f26aa24e64603ec1366fb604e260f831e946c0848283611012f058

SHA512
6b8f8d7cc0c3e1412d00aaa8d13b8ada8846dba4682afc78137d532395726c4c88c211fa1197b27b8d6e7d194274c72e9c30471b89f4894aec41ce00d65e020c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1360-30-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2176-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-15-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2176-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download