a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe
Size

46KB
MD5

d79888321c499f6fad20f1ba544eb714
SHA1

a787eaa77b1efcbeacc90f55a93af29f05288e87
SHA256

a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642
SHA512

f7ff96ff102133529503403b9903ed5b17ef3d9384b29bc98d63491f8f52775b5ba53bfa133772494db5bd8924ab629b4ea78a9bf515a3897f81aa263ae5b41d
SSDEEP

768:if1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLxo2Uy3:iNfgLdQAQfcfymN9oLQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1456	Logo1_.exe
2556	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	cmd.exe
2036	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe
File created	C:\Windows\Logo1_.exe	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe
1456	Logo1_.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2036	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	28
PID 1356 wrote to memory of 2036	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	28
PID 1356 wrote to memory of 2036	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	28
PID 1356 wrote to memory of 2036	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	28
PID 1356 wrote to memory of 1456	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	30
PID 1356 wrote to memory of 1456	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	30
PID 1356 wrote to memory of 1456	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	30
PID 1356 wrote to memory of 1456	1356	a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe	30
PID 1456 wrote to memory of 2552	1456	Logo1_.exe	31
PID 1456 wrote to memory of 2552	1456	Logo1_.exe	31
PID 1456 wrote to memory of 2552	1456	Logo1_.exe	31
PID 1456 wrote to memory of 2552	1456	Logo1_.exe	31
PID 2036 wrote to memory of 2556	2036	cmd.exe	34
PID 2036 wrote to memory of 2556	2036	cmd.exe	34
PID 2036 wrote to memory of 2556	2036	cmd.exe	34
PID 2036 wrote to memory of 2556	2036	cmd.exe	34
PID 2552 wrote to memory of 2684	2552	net.exe	33
PID 2552 wrote to memory of 2684	2552	net.exe	33
PID 2552 wrote to memory of 2684	2552	net.exe	33
PID 2552 wrote to memory of 2684	2552	net.exe	33
PID 1456 wrote to memory of 1224	1456	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe
  "C:\Users\Admin\AppData\Local\Temp\a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3D8D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe
      "C:\Users\Admin\AppData\Local\Temp\a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe"
      4⤵
      Executes dropped EXE
      PID:2556
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a3D8D.bat

Filesize
722B

MD5
33f472bb3e90d4f148d9eeb44617b9e1

SHA1
46bb8b6fd248894d350012bbf7be2f597d943fe6

SHA256
49e0603dedd4a1a500aca0130fd287c5dff3d8377ef9e743dbf298e099315bf6

SHA512
3486e0be8576335ca9d20d163260efe2ea9b1256c68de13ab93f831ca38d7f12e87eb0cca8379e454a19001715c10b7645a0ef4d908deb76d62df90418df8c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8a432c552b1646d588f01468b802d6dd9a9e5a334f543dae836ff45d4a6c642.exe.exe

Filesize
20KB

MD5
b91da46b6689e4f6819a316ad95c7c9a

SHA1
2cf805f2e6cc5eb4c4d6a19ff9d4773fba18276c

SHA256
ee338be5228f2b2315b0d1501d66a2ee0090bde09d436136efa9d140e0563813

SHA512
17be2e125069307ddd1becfd9a4ea8770a8d14120c45acaf1d5acdad7a22b7918da28f968afd8d7fa5dba592582045b126576019180b9afa1553195369add112

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ce9f4110e0c82d4f4ac0d494757f026d

SHA1
b323a01f4f770d783f1264eb0abf98660d5a5c6f

SHA256
32da035c377527be4b1ad7191b3400f3a6c25ebaed2019ba8080f82d5199e5df

SHA512
8c0f4fc0e3f7f757aa2a67ffc9b9b0d44f0a29a66470c37e848cef08063dbc2cb5237149c0681757ae4965318687a701acd312d35699d9bd9a5441fd509686a4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1224-34-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1356-12-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1356-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-1866-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-1864-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-1181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-29-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-43-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-52-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-44-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-41-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-40-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-39-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-38-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-32-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2556-31-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-30-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download