d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8

Analysis

max time kernel
159s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 17:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe
Size

136KB
MD5

16e115ed25248d44b556d48ddc3ec6a9
SHA1

ac809ac0aaaec7a1b9c7d263f416d4bed2ba7ce8
SHA256

d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8
SHA512

c641c31d43e0ce5edcecb4becec6b6a340d9000d1dcac3926255cff1128e84f02371e90e345fa1b2f27daad9269dc47807711869a9c51fe84d049cb62ac55886
SSDEEP

3072:qftffjmNUEcXdw/M+0vkLOj0udo5rzahM9:qVfjmN+6JOYuy5Hac

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2384	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	Logo1_.exe
2528	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe
File created	C:\Windows\Logo1_.exe	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe
2388	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2384	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	28
PID 2768 wrote to memory of 2384	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	28
PID 2768 wrote to memory of 2384	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	28
PID 2768 wrote to memory of 2384	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	28
PID 2768 wrote to memory of 2388	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	29
PID 2768 wrote to memory of 2388	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	29
PID 2768 wrote to memory of 2388	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	29
PID 2768 wrote to memory of 2388	2768	d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe	29
PID 2388 wrote to memory of 2644	2388	Logo1_.exe	30
PID 2388 wrote to memory of 2644	2388	Logo1_.exe	30
PID 2388 wrote to memory of 2644	2388	Logo1_.exe	30
PID 2388 wrote to memory of 2644	2388	Logo1_.exe	30
PID 2644 wrote to memory of 2276	2644	net.exe	33
PID 2644 wrote to memory of 2276	2644	net.exe	33
PID 2644 wrote to memory of 2276	2644	net.exe	33
PID 2644 wrote to memory of 2276	2644	net.exe	33
PID 2388 wrote to memory of 1232	2388	Logo1_.exe	21
PID 2388 wrote to memory of 1232	2388	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe
  "C:\Users\Admin\AppData\Local\Temp\d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA42B.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe
      "C:\Users\Admin\AppData\Local\Temp\d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe"
      4⤵
      Executes dropped EXE
      PID:2528
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
fd6f44e4d35ec0931c86649241affe60

SHA1
995851d93e2138e4cb281df82f1be5eb43b04939

SHA256
eab6dde23c060009c5901cc57d777dcecc377653488629ea297d1ddc26242fa2

SHA512
9e3f0b5f0cf04b744faf6c3bb6c1a479e5df30775da848c35a039b4979896148dc27c6f8d5991e9249e70dfa3606e5d9ac8656b7f0b36ea0cc185ae28102dc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA42B.bat

Filesize
722B

MD5
7169892408ea0d1932b48daff108f47f

SHA1
17e41f633017957eb3e3818bcc6fbb1bf0fa2de2

SHA256
e5e411432567d80a25fab3cba2bf00ad2e363e8acfced49342ec75f26eb773f6

SHA512
011c828a681974e60091f4b48e4f9462eca84a9e7e82b4a8a8a23ed79ca5059fe633316e22a53d7aa7e245d2223c00d7d67494c253fa944e117236e41e8efadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d718eb0687e73c66315de1d69ddcd0ed84d132f8dfa71ede1abf5cc0d09d14a8.exe.exe

Filesize
110KB

MD5
269f0a767c1d8ac7480795a94e0e2b79

SHA1
041006a33fff863a72f46b6637abbf05f81bbac1

SHA256
17772f59c1f0a0b5c6131c64e68efed8eaf99cba9c2b8b39133ae5481bb90395

SHA512
546554125e278c6c1ba931811526bfeac286d6bc2374b56b31140f82f47c309a5bfb938f747693334712b3f241ed98e79184a103440e78ef89efff7efac8df31

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
88815581c4f3a29e86b20cc64958ad6b

SHA1
609bee0d923ce95ad593cd3e93102d99cf799189

SHA256
6b8d6e9d746565f48680b3d6b5a06759d0ae3d8cf57b3791e6dbdb1f24d07bf9

SHA512
16b69c9be1ea2d13a63f11f34dae1bf761f7f035cb5f1c8211ee16f522c08b0ba2bc9856dfab22bfcb5cb7ae6682ed94253c65e281951581d59d6ac9fd987f38

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1232-29-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2388-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-1855-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2768-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download