4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe
Size

48KB
MD5

618ce6572379d45e4178ec60654e62bf
SHA1

de6a49c5e3ef4c267c72cbeaaa540a9ed3cfc8f6
SHA256

4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f
SHA512

5bb5136e2060977ae1b5e86233927a8c361e73bf0e8e895bc40b782b6d3c5be90f96cb8ab44a767b957cc90456a1e1b509aaed123cb1c1b8603464cb377ac1de
SSDEEP

768:No1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL4AZR5wo/uDSw2MWKDGZAMxkEBJH:gfgLdQAQfcfymNxZRuhjWvx3H

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	Logo1_.exe
2420	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe

Loads dropped DLL 1 IoCs

pid	Process
2920	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe
File created	C:\Windows\Logo1_.exe	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2920	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	28
PID 2272 wrote to memory of 2920	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	28
PID 2272 wrote to memory of 2920	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	28
PID 2272 wrote to memory of 2920	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	28
PID 2272 wrote to memory of 2896	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	29
PID 2272 wrote to memory of 2896	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	29
PID 2272 wrote to memory of 2896	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	29
PID 2272 wrote to memory of 2896	2272	4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe	29
PID 2896 wrote to memory of 2592	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2592	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2592	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2592	2896	Logo1_.exe	30
PID 2592 wrote to memory of 2696	2592	net.exe	33
PID 2592 wrote to memory of 2696	2592	net.exe	33
PID 2592 wrote to memory of 2696	2592	net.exe	33
PID 2592 wrote to memory of 2696	2592	net.exe	33
PID 2920 wrote to memory of 2420	2920	cmd.exe	34
PID 2920 wrote to memory of 2420	2920	cmd.exe	34
PID 2920 wrote to memory of 2420	2920	cmd.exe	34
PID 2920 wrote to memory of 2420	2920	cmd.exe	34
PID 2896 wrote to memory of 1376	2896	Logo1_.exe	21
PID 2896 wrote to memory of 1376	2896	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe
  "C:\Users\Admin\AppData\Local\Temp\4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a53CB.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe
      "C:\Users\Admin\AppData\Local\Temp\4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe"
      4⤵
      Executes dropped EXE
      PID:2420
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
cc1433855d3007b8e23db2928fab3e8b

SHA1
b5bfab4aa8291161fb06da630817341d93cccd6a

SHA256
322e7846f65b2bf5b6a1df6d589c7a90d04407fa996fd1aa6af7f231f332356e

SHA512
6fc0f2b100380d8d8c3ace949c9804bdebef60353c803ed8b38b381c8533d598fc91f14cdfd24c30cc0a349e5549b9d34bc585758d6fcfa055242bb2c4d2b3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a53CB.bat

Filesize
722B

MD5
2671ba7bb2a86dbe50a65b7ffcb5b6b7

SHA1
667775d551faf9ed23d8cbaa1e66ba06c947fd52

SHA256
4f37c79322c9320c8c5a6aa3b895b9204ba60acf23ad32f698bcf657571842c2

SHA512
3b458ed370146d2c9e96dbba57a6e2b92f9e69d0101f4f5e11e4a3e2a98585a7fc1aa49390e31c3f8483c69edd9314bb74901d6bf1cd53db2124663628029c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fe060591a94e671aab07bbad83e1780e88d32e85cb66cb329e710961fbad08f.exe.exe

Filesize
22KB

MD5
9f05a1e47a07e807206c2e47c87be7c2

SHA1
31ce0f93e0592da8baf892db134836a9a6c3d69a

SHA256
cbe9c78b4211741f1f3613b0e4165ed7c1bf969a67e110bc41fe646b5bb1e997

SHA512
f8f319c20e9339967d87fe92514a0fc61f7dda83fd9ade906db633339ac171a57d6c1518b913790a238343c038646c1c14dd02d265676b816eac69f0a4cdd016

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
8c1c53a89dbd4ed410752c8373d31d4d

SHA1
fffbcec8de5833946ef316bd404bac3f431a8200

SHA256
80f1db329507dc01cc19447634fd21e12779dcdf37e32c9b6d0e35fc2ff80f82

SHA512
4b42cd180f301a85d667bd02114ef4e3440df85241061e405fe4c7a481a8e90d675392e4597e505e176acecd1046aef8c8bf831092f4ab8f0d38836488cf0af9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1376-29-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2272-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2272-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download