d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe
Size

326KB
MD5

4ecbc7d829651586a8c83450a14b1ee3
SHA1

d34347487b01eba6f4f13651bd94d5ae2ae43fa1
SHA256

d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f
SHA512

ad8131e7d61d52ad381afff9e3fd1ef3f34ef42a17501ea3660e307447fb162a45971cec20ad8d7bca0ebac2c8cec76de5b1a31c072022851ebfc111bb428865
SSDEEP

6144:YVfjmNDZ6v5Ss3aXXDRfivkuIETBXbD4IbEMMcDN7Y7tcqGn63oFl:C7+xtXzRf2GETNbD461Mcp7YJhGnZFl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2920	Logo1_.exe
2824	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe
2920	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2404	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	28
PID 2912 wrote to memory of 2404	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	28
PID 2912 wrote to memory of 2404	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	28
PID 2912 wrote to memory of 2404	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	28
PID 2912 wrote to memory of 2920	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	29
PID 2912 wrote to memory of 2920	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	29
PID 2912 wrote to memory of 2920	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	29
PID 2912 wrote to memory of 2920	2912	d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe	29
PID 2920 wrote to memory of 2968	2920	Logo1_.exe	30
PID 2920 wrote to memory of 2968	2920	Logo1_.exe	30
PID 2920 wrote to memory of 2968	2920	Logo1_.exe	30
PID 2920 wrote to memory of 2968	2920	Logo1_.exe	30
PID 2968 wrote to memory of 2684	2968	net.exe	33
PID 2968 wrote to memory of 2684	2968	net.exe	33
PID 2968 wrote to memory of 2684	2968	net.exe	33
PID 2968 wrote to memory of 2684	2968	net.exe	33
PID 2404 wrote to memory of 2824	2404	cmd.exe	34
PID 2404 wrote to memory of 2824	2404	cmd.exe	34
PID 2404 wrote to memory of 2824	2404	cmd.exe	34
PID 2404 wrote to memory of 2824	2404	cmd.exe	34
PID 2920 wrote to memory of 1240	2920	Logo1_.exe	21
PID 2920 wrote to memory of 1240	2920	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe
  "C:\Users\Admin\AppData\Local\Temp\d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a36C9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe
      "C:\Users\Admin\AppData\Local\Temp\d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe"
      4⤵
      Executes dropped EXE
      PID:2824
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
b00440d6bd7b7056c3aed427243db648

SHA1
7f050fe9842b51432dc9dd8c6c6fd0bdc7e01d22

SHA256
4482a95202b4fdf65ff0eb2393263c0a279beb3b2daadfe5e5587d68d0d13531

SHA512
0faad1642e0074df2d6d19b36fdbd248bea2b34e770eaccc580ae69cdc39c1c6eb910966d0560225825ecc9d0fe482becb2266772c71d3f95c40967713031c07

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a36C9.bat

Filesize
722B

MD5
63ac607d955d6e8266aa3e10e9b352d2

SHA1
cd82bc886b4222ee056febc130ed5cc9fdbe1781

SHA256
d88100c679e725409574ad14e2932dbde1c50e552729001782b41fd5c651dd7a

SHA512
9634b79250f215902c61c3e57bbb5e13811aa32b6d685c8c8bff2e2ec3b40633609f4b1652d181d934a19c1b1ccd7a1e506feb2e2ee8440ef2b76393fb91d95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8991767fbdd012e67ff0fb97f0aa62cc8aa6993a3eb532061c39b742861891f.exe.exe

Filesize
300KB

MD5
9b2a965815c5d8bdd6fd11233a76dfa5

SHA1
ee9660c990108e467b420384b513825f00cbebb9

SHA256
da65b87e6ca3899cb9fc08bec37197d407f476b6aa788d789e9c633e6e702097

SHA512
93d25c05d145f2ec11add5996edf78423f122b6693b3a25bf4512dfeca6aaa66196d3fcef24e0ce4b50e4d8f869014c8178429055665c1969df21b0aace36df6

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
46e5336e3ad9242352c0c3d72b6efb6d

SHA1
d825c1883bafe2ac98918da291276dadd1a2f41f

SHA256
1acd6390b27823123eb5e7e86dbf654aed0cb37362c1e72dc768fa404aa628d3

SHA512
df93feae99900e6876df0b6e8cccf798ecbcb88267f76b3d4a9626c7ce400bcfc86b7d2838747087b7860f2eb254464f177be2e7386f4176cdf0f9e40e01c0a4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\_desktop.ini

Filesize
9B

MD5
2be02af4dacf3254e321ffba77f0b1c6

SHA1
d8349307ec08d45f2db9c9735bde8f13e27a551d

SHA256
766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16

SHA512
57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

Download Submit
memory/1240-29-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-15-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2912-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-1865-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-3325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download