Analysis
max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
18-04-2024 03:46
Static task
static1
Behavioral task
behavioral1
Sample
c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
Resource
win10v2004-20240412-en
General
Target
c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
Size
1.3MB
MD5
26f01492112c759dd4685bba8b5c4339
SHA1
57492402848a85ccc398970cf98da91a85f4789a
SHA256
c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f
SHA512
5bfc97f37ab50816b926591660e955810c161bb99d0ef4626238510951f81c9d466a171f42d9dd93fe212c08638f94dc26e9e828a2851cef2bc7b5ff83100f9e
SSDEEP
24576:a7fEzYGzY3+GdRBuj8k2xGxFYrkcUHcRC8jviDS0:a7MjY3+G1m2YxFYri8jviDN
Malware Config
Signatures
Deletes itself 1 IoCs
pid | Process
2212 | cmd.exe

Executes dropped EXE 3 IoCs
pid | Process
1300 | Logo1_.exe
2832 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
1204 | Explorer.EXE

Loads dropped DLL 1 IoCs
pid | Process
2212 | cmd.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini | Logo1_.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Mozilla Firefox\defaults\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Mail\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini | Logo1_.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
File created | C:\Windows\Logo1_.exe | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
File opened for modification | C:\Windows\UNINSTAL.tmp | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
2832 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
2832 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
1300 | Logo1_.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2832 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 1096 wrote to memory of 2212 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 28
PID 1096 wrote to memory of 2212 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 28
PID 1096 wrote to memory of 2212 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 28
PID 1096 wrote to memory of 2212 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 28
PID 1096 wrote to memory of 1300 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 29
PID 1096 wrote to memory of 1300 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 29
PID 1096 wrote to memory of 1300 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 29
PID 1096 wrote to memory of 1300 | 1096 | c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe | 29
PID 1300 wrote to memory of 2988 | 1300 | Logo1_.exe | 30
PID 1300 wrote to memory of 2988 | 1300 | Logo1_.exe | 30
PID 1300 wrote to memory of 2988 | 1300 | Logo1_.exe | 30
PID 1300 wrote to memory of 2988 | 1300 | Logo1_.exe | 30
PID 2988 wrote to memory of 2636 | 2988 | net.exe | 33
PID 2988 wrote to memory of 2636 | 2988 | net.exe | 33
PID 2988 wrote to memory of 2636 | 2988 | net.exe | 33
PID 2988 wrote to memory of 2636 | 2988 | net.exe | 33
PID 2212 wrote to memory of 2832 | 2212 | cmd.exe | 34
PID 2212 wrote to memory of 2832 | 2212 | cmd.exe | 34
PID 2212 wrote to memory of 2832 | 2212 | cmd.exe | 34
PID 2212 wrote to memory of 2832 | 2212 | cmd.exe | 34
PID 1300 wrote to memory of 1204 | 1300 | Logo1_.exe | 21
PID 1300 wrote to memory of 1204 | 1300 | Logo1_.exe | 21
Processes

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Executes dropped EXE
PID: 1204

    C:\Users\Admin\AppData\Local\Temp\c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1096

        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a231A.bat
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2212

            C:\Users\Admin\AppData\Local\Temp\c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe"
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            PID: 2832

        C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1300

            C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            PID: 2988

                C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
251KB
MD5
548ddcade423bdb543717d8073ac88d5
SHA1
0210f769b1b16ae5e569e65e20fafbd12f2d0e04
SHA256
052524488f71bf143183bbf817657f609e226b2830071e8dea7fcede4c0ec052
SHA512
8576336e7eb0b1132dc5c4eef772ba5f9b57844173f17d9c5cf1fbb09afa443313a1675fcd03e028c592ecc59d0f52ea44529c58f721ccfc2bc958ae292bb0b0

Filesize
471KB
MD5
99ea9b604a7a734d3087fa6159684c42
SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8
SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Filesize
722B
MD5
929131825f29f65c55683a546ff53219
SHA1
c38f69c94c003e03ed2f39e315e996f47e850a2a
SHA256
88c32ca5ae151ad8ebb5b4a0acbfe6efc7896c8e21ad2050fd1e67aa3e27aa25
SHA512
36bf3bd10d8d1b6958bd934d9d173c172ccb5d884adeeabc8b06d115e9fc5300b26de37230f5135f5fefd340aea305a70a367ac51904aea2b623af106128592e

C:\Users\Admin\AppData\Local\Temp\c7a69705350f35a0ad3b43a891c36ac60d91a30d8a762c0a6962e7dfe3a1ed8f.exe.exe
Filesize
1.2MB
MD5
f0cdc40ab2003d0e90c5d65970ff2e01
SHA1
a8cd88192f07136a6d55953883db282e712e9e08
SHA256
e7f2bae55bcd25d60aa46a40ac5f7e748f603374e17db95b52d00e61486f07ce
SHA512
88a3213870b11b2b4f11724785cfd5f7d0f6d449b32fdef59e447bc586941cd632bf34ee1ef4c851274875ec7cf017c19140a25e71385beeca4f3ce5f1752a4c

Filesize
26KB
MD5
bf432bacde0b936f7fd20c466ec0bfc9
SHA1
aff70b2cb9c409e3b63e7fc33f132441edad86db
SHA256
5d2e80c8e42ad3cf43ca754fb4597753ec8d80fc7d027e11f43536dd2f88d39e
SHA512
c134428f8da55038acf63eaae12357060574e2f062befc57c6a69c6833ab10a4eb08c6f36cd6433de1538f2b5b09ef8bb74acb8235856a5aac024914165c1a1a

Filesize
9B
MD5
72b7e38c6ba037d117f32b55c07b1a9c
SHA1
35e2435e512e17ca2be885e17d75913f06b90361
SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6
SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a