6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
Size

315KB
MD5

513a025c239038d94d50854d525d086c
SHA1

c7a4589d37201e88b4aed295320ec3792c5c473d
SHA256

6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea
SHA512

21d53f9ca079055c2876247acb3d9ac1c359e5f01af6a6c69d84c6af75a82d46afe121b70c704ed2078509e8b2a164c76a0105408be5c0a61df1216709d739c0
SSDEEP

6144:MVfgPddVk7HWWxfjAzodx1VY8zGb5lUFpohHF1Lncn:OYrVk7HWcfjAzodxPl6lUFpoF3nk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	Logo1_.exe
2604	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe

Loads dropped DLL 1 IoCs

pid	Process
2912	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
File created	C:\Windows\Logo1_.exe	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe
2796	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	2604	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
Token: SeDebugPrivilege	2604	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2912	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	28
PID 1228 wrote to memory of 2912	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	28
PID 1228 wrote to memory of 2912	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	28
PID 1228 wrote to memory of 2912	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	28
PID 1228 wrote to memory of 2796	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	29
PID 1228 wrote to memory of 2796	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	29
PID 1228 wrote to memory of 2796	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	29
PID 1228 wrote to memory of 2796	1228	6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe	29
PID 2796 wrote to memory of 2276	2796	Logo1_.exe	30
PID 2796 wrote to memory of 2276	2796	Logo1_.exe	30
PID 2796 wrote to memory of 2276	2796	Logo1_.exe	30
PID 2796 wrote to memory of 2276	2796	Logo1_.exe	30
PID 2276 wrote to memory of 2716	2276	net.exe	33
PID 2276 wrote to memory of 2716	2276	net.exe	33
PID 2276 wrote to memory of 2716	2276	net.exe	33
PID 2276 wrote to memory of 2716	2276	net.exe	33
PID 2912 wrote to memory of 2604	2912	cmd.exe	34
PID 2912 wrote to memory of 2604	2912	cmd.exe	34
PID 2912 wrote to memory of 2604	2912	cmd.exe	34
PID 2912 wrote to memory of 2604	2912	cmd.exe	34
PID 2796 wrote to memory of 1204	2796	Logo1_.exe	21
PID 2796 wrote to memory of 1204	2796	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
  "C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1056.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe
      "C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2604
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
8ce669e0c5c16e39c632994123c0b7ab

SHA1
5edcc020a13794046f13bfe895d38fc14851a913

SHA256
4dd26f92c626b4b76622575336966f31d944aee9a848de1599072656a176a3ae

SHA512
b28a4bca6c759c4fdec69753e7113781d3f025e4b1697ab6a2e1705f40921b35ffe42fd2f858f809c0159789d0884fa416732ced303e5249e617d927f8b8df0d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
1a0dbecba0dbb963c2f3b0448796d47a

SHA1
5c0b5d378d3614fe984ce2915b5720886992da0c

SHA256
1ea2fb84177a921bc3df4763c3da53a970e192f93f6175d09696ded019e50cf8

SHA512
8e25dc08fa6f280a6bc1ccacb1ce665ab055b5d539f8915915fc7536c90185a221cb0c50a02d34b521b871b8487a155b9c40a5f25df87306e1df24ca7e96da25

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1056.bat

Filesize
722B

MD5
b1f9ebd21e0ce566c268da61f5412f4a

SHA1
4af49cc527977e0e30bf3c5cc329083a64a301e4

SHA256
cc1d7478039e7531363dd700062c86348497f68cd876b9125a0972619ac83153

SHA512
4c0e039a90cecdbc49eec5b59e51cc15afdb0a71bef0de0e2d46deb79c3832dbeee32ccfae3c8622be148152eef0a39e1c6a7ee2d2b883c2aee5fca0325cb84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f38f73d25201a22ca750ce221ce4482c78847f66bd16d3edadb355d73265cea.exe.exe

Filesize
289KB

MD5
ac57e872037ded93a1cccfbc98d3356b

SHA1
0351eb8904007ffad1ca9b2f555ec651ca023e9d

SHA256
282f2d1c84ae87822883a091036b8816a4cfe2f993fbbaf6c20ff3d3ea5e18ea

SHA512
fa2a0581dec4af5f51b82b40f847a4b14149ba1e68a140783fb61377b7fd701cd788d6ecb4a232247dd346032fe92ee4ce0dcbfb5024c5e6128cc2e10ca34862

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
fb302bb3e9a63790b545fbae9cf76e95

SHA1
36a3ff29e20e8c6a98e0ed0b62facf588e0de5c1

SHA256
e431f29fd728f254e78f03cb50ddea4203ab6863abe479d5cd89127a2a2ef391

SHA512
3c7b9db7a7030479e800f51971a223773c249758f4e38cff51214034b207cdcf427005476b3177662060e1d049d23d67627baa0548c16cc4db4236d4126d79b4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1204-29-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1228-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-16-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2796-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-767-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-2452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download