e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe
Size

2.6MB
MD5

98ef900236b665b54db088265d79af97
SHA1

ec4692eb3da0d865d74b0954b2a60cdccdbd67bc
SHA256

e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc
SHA512

53af1b335a7020d6bf73740e3751348c266d471793787e8e32775a874f0b460f7dd4fe6740aee04feb8097984817bd75fed4520e61968111b97f8651c918481f
SSDEEP

49152:v7bpb4rs+SHGWcIKcBVAer/GpR/UVHitGofG:+rs9GWxvDnHofG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1356	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	Logo1_.exe
2388	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe

Loads dropped DLL 2 IoCs

pid	Process
1356	cmd.exe
1356	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe
File created	C:\Windows\Logo1_.exe	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1356	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	28
PID 2876 wrote to memory of 1356	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	28
PID 2876 wrote to memory of 1356	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	28
PID 2876 wrote to memory of 1356	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	28
PID 2876 wrote to memory of 2720	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	30
PID 2876 wrote to memory of 2720	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	30
PID 2876 wrote to memory of 2720	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	30
PID 2876 wrote to memory of 2720	2876	e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe	30
PID 2720 wrote to memory of 2968	2720	Logo1_.exe	31
PID 2720 wrote to memory of 2968	2720	Logo1_.exe	31
PID 2720 wrote to memory of 2968	2720	Logo1_.exe	31
PID 2720 wrote to memory of 2968	2720	Logo1_.exe	31
PID 2968 wrote to memory of 2540	2968	net.exe	33
PID 2968 wrote to memory of 2540	2968	net.exe	33
PID 2968 wrote to memory of 2540	2968	net.exe	33
PID 2968 wrote to memory of 2540	2968	net.exe	33
PID 1356 wrote to memory of 2388	1356	cmd.exe	34
PID 1356 wrote to memory of 2388	1356	cmd.exe	34
PID 1356 wrote to memory of 2388	1356	cmd.exe	34
PID 1356 wrote to memory of 2388	1356	cmd.exe	34
PID 2720 wrote to memory of 1260	2720	Logo1_.exe	21
PID 2720 wrote to memory of 1260	2720	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe
  "C:\Users\Admin\AppData\Local\Temp\e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4AA7.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe
      "C:\Users\Admin\AppData\Local\Temp\e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe"
      4⤵
      Executes dropped EXE
      PID:2388
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
c9065b21312d82016ba315837bcbb463

SHA1
584ff81f3f1f2af881f7c53bd20350f6572f2459

SHA256
39fde63448890597c560aeeb55535ecd13b9ea6a3fdef145ff3410b73b275965

SHA512
a9c942c54f6c87688970d334f984d931cd1b6ba5b0bee77aee9d1d9f78cb8d2280fb68aedafe3beb61ec323d799bce7c0b47e454e6554b7699906e7961b306e6

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4AA7.bat

Filesize
722B

MD5
a824a5d19eec181049575d7150475238

SHA1
ec0870443217d998636cd2d779de1de09d8d05ab

SHA256
6ecd920741357b74265a890c3b8c3eefe5676fe11f39e3b52f7859cbb0fa4f43

SHA512
dcd1aae544e71bd55d5b1cc502de10230e136ef3f720d77de380549cb6e58c877487102efb00663f32539f0ae57dd62c6e3227c62a36e90720a42d8b31ced1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e17b3aa00468520e55c51fe184b452f42b4a9a467e8e8d8a27859aab72aa91dc.exe.exe

Filesize
2.6MB

MD5
df04d57862c94114102c4209a997658c

SHA1
b82c2b27e5d94288b8832e72d67957b65c4d5dd5

SHA256
bc6c279f920323829a457ef43629f1bb4ccfd98df4356907a187d7f593c5e558

SHA512
1b137b17c270c0ee4d4a70f6c4bee7f4327b3d456257d7a89f4e5cd059f4aeb5e80a6fcd2651aae440622c370313509c41d15e7e5980a60b9243138dfadb7f99

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
05ce1806a05065eaca6b28992ab37804

SHA1
3733df8350135f974c068e0090e4155f059349b4

SHA256
9342f5e2bb17cfd88a108ddcc19ae65d39da4403bc6d10751a26f1b71e3f4755

SHA512
215f8e85d1e745ddbcf400c8ef7f6ba9d3ddc49151dcaefd1e5d7d7ee465b192918b3136f50964bfcde0b82d40d4b71eabce0fb396fcfd6b68885a647b133161

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1260-31-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2388-34-0x0000000000400000-0x00000000006A4000-memory.dmp

Filesize
2.6MB

Download
memory/2388-43-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2388-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2720-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-715-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-1878-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-3340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-20-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download