d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe
Size

1.7MB
MD5

c369a4ae450b75a05904abb90843fbc0
SHA1

cdc4308c0f7a23cdeccb573102a874b2cb3d7ce9
SHA256

d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304
SHA512

ca03ad4c6c2219e82ead2544cc549af0b888e473438d018a4f00264e93c973a3b53e02eda7bf706ff35b6799578ff14130189cb18e3dc85835e63ea0d5a1e785
SSDEEP

49152:B7m1YVxQFAPjBdS3v1sMRnN+ziLTlywFSOyw9x:UmQ/+GFxx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	Logo1_.exe
2468	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe
File created	C:\Windows\Logo1_.exe	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1712	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	28
PID 2112 wrote to memory of 1712	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	28
PID 2112 wrote to memory of 1712	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	28
PID 2112 wrote to memory of 1712	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	28
PID 2112 wrote to memory of 2984	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	30
PID 2112 wrote to memory of 2984	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	30
PID 2112 wrote to memory of 2984	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	30
PID 2112 wrote to memory of 2984	2112	d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe	30
PID 2984 wrote to memory of 2676	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2676	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2676	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2676	2984	Logo1_.exe	31
PID 2676 wrote to memory of 2980	2676	net.exe	33
PID 2676 wrote to memory of 2980	2676	net.exe	33
PID 2676 wrote to memory of 2980	2676	net.exe	33
PID 2676 wrote to memory of 2980	2676	net.exe	33
PID 1712 wrote to memory of 2468	1712	cmd.exe	34
PID 1712 wrote to memory of 2468	1712	cmd.exe	34
PID 1712 wrote to memory of 2468	1712	cmd.exe	34
PID 1712 wrote to memory of 2468	1712	cmd.exe	34
PID 2984 wrote to memory of 1204	2984	Logo1_.exe	21
PID 2984 wrote to memory of 1204	2984	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe
  "C:\Users\Admin\AppData\Local\Temp\d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEDF.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe
      "C:\Users\Admin\AppData\Local\Temp\d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe"
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
45774c8ec2b016b52c45ca7d6ee578d2

SHA1
6c2c889b7c1934e942909cee209f8b160730ff5f

SHA256
24f6589a2fbb1e56f64aa71a01bba71cba849a124e8cfad5fb3e8ef1f429823f

SHA512
d7b5b1e0489b2de3d57f4648917e2449d41354db3d711668615084dc755580360aac054ed59f0bb5cb6e11776c186f3989caa593d62836df3398093c3d7f7513

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEDF.bat

Filesize
721B

MD5
5f9860fe07f8d2a2811ff2780fef3edf

SHA1
1b6f73e942f71991fd7545391cff476fc972fd44

SHA256
9cad246d1a4bae0c47ff9a00907b3c15d3637b591ab1d699937e0c04a189b7f4

SHA512
f1990df505fda184116bcd273222821247e7cb06f87a32035cf8c5f0afc743e56c7d6b54a920c00a78e1e3623c4cbfc6801a9d1dcd44fc25b24b13f98e943403

Download Submit
C:\Users\Admin\AppData\Local\Temp\d41a11c5575808678a2fb1d32239089be0ad1805da27fb1c39883f371cf1c304.exe.exe

Filesize
1.7MB

MD5
948214c8c606561c0f324c027dd501f1

SHA1
66981fbac344775703ae746b7f530e8159f0eeb5

SHA256
53f6d4136e31ceaa9c2ed6ccafc1a13f51dbbf97195ee93144156fab88b89ec2

SHA512
c535b8392c0c599fa983273a27173ed46922f0684fe61746f683e75355b6bcc337869fe3e94a2ad4e9f8dad7d00df080d55cd17ad3e9859004adcc6ffa004d03

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
2f8e0fe049a417c233d31e6a612b71c4

SHA1
fb8881d3be3a8a2a4b947dbad788ee9d6710835a

SHA256
02a2e79235ec8c86144c28104871b1d5de5e2d873263fa3973464d729b646fa1

SHA512
315d25e82861ab1dc42c4ec250d97eda89d8f374cb675291f7f45116bfdd3761c615a050053c28e12b98e50017b0880ba82726603fbca3d26d26015da8fbdf5c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1204-29-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-20-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2984-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-974-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-3182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download