7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe
Size

788KB
MD5

52c7dcefe0a2d27b523d9a669ca438cf
SHA1

baaee11d0fe53cc512dba7c9dd3a5f2533fe2433
SHA256

7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45
SHA512

da60748e7edee16e44faaf94a088a470d3e324086f2c5d471baa51c9a59cd5342acc23c1f8fa9323c287e42b3eae7068dcf4f79883dac5a4739f5be7637f91de
SSDEEP

12288:C7+3xvhrBVVaUOFH4OVlmgTwvLD3cJzNwOKhVIe:C7CbBVwUOuOU3cZaOIIe

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	Logo1_.exe
2676	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe

Loads dropped DLL 1 IoCs

pid	Process
1936	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe
File created	C:\Windows\Logo1_.exe	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe
2492	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1936	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	28
PID 2924 wrote to memory of 1936	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	28
PID 2924 wrote to memory of 1936	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	28
PID 2924 wrote to memory of 1936	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	28
PID 2924 wrote to memory of 2492	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	29
PID 2924 wrote to memory of 2492	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	29
PID 2924 wrote to memory of 2492	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	29
PID 2924 wrote to memory of 2492	2924	7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe	29
PID 2492 wrote to memory of 2544	2492	Logo1_.exe	30
PID 2492 wrote to memory of 2544	2492	Logo1_.exe	30
PID 2492 wrote to memory of 2544	2492	Logo1_.exe	30
PID 2492 wrote to memory of 2544	2492	Logo1_.exe	30
PID 2544 wrote to memory of 2360	2544	net.exe	33
PID 2544 wrote to memory of 2360	2544	net.exe	33
PID 2544 wrote to memory of 2360	2544	net.exe	33
PID 2544 wrote to memory of 2360	2544	net.exe	33
PID 1936 wrote to memory of 2676	1936	cmd.exe	34
PID 1936 wrote to memory of 2676	1936	cmd.exe	34
PID 1936 wrote to memory of 2676	1936	cmd.exe	34
PID 1936 wrote to memory of 2676	1936	cmd.exe	34
PID 2492 wrote to memory of 1152	2492	Logo1_.exe	20
PID 2492 wrote to memory of 1152	2492	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe
  "C:\Users\Admin\AppData\Local\Temp\7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFD43.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe
      "C:\Users\Admin\AppData\Local\Temp\7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe"
      4⤵
      Executes dropped EXE
      PID:2676
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
2c368c4079cec9a57fee722e7925399c

SHA1
ced4580a1bca5b5ca94dd72691ee8a812f300553

SHA256
0b7b6e95fb066be8fb5c68ad7e5513bd9a6e5de9b6493a7824f558e0b6271a63

SHA512
88678c361f1a9351d543324c8ad96fda1199f78fba987463d7bf790bf738d608b1f865aa8f356cc6b340a2213a6b16a688991cba2444f9e187a6feab2efe7152

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFD43.bat

Filesize
722B

MD5
65683ad040c523a96bcfe25db403e38f

SHA1
b9ecf769eadb42c427d2d04e40d134e8d281e589

SHA256
a940e434048606eb78884952472a5ebb02281cf97eac9f9b8da7e14a32dce7b0

SHA512
a5d721b076f72ca0753d56e22297765bf4377fb94c696b28dc840a30f37236fe7685749106f3b522a6cbf56db6b4b97787b02abd47dff17f856912ed48843c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef48a838fc52f8399bdc6fb900410fa02a29a983c5bc491edceef4f33748c45.exe.exe

Filesize
762KB

MD5
e6ce6c136740c736fd5be4e18de82117

SHA1
cca1b677d6a97ffb121a25a1e2d36b0b03ddb9ea

SHA256
c623f1c54437a44ae29701e6b9c3e68f9fe6ffbde06d23fffc1d7843c9b1331d

SHA512
6a50b7325bce263f8d74a8b1216bd9307385972492414c3d1595f99833e5f6abd4fc2676eb0df0f49c012ac9e3fbeaca3d4723df5ecc1f7faa1ee1ea180fff52

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
487da9891a1e7032841518d66e9f99f4

SHA1
af90ab8039b6920e1ac83191780b324b3605a26f

SHA256
f2acf2477402b55c9f408c6fbde18ad3d2d5b1ea94a504dc60d651813349001c

SHA512
99d74cc9a5bd8141cf1e81a4e0474d178fe7812163620450bc1ce3fb5d5d494a5c91c6de55e315675d615a98ebfa43854267c57e4d02603d3b322b20dbe2ffaa

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1152-29-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2492-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-728-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-2333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-16-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download