98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe
Size

56KB
MD5

f8fe9336aa3bf10f2a864044f45e67dc
SHA1

7aa1c893ddae50f2796b3bbc17789a5d5e6103e2
SHA256

98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c
SHA512

97e74cf674940dbaa1c130e926efc826ce9a8c764d8e7e8b34ccfebf121f095085c832425bfa1f4653674b3f929c1f2b5ad6ef845389670d27fbf3ab1cbd3a60
SSDEEP

768:g1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL20v0A5+FXAi3jLuKO1p:yfgLdQAQfcfymNa0v0jFQmLk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe
File created	C:\Windows\Logo1_.exe	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe
2016	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2700	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	28
PID 2092 wrote to memory of 2700	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	28
PID 2092 wrote to memory of 2700	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	28
PID 2092 wrote to memory of 2700	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	28
PID 2092 wrote to memory of 2016	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	30
PID 2092 wrote to memory of 2016	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	30
PID 2092 wrote to memory of 2016	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	30
PID 2092 wrote to memory of 2016	2092	98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe	30
PID 2016 wrote to memory of 2656	2016	Logo1_.exe	31
PID 2016 wrote to memory of 2656	2016	Logo1_.exe	31
PID 2016 wrote to memory of 2656	2016	Logo1_.exe	31
PID 2016 wrote to memory of 2656	2016	Logo1_.exe	31
PID 2656 wrote to memory of 2732	2656	net.exe	33
PID 2656 wrote to memory of 2732	2656	net.exe	33
PID 2656 wrote to memory of 2732	2656	net.exe	33
PID 2656 wrote to memory of 2732	2656	net.exe	33
PID 2016 wrote to memory of 1276	2016	Logo1_.exe	21
PID 2016 wrote to memory of 1276	2016	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe
  "C:\Users\Admin\AppData\Local\Temp\98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a495F.bat
    3⤵
    - Deletes itself
    PID:2700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
f95b0d904fbb90914ba189536f7197b2

SHA1
fae8056fd49f3adb38fbfa495f16b208cc259008

SHA256
9524f3f1885ef8f28b91f9b62aa97ec1e7936649e8f76936b384b1a2165374be

SHA512
8d68e985676222cfb699092697879827e2b142dc6721d655a31f7a87458d8e531e3da772d0c580c87c161c5f2cd3242a1f2f809ed75a8dfc26e8975815b707dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a495F.bat

Filesize
722B

MD5
b0b2afdd87736f58573590a2de6addfe

SHA1
32b738fa5837e39ca524aa2eee654c9cd1a247b4

SHA256
d669a6b7f774ba60bbf762ba6094963cce4e168d0a76d4a8be76012843d6326a

SHA512
f56d1afb40b8af990b2c9f2134abbc98e8820d929fd84560d14038849974e526753192d970c2d38fe906e94b9614c3bf6979c5d6749d8373d798c533dbe389b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\98387475e633335b9a1cf7388ae5c2468bc31fc83a543d41b93709ebc9cea81c.exe.exe

Filesize
29KB

MD5
a78154852e264fafc12a68e766917a51

SHA1
59ba6cb5fd6f45b8e9b7d1e5426f13609657d718

SHA256
055daaa1b81c46af694cb85f3ebef12a278bd614da815afb9cae83a8e31097da

SHA512
780b75be89a9cfb8afedcb7f593e46ef882f1df795bd792c48997bc6f2c775a924c2d992e058d772913a8e9f65bf29b13bcb627751268af1aa48be01fc7ddc0a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
c582728215a384024dca2dcadf9a9436

SHA1
e225717735740772e228085fe782350a1db84194

SHA256
6a007e9214a972594185b0ca3c6c69b604138850f1b4063d2e53a94304f7d27d

SHA512
ad6c226e81c2fccbc20219367ca86a273df642fa68b3a34c37e0518432fdec84321e4fe537de2fb20bb4ffd7bea2615c67a16635a18283914468b2f1f5d89caf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\_desktop.ini

Filesize
9B

MD5
c59aab012a570d8b20f60efcafb272be

SHA1
709df64d9a23340c6bc42f2bf8dfdca512bff2e0

SHA256
8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220

SHA512
8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17

Download Submit
memory/1276-64-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2016-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-3349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-2728-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-1888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-77-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2092-21-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2092-12-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2092-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-58-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download