33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe
Size

484KB
MD5

ed627d3fdb9e20e1efec35ec7452f0f2
SHA1

1974408c40d8e7c983ee1c923b0d1cd3ff86b50b
SHA256

33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f
SHA512

ec7581ef41b88bc7cf8bc18c1a924edfeb2bff7599b1164cf342786979700a767c7de08d0e6b29e01053456b1a9c5140bb07684b3199a9246337935c4d704bc9
SSDEEP

6144:KVfhguGz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fay7:EJgug1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	Logo1_.exe
2796	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe
File created	C:\Windows\Logo1_.exe	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe
3036	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2476	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	28
PID 3004 wrote to memory of 2476	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	28
PID 3004 wrote to memory of 2476	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	28
PID 3004 wrote to memory of 2476	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	28
PID 3004 wrote to memory of 3036	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	29
PID 3004 wrote to memory of 3036	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	29
PID 3004 wrote to memory of 3036	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	29
PID 3004 wrote to memory of 3036	3004	33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe	29
PID 3036 wrote to memory of 2584	3036	Logo1_.exe	30
PID 3036 wrote to memory of 2584	3036	Logo1_.exe	30
PID 3036 wrote to memory of 2584	3036	Logo1_.exe	30
PID 3036 wrote to memory of 2584	3036	Logo1_.exe	30
PID 2584 wrote to memory of 2512	2584	net.exe	33
PID 2584 wrote to memory of 2512	2584	net.exe	33
PID 2584 wrote to memory of 2512	2584	net.exe	33
PID 2584 wrote to memory of 2512	2584	net.exe	33
PID 2476 wrote to memory of 2796	2476	cmd.exe	34
PID 2476 wrote to memory of 2796	2476	cmd.exe	34
PID 2476 wrote to memory of 2796	2476	cmd.exe	34
PID 2476 wrote to memory of 2796	2476	cmd.exe	34
PID 3036 wrote to memory of 1192	3036	Logo1_.exe	21
PID 3036 wrote to memory of 1192	3036	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe
  "C:\Users\Admin\AppData\Local\Temp\33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a254C.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe
      "C:\Users\Admin\AppData\Local\Temp\33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe"
      4⤵
      Executes dropped EXE
      PID:2796
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
593ea4d29a2c8cc7997860a78ec16b97

SHA1
6f483c3337cee43fbf961fa9b3d774fa7d34b9df

SHA256
d398094d698da304ecbee6de7a3efb1f6f6bc4444437a88c5a70c97800a978f5

SHA512
51bb70206577ae687e787422f91b9901888cb92a80febbc18969f5b2e27760448a1df28ca30c33b798287e202b3804c92d78a8a9b6bea19670a3884cd3e36b7f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
f9fc019eacb573ec828d2d9ff6a48318

SHA1
b91958dc8d178b6eeb35e829bab84d0fb12c2280

SHA256
bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e

SHA512
998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a254C.bat

Filesize
722B

MD5
502fc4168d696921f6ac98d634243cab

SHA1
79abaf2087fa3295746faf4a1d6e7d0f37c989b4

SHA256
5644de967858398636885cebde9a63bf7e4850ef16155d8249a98c6acff2e6c0

SHA512
ff144c9fcf516765d6e5a18e76fb86721451e5e35c583142d95f528183517875e0090ae80da7a116f0876fefce17bd7d664f097a3ebeceda43c17570f3438783

Download Submit
C:\Users\Admin\AppData\Local\Temp\33dfc0fece5800a3ac3ec71324a6e2f8f8601c39b417570fd9f995a65661b49f.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
2b50af7538425b388b0ecbfe37eb19c6

SHA1
08e2154d0eeb1424d2b642f5f7d85c572744240e

SHA256
2e134ba6187087992ed1b352ba599d248f6153959edaace04074e0f5ea70775f

SHA512
5cf3f14fc65879feb726248bfb1af4a836ce4ec3a077f2e2f6afe3462ee489305fe6ba8b501652079ab4df08ce920e4dcf0039cbe7ee5ea83afe11bbef20886a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
a4e284afce5c2e93b509543e6064da82

SHA1
77a7ae3e38b05410dcf335f8abe1df4d7f0b141c

SHA256
f4460d1a85b2980fa2b8d329adda0fd330f8157d7afc2d7b1bad62453ff1dfe8

SHA512
8f2147ca54c96b0b05bf69a7919b5bf54b20036ba8336f6ba379c2abb0d31139a91d315130040ef1d06450dd624d8a8661396eb082407b8f7455be4d61351821

Download Submit
memory/1192-29-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3036-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-752-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-1851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-2439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-3311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download