f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
Size

364KB
MD5

5020a33dc240eb771f76b7b6a36c2ebd
SHA1

fe2884c1adbd3e53446392880c9fa6fc965e641a
SHA256

f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c
SHA512

db0d7d81d3db64ae54003bbeab9f8df1458e9feb65bce2eca5d993e7c0177755aadb41ee548431af5844f8913a4a54f1a955c758fc32e490b0389cb7d575745a
SSDEEP

6144:juJX2zU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:9U66b5zhVymA/XSRh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	Logo1_.exe
2676	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
File created	C:\Windows\Logo1_.exe	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe
2520	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3024	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	28
PID 2036 wrote to memory of 3024	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	28
PID 2036 wrote to memory of 3024	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	28
PID 2036 wrote to memory of 3024	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	28
PID 2036 wrote to memory of 2520	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	30
PID 2036 wrote to memory of 2520	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	30
PID 2036 wrote to memory of 2520	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	30
PID 2036 wrote to memory of 2520	2036	f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe	30
PID 2520 wrote to memory of 2564	2520	Logo1_.exe	31
PID 2520 wrote to memory of 2564	2520	Logo1_.exe	31
PID 2520 wrote to memory of 2564	2520	Logo1_.exe	31
PID 2520 wrote to memory of 2564	2520	Logo1_.exe	31
PID 3024 wrote to memory of 2676	3024	cmd.exe	34
PID 3024 wrote to memory of 2676	3024	cmd.exe	34
PID 3024 wrote to memory of 2676	3024	cmd.exe	34
PID 3024 wrote to memory of 2676	3024	cmd.exe	34
PID 2564 wrote to memory of 2648	2564	net.exe	33
PID 2564 wrote to memory of 2648	2564	net.exe	33
PID 2564 wrote to memory of 2648	2564	net.exe	33
PID 2564 wrote to memory of 2648	2564	net.exe	33
PID 2520 wrote to memory of 1160	2520	Logo1_.exe	20
PID 2520 wrote to memory of 1160	2520	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
  "C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE72.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe
      "C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe"
      4⤵
      Executes dropped EXE
      PID:2676
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
9fb61e4bc240909412c1859e57f46c9f

SHA1
e627cf0284b14993fa8cdaa8f391986dd3e681e0

SHA256
86948c2c33a23578d32926afa5b34e857bace16c827f6409ac0a677f00b93f27

SHA512
3fa22e348a93747ef1c631b6410bdbcf0ebbed61e229cdd2f320fda720a90d525a7c8d4372da6b8b2529b410ef59927a4c11aba1be201ac39bc42121e55ff4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE72.bat

Filesize
721B

MD5
939e30272a829b1d8ee1b7939f8749ad

SHA1
f9727f837a0974c331241247c34b63bb63deafbd

SHA256
6749b5dcbd88dc4047a4c4c546dfbefef589f3adb936f169024a46eeee116d79

SHA512
692363b65b60eb95f9d252eb161a7548c4085635d6a84154c58f0a574ba6721c1120e5a1fefbdaea974b54b698f2253401f5dba93486c90b4abb16415cbcca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\f48334d323deeec1aa5205e267e913c9547fe190382bed98a7074a29facc284c.exe.exe

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
7ad4e87b0cd43eaef9f601d3a5ec098e

SHA1
3590a3062cd73057ac6644ceb88646cadb30d3af

SHA256
81498756cc164063aec38129d44c383a13a0a9c53b72074dfae98736821ac5cd

SHA512
de70f1562dcc1583376dae1f05ac830f0ab90c6ef0675a609284293affcffabeecc528f3b157e61e2cd269ad20441ddc32296d71aa4ceb2788798c3327fb1774

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
c1decdd7d6df1d9437bb5f2bc5fe1486

SHA1
d71402dc8d37a148651cb5017219322267c7b922

SHA256
bd6d31806e5ebc86100e3c7ed2cf5348757149082d775fa986d41e8554ce8089

SHA512
ebbaed70f5d858508011ec3f251e16aa09c861b3d6dcc62ed28f293b37dfda2434b0e36f898bc62fca3107ee6356c77e5662a76085f191a63913013837cc0f07

Download Submit
memory/1160-29-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2036-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-942-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-3276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download