376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe
Size

88KB
MD5

36e2805aeff16add3a7afa0597df2920
SHA1

82dc4d2815e976cb86945e27e4eefacd27d011d4
SHA256

376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762
SHA512

74d2cfaa154a48162498fb03ac625ece74ec73f7f23caf89c05561e4c28d22cffcdee0b9949ed86e75375b8594760b7145a0881f17aad7f75e3a841b29644eaf
SSDEEP

1536:oEJ93SHuJV97Rynyapmebn4ddJZeY86iLflLJYEIs67rxo:o0kuJV7LK4ddJMY86ipmns6S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1112	Logo1_.exe
2768	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe

Loads dropped DLL 1 IoCs

pid	Process
2272	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe
File created	C:\Windows\Logo1_.exe	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe
1112	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2272	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	28
PID 1808 wrote to memory of 2272	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	28
PID 1808 wrote to memory of 2272	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	28
PID 1808 wrote to memory of 2272	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	28
PID 1808 wrote to memory of 1112	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	30
PID 1808 wrote to memory of 1112	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	30
PID 1808 wrote to memory of 1112	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	30
PID 1808 wrote to memory of 1112	1808	376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe	30
PID 1112 wrote to memory of 2644	1112	Logo1_.exe	31
PID 1112 wrote to memory of 2644	1112	Logo1_.exe	31
PID 1112 wrote to memory of 2644	1112	Logo1_.exe	31
PID 1112 wrote to memory of 2644	1112	Logo1_.exe	31
PID 2272 wrote to memory of 2768	2272	cmd.exe	33
PID 2272 wrote to memory of 2768	2272	cmd.exe	33
PID 2272 wrote to memory of 2768	2272	cmd.exe	33
PID 2272 wrote to memory of 2768	2272	cmd.exe	33
PID 2644 wrote to memory of 2948	2644	net.exe	34
PID 2644 wrote to memory of 2948	2644	net.exe	34
PID 2644 wrote to memory of 2948	2644	net.exe	34
PID 2644 wrote to memory of 2948	2644	net.exe	34
PID 1112 wrote to memory of 1212	1112	Logo1_.exe	21
PID 1112 wrote to memory of 1212	1112	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe
  "C:\Users\Admin\AppData\Local\Temp\376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1545.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe
      "C:\Users\Admin\AppData\Local\Temp\376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe"
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
bae13e04f5e8c8d531786f2251bfbb8d

SHA1
16473dd7704fbed4d335ece111d8d75352f9c9f6

SHA256
f9b998d2548cc1b63b52d3bd4fe546a8ae5d5e8b0aeb65cd313807cca1112423

SHA512
4837ba7e379f8ebb2d0ded6e4fa7471a5936a453a79513bd4e6dfed05d56acf72cf30874ccb07f307af618ac39233e36a151aba76ccf3fce70655656f9c4587f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
ff973db02a999ecbc9be9bb33499796d

SHA1
2fadc83cfc56463a638456cb4cf77be605793a9f

SHA256
bf3b2ca265dc1f3583cb5276da1f4c83404d5f547919d17d7bd4c328071507dd

SHA512
fb673f91884b3eb805809887432ac810c4d525db0bc5c1f7103b14e3d62284fb25e122c7e957981d864b699fb005e34d0c5583ac80436ecf673f22704d4e5ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1545.bat

Filesize
722B

MD5
55fd09a26c6789642de9323844552b82

SHA1
25b22581d5c0f8744a77a56c94a212fa9c9f603e

SHA256
b21a99dd2c7210e8558995a217ae2aa8310d559677da9a42b442689a21cbf1e3

SHA512
1d6c3d1213cfc65ee629bcddc12d6fe730f534d1075257615ff291dbee56d3bca1ad160d2514c99adf6b7ed3355c23c3f8f1283dd6997fa259a7b73d980972d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\376fa84cb0ae3a6ef317381aafb4efd1d470a37525c4dff283b4b42e19259762.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
613ebc2c6b3cd0a071abf2ce8f025c87

SHA1
466db64217d98d6a149f2538bb7d6f569ce18cd7

SHA256
c7120fe704982e0bf67d30a32e48ccb5f84d4d9702c193599b397eda84cd849e

SHA512
3328a8ef51ae65a1ded3ad33b862c479919f30915d5f47f722622a390eb2486bb1a821c841381d1f39b09c6f06388114add299a4a280d1ed0ccdeefb5a31a530

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
73b8aef84e892e3f77d41747dce253db

SHA1
d642a92c96e4ed570d998a73e42fc24fafe8caf9

SHA256
a81f7465f537233bbd4b8fa9034e52a8ceffcdf97bf36244c4d404ebec14eb24

SHA512
9b0690efee220355932375db333b5487c369ca9fdcf8497bcb5283d78d21fb4fefb7c06bbe533fb1f18fd3b32256a013090af6dd957b9d09cc373d0d5b89cf6d

Download Submit
memory/1112-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-3170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-856-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1112-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-30-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1808-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-12-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download