377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe
Size

487KB
MD5

35b5cac8b83359c6bc1948c5905d2912
SHA1

fe5b54bfa84de7e128981f00f891fcdfb16c41f9
SHA256

377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b
SHA512

ac77b307d2e9295ed27555a77032573a89ef6513d8cb9b5307fbdf8411e6e0f5626ae577ffc076990f7a4171a1428976c681cfb4c7f292a0399ba82d046051e3
SSDEEP

6144:wMuJoz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:ws1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	Logo1_.exe
2520	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe
2564	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1296	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	28
PID 1760 wrote to memory of 1296	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	28
PID 1760 wrote to memory of 1296	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	28
PID 1760 wrote to memory of 1296	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	28
PID 1760 wrote to memory of 2564	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	29
PID 1760 wrote to memory of 2564	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	29
PID 1760 wrote to memory of 2564	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	29
PID 1760 wrote to memory of 2564	1760	377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe	29
PID 2564 wrote to memory of 2576	2564	Logo1_.exe	30
PID 2564 wrote to memory of 2576	2564	Logo1_.exe	30
PID 2564 wrote to memory of 2576	2564	Logo1_.exe	30
PID 2564 wrote to memory of 2576	2564	Logo1_.exe	30
PID 2576 wrote to memory of 2600	2576	net.exe	33
PID 2576 wrote to memory of 2600	2576	net.exe	33
PID 2576 wrote to memory of 2600	2576	net.exe	33
PID 2576 wrote to memory of 2600	2576	net.exe	33
PID 1296 wrote to memory of 2520	1296	cmd.exe	34
PID 1296 wrote to memory of 2520	1296	cmd.exe	34
PID 1296 wrote to memory of 2520	1296	cmd.exe	34
PID 1296 wrote to memory of 2520	1296	cmd.exe	34
PID 2564 wrote to memory of 1200	2564	Logo1_.exe	21
PID 2564 wrote to memory of 1200	2564	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe
  "C:\Users\Admin\AppData\Local\Temp\377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AAC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe
      "C:\Users\Admin\AppData\Local\Temp\377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe"
      4⤵
      Executes dropped EXE
      PID:2520
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f432d1f83593308d844634cd59fc919f

SHA1
f8a1d3fb03083b9efd3a0327993b95b4ebdefdf1

SHA256
f151d9509315c51577bf1e04c879680168de53daee04af9a087b11ffc1a8a704

SHA512
84e52bceb34de199db9348de7b11ae1874cd582ab2c46880a90b32ed2f35ff7a7a5023917f9d473235eae3279a0e5687ac849d87cc14124eb970adb3e688c1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7AAC.bat

Filesize
722B

MD5
70aa93ad3da68e0dd4749575a66faa74

SHA1
c2d5cae837b2686275890bed318739ac727f3824

SHA256
d70820c3d8a07c6c4358b8188afc3b384eb628644fcf4b809dfce5b6092303e1

SHA512
f8b5bdb6fc77495058139a3f5f6eb4b7270b7e50992421cbfc218699bd8cbda2ff7bd4390f04da26891f539c6700436fad40c77c9a582b4f5d02b5662d19676d

Download Submit
C:\Users\Admin\AppData\Local\Temp\377664bb9ec4333499cf6fd8e5eaf8ed659e356b05cd61874ddcd9e0d344587b.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
f600d3b05604eed2eb0e978ecaec3752

SHA1
c7e79069cd2c171d732cf22ad3c471200b8261a8

SHA256
a5954e7b06481dc25f525a7bb4c62015368acfbc2d99634940e62d8a34e15ab9

SHA512
81fbc800450084e269e715130f3097c432ced7dcffaafffcc3c9b7f42fabc8ac24bc4b2d12f36cc84a1427335abc728fb53f648bb0e874ba582f87e73d56ff51

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
8B

MD5
35a8ee2041a708d5071bff39818311c3

SHA1
31114ee16a39b8ada4130a94c1c36ed74a563d2a

SHA256
b2405b086204a9155a2dabf58717e53695089ece5d0af208cb960473ba350f8b

SHA512
f17fa8c794a47b0134ac4d8e83010e8dce1a0f2ab74a400c571d6470737e386f4eb1351be6c5b153dc063c49d333b69ddf67871d2e0ffb3c02d243be0015f1f0

Download Submit
memory/1200-30-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1760-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1760-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-1850-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-3310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download