814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
Size

819KB
MD5

46d9c70b081f916a9e85bbe6f59c9840
SHA1

f1e2fb1f9f6ebdbcd826fd945d0310c1bf8fe4b7
SHA256

814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21
SHA512

1beaf3e9c9e42a0789ef4d7ec0555dfb4a968f21530a639820be3dd808beec089903d0d714a11bb099b9deb0eba010f7e2271ce563d1bdeec7aa9edc9a30c32f
SSDEEP

12288:d7+K/AwQ9izQ46IOwAyKm9vRlN3LUcqC0EWUl:d7L/AwQOdOwRVlN3L1qC0EFl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
860	Logo1_.exe
2524	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File created	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
File created	C:\Windows\Logo1_.exe	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\WindowsUpdate.log	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe
860	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
2524	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2268	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	28
PID 3040 wrote to memory of 2268	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	28
PID 3040 wrote to memory of 2268	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	28
PID 3040 wrote to memory of 2268	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	28
PID 3040 wrote to memory of 860	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	29
PID 3040 wrote to memory of 860	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	29
PID 3040 wrote to memory of 860	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	29
PID 3040 wrote to memory of 860	3040	814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe	29
PID 2268 wrote to memory of 2524	2268	cmd.exe	32
PID 2268 wrote to memory of 2524	2268	cmd.exe	32
PID 2268 wrote to memory of 2524	2268	cmd.exe	32
PID 2268 wrote to memory of 2524	2268	cmd.exe	32
PID 860 wrote to memory of 2256	860	Logo1_.exe	31
PID 860 wrote to memory of 2256	860	Logo1_.exe	31
PID 860 wrote to memory of 2256	860	Logo1_.exe	31
PID 860 wrote to memory of 2256	860	Logo1_.exe	31
PID 2256 wrote to memory of 2652	2256	net.exe	34
PID 2256 wrote to memory of 2652	2256	net.exe	34
PID 2256 wrote to memory of 2652	2256	net.exe	34
PID 2256 wrote to memory of 2652	2256	net.exe	34
PID 860 wrote to memory of 1368	860	Logo1_.exe	21
PID 860 wrote to memory of 1368	860	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
  "C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18DE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe
      "C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2524
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
c66937671bd13d2952d28aac7b302977

SHA1
1a56e881f49291b5f2101af46f5797b90a33dd8f

SHA256
f623fbf43e5e7cc6f15c07ceae64c5da136fefc02394c7319181cacabe0b5f23

SHA512
750fe0a99724228d14a70597cd174d6e1c2d7a78a6d1a4318c5baf6a754ef86ad7f50e638cb92bdd350bf6e8979a6a540dc6f2ef1cc72c374e6a0b91a46598d1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
fce01a67577fb7ed0e3e01dad325c7ea

SHA1
e120f2e97491465d6cd86700fb30830214d9f8ab

SHA256
e23cc73613a5c5ce0937c9c9b219ba3f777b7e27a385e12280b570ade7144842

SHA512
823ad15be7d6f243b35016746481e1e53714e625cc621eeb3a82163fa2402e2ea4be2c076d0f0ca178cf99537e879b8b8142a939b299b14ad4efc49db23156d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a18DE.bat

Filesize
722B

MD5
760316f9f66964a578087bb130b353e1

SHA1
2f8881649b47a46c3042619f18941e1ecb2bb79b

SHA256
20f648e87bad8cb475c15a458554922d4c3a91bfe7a04db7c252a1203b999fa9

SHA512
7161241f0ba6c40584fbc50cc48039ebbe676ab3d21ba937a04b2c24c9ff88515ea5f98a785b211ce629081dd5aac6f365547cfd7b0c72f91d8c1d54796c1d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\814d52765b064ee713b564ef3bbf4511a8424b3d966ece5027b48fc913350d21.exe.exe

Filesize
793KB

MD5
9209338186015547dc9cd90258da09e4

SHA1
a6f17d98b85ae07d2962296a25a9e04f35463dae

SHA256
6be35fe8543aecfe21ece4a1077373a760e6d22012b32fb19a7a53ef15445b3d

SHA512
d7fb31b050dfa7bf31bcdf35650076ba431aca2af293efa0ff85936c387ed70eacb05820b796130b8d7e35307b7a217c1b4eed20298e1c53ed272f19c37855db

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
bfb8bc503f044a45669e6b3df91ea121

SHA1
eb1e96b8f1744f71bfad4ef4bde77b71d43d3cb8

SHA256
79d9366d8727a8f9c3d255baea4624409cca59b9992740cc97f725cea8099619

SHA512
0862bef39adbd801aa283b3d0ab21129836b96c3753bcd79273b0b786f64ce81547a0fe9d5cbe17bc30200ed5f1c707b82aee8894958e09235e029b365cfcd8a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
8B

MD5
0282826728a8bfe9c3f290391e4f323c

SHA1
ab69946ecc2824015e04a669b8434e8eb2a658aa

SHA256
0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

SHA512
fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

Download Submit
memory/860-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-2186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-29-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3040-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download