e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe
Size

387KB
MD5

8a0e0bfed338bd4b4a7972fdcd556f7b
SHA1

8c02962667a90024f8f72fcdfbda8e3438bac05b
SHA256

e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a
SHA512

1b56301e8c27cdb3381b73659d88d72d51adb1b09f7b7e50cf87315df83e70c95b95216a9910cfd94db064ec733988886ed305829519bd3cf0555836fd716eed
SSDEEP

6144:7FpIP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moHXG:RpFahVy41

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	Logo1_.exe
1036	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe

Loads dropped DLL 1 IoCs

pid	Process
2548	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe
File created	C:\Windows\Logo1_.exe	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2548	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	28
PID 2972 wrote to memory of 2548	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	28
PID 2972 wrote to memory of 2548	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	28
PID 2972 wrote to memory of 2548	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	28
PID 2972 wrote to memory of 2204	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	29
PID 2972 wrote to memory of 2204	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	29
PID 2972 wrote to memory of 2204	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	29
PID 2972 wrote to memory of 2204	2972	e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe	29
PID 2548 wrote to memory of 1036	2548	cmd.exe	31
PID 2548 wrote to memory of 1036	2548	cmd.exe	31
PID 2548 wrote to memory of 1036	2548	cmd.exe	31
PID 2548 wrote to memory of 1036	2548	cmd.exe	31
PID 2204 wrote to memory of 2564	2204	Logo1_.exe	32
PID 2204 wrote to memory of 2564	2204	Logo1_.exe	32
PID 2204 wrote to memory of 2564	2204	Logo1_.exe	32
PID 2204 wrote to memory of 2564	2204	Logo1_.exe	32
PID 2564 wrote to memory of 2584	2564	net.exe	34
PID 2564 wrote to memory of 2584	2564	net.exe	34
PID 2564 wrote to memory of 2584	2564	net.exe	34
PID 2564 wrote to memory of 2584	2564	net.exe	34
PID 2204 wrote to memory of 1204	2204	Logo1_.exe	21
PID 2204 wrote to memory of 1204	2204	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe
  "C:\Users\Admin\AppData\Local\Temp\e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a12A6.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe
      "C:\Users\Admin\AppData\Local\Temp\e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe"
      4⤵
      Executes dropped EXE
      PID:1036
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
4454b36e22a27b3c82699a0feb2d7f71

SHA1
ba14dc1d6897b651043e0265678e442169099f55

SHA256
f3c0364e6c6adb5c9fda63fdd0cf4a399bcf009825482f3831762d974dba1295

SHA512
b684148f5d5f1a97d7d7dff5272f9a1f44c73e98de12f3b5db28582f353c38e648fc5c3070c5f950bdcfcec768a87671821d49af42b0b81f203f7faff853f959

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a12A6.bat

Filesize
722B

MD5
a5a2646464515625ff5a86767125567a

SHA1
87cd1edcf8f2d68f659a35f33f382939c73eb605

SHA256
9432d736ad4032c02b2f190f20001a8030160e16777a8dc166f0de7bdb50b456

SHA512
f6bce320808c0f7ab65bc949da7696a5af14ae49a595f3cdc54a99933e151295962625bb00fe5ce3c93570eeb4393d93bce7b4b074fcfb08e21b8827b7dccec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e446e6c2dd1b3dec2cd5a4d8b397ea2683238a86786dcbc3ee2d80b36026ad0a.exe.exe

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
b9e22a1c417b7befad06c94c41f3d31f

SHA1
b63d12c3e0f4eba2b6b329e6e839825060fa6036

SHA256
7eb74a6fd3032fa6b334f0316736facdacae70bfea264e745fc5694fa167094e

SHA512
46d5be95fac0e3abb6eabdb413cfac120e9cdd535b60c6aa0291e2171f8bb1496581ff3a077791faaa20250cc4f21ed18a27eec0a80110b3df7a574f1482d626

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
8B

MD5
0282826728a8bfe9c3f290391e4f323c

SHA1
ab69946ecc2824015e04a669b8434e8eb2a658aa

SHA256
0c3ddb95f5308286721e2d55c16a3170674b54fc8d17c1f02bee1b6850ce2ee9

SHA512
fde2cb3a9b14fa79fdb7615c094a85aee3baf100511872c0b3986349edefe5a2dc4513929587852c1672e9632c8a6c95284fab82397133dec597bb8fe618fb0e

Download Submit
memory/1204-30-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2204-1850-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-2307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-3310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-12-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download