d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
Size

1.3MB
MD5

59033e2a88aa99d28974153af52814fa
SHA1

098e86fcb4da296d2b8c27fa7e78aabcb261bd9c
SHA256

d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6
SHA512

4516a6bed2104d967d1da3168a67e7578dc8c2b00aa32ea429ec2863b67b12ed80ddd000ad501bea38e85e95e61e1b1094018fe7872edd47ac0df592b16493a4
SSDEEP

24576:A6teboKwzipCcbNHjjpbYsxbL7BvwswqLDA:A6teBOFeJjt8gb5rU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2340	Logo1_.exe
2568	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
2560	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
File created	C:\Windows\Logo1_.exe	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1344	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	28
PID 1460 wrote to memory of 1344	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	28
PID 1460 wrote to memory of 1344	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	28
PID 1460 wrote to memory of 1344	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	28
PID 1460 wrote to memory of 2340	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	29
PID 1460 wrote to memory of 2340	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	29
PID 1460 wrote to memory of 2340	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	29
PID 1460 wrote to memory of 2340	1460	d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe	29
PID 2340 wrote to memory of 2528	2340	Logo1_.exe	31
PID 2340 wrote to memory of 2528	2340	Logo1_.exe	31
PID 2340 wrote to memory of 2528	2340	Logo1_.exe	31
PID 2340 wrote to memory of 2528	2340	Logo1_.exe	31
PID 2528 wrote to memory of 2428	2528	net.exe	35
PID 2528 wrote to memory of 2428	2528	net.exe	35
PID 2528 wrote to memory of 2428	2528	net.exe	35
PID 2528 wrote to memory of 2428	2528	net.exe	35
PID 2340 wrote to memory of 1224	2340	Logo1_.exe	21
PID 2340 wrote to memory of 1224	2340	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
  "C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2952.bat
    3⤵
    - Deletes itself
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
      "C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe"
      4⤵
      Executes dropped EXE
      PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe
      "C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe"
      4⤵
      Executes dropped EXE
      PID:2560
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
182a1efac234be152c673103584b3add

SHA1
1606a8d53426ba27ede4b18d13acbbef1697efeb

SHA256
451c03fad8659d2d4599148b14036f011eee1b09148a92c788d838aa372a8ced

SHA512
da708d9792c5a1cb66113400529c8c2dc548299fe90022bde3c7c03c3e0a7c5926b8079ea3a6065801ab01e2418cbffffac667ba72bdb650f21aba9b05a0b2b8

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
8916a72b93d5fd4c6e63c8b36279b230

SHA1
83e3b1bfd579fbf998b2db5428819a10b25d0ad5

SHA256
537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b

SHA512
2c61138cc8800649890179c080c228da22ab9fe27f3fc1a83c52f57b349a5d3c61fc9d4a64ab53e362376f63edf99d30f0994b6070f97d09ec4868efaf8293b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2952.bat

Filesize
722B

MD5
ec6259465b5c821c07e26fa0e02579ee

SHA1
04c95caf1d6b6dd4bf434c8240b4da669a644478

SHA256
f9277a919a9bab128307e9ad08427079551e9abd7780a51eea6d8e12a8d7f204

SHA512
ea3fa80af9d54b502d918182859531de514d6a8659d70a4e5f8ebbcfa29bd778c25649df72a342ce9c3570d1a72c1a99f50d733f2c2cc1ea8f1e7fe31877dd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7fe0c1d9fccb6f76e98d30e5bd60cb1160ab002de561b6208c8ea5f678034b6.exe.exe

Filesize
1.2MB

MD5
1a9063c7e9f3d1225b07a64e3bf9c7ac

SHA1
4ebf9f7b41c73b16a220006a4ddd508d1e796095

SHA256
afb668011c09b9460981ab3c82c998b50efafbf1197cb0ca7c9e46d67c00b817

SHA512
d5e19362bf493f8783fc8b35158629405c246d8ab004be2b2141654dcd1f0048e86c2a22bfb3fbda9268b67de80c9520bbf5d14291ae9394272d5ad8730ba09c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
ec97bb30cb318c88de256c47be810caf

SHA1
573eaca1e8579a591e68f29ecf10f2721eb48df8

SHA256
befdbd9bbc7c5452387811839a4e884cb49b62a35b94c00b7f56ce12811ee48a

SHA512
d8123682e897720a6974a2a6fb78ec67116965859165880128433944f697791925320b818b98f95c07dcfbeeedb3b0797111c92cbfccdb2d6d29f521c577f7c0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
8B

MD5
5979a5ab5d6ce7068aff133101a79c52

SHA1
8ec7729d3782fc978cc50f9b3217fc8309ae7733

SHA256
6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

SHA512
213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

Download Submit
memory/1224-66-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1344-60-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1460-17-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/1460-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-15-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/1460-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-721-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-1889-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-3349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download