b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe
Size

5.7MB
MD5

3fa64239e42ea690cf2805f0b5e1ede9
SHA1

0bb5a03c16bf965bab69e42c366cab407ba4d875
SHA256

b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a
SHA512

11af2196f582d8ae0a36f05bbc8280ee4b8c3af0d4c50d8de5f02d83a25d563fb820840f73000743bc43969a8d52d9fd6133d93cb34dc3e81b474f1435926ab1
SSDEEP

49152:EPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:iKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1092	Logo1_.exe
2880	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe
File created	C:\Windows\Logo1_.exe	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe
1092	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2724	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	28
PID 2364 wrote to memory of 2724	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	28
PID 2364 wrote to memory of 2724	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	28
PID 2364 wrote to memory of 2724	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	28
PID 2364 wrote to memory of 1092	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	30
PID 2364 wrote to memory of 1092	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	30
PID 2364 wrote to memory of 1092	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	30
PID 2364 wrote to memory of 1092	2364	b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe	30
PID 1092 wrote to memory of 2580	1092	Logo1_.exe	31
PID 1092 wrote to memory of 2580	1092	Logo1_.exe	31
PID 1092 wrote to memory of 2580	1092	Logo1_.exe	31
PID 1092 wrote to memory of 2580	1092	Logo1_.exe	31
PID 2580 wrote to memory of 1972	2580	net.exe	34
PID 2580 wrote to memory of 1972	2580	net.exe	34
PID 2580 wrote to memory of 1972	2580	net.exe	34
PID 2580 wrote to memory of 1972	2580	net.exe	34
PID 1092 wrote to memory of 1196	1092	Logo1_.exe	21
PID 1092 wrote to memory of 1196	1092	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe
  "C:\Users\Admin\AppData\Local\Temp\b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe
      "C:\Users\Admin\AppData\Local\Temp\b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe"
      4⤵
      Executes dropped EXE
      PID:2880
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f35eeb93c627f1f86a3833716bd43b6f

SHA1
dad2838568e979c1cc11ec0e7d18a869c984842a

SHA256
06da7d6de7cc0bf44d747565058bec46c996dcc2d5deb48e48839459718a967b

SHA512
1344a5244733f10ff1b23ebfb448fbafb2ea34f613ba3f662699b6bdf581b8cef3a102edeb576bc0035cabd6516cb48e7635f0636dd983c04e2f04d41f7b3a0b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eb372a6b143b6366ff21ee6ba5900cf

SHA1
1e733f0e538ca26417a3fc05e6de508f7e725f3a

SHA256
f598004aec912727e7ff242f5790b3055d48292472623893f19a5830d3a4c772

SHA512
196d6fc6d9cd2e7fe5a8644a87db184972c1ee0732238f2212422fe3f00e9786ae8d2f53058a78f0839aa1339414872e0953a703526206f9dc4749d868140117

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF9A.bat

Filesize
721B

MD5
8ec8b2d65c8dbe01c09dbca8104b69b0

SHA1
5e31054712cc89c8b56da8788ed2c6de662efd5b

SHA256
30c62eeca78d21ad24c1f8b7ffc9f4ad72fe0b92e8a5a95cb84e1a22b933efc4

SHA512
121e937c908619ad63450e81992ce6cecb6b4a58dd4094284efe0c56c2fe99cdefc6d996d4de1b6ce8bcfb79c1f5e7ce1e08a55138f9d6ba4b0b82a4d864564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b02a31698b1eee1b0cf4afe0e9f847c54bafa7cfbcd2def425aa185e5360da7a.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
c5f8315b200df9ab7e42897400c35321

SHA1
d0626edbd803f1cfa0f5ce040840b7faa79b6ac6

SHA256
e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f

SHA512
734c0ae7de718f6bbb85623d639c497af458615e790bbbd656b7142165df8de5d114c62b66831071a7e05684188ca7e8d57f4b545b8ab6846e1c0e3c5edf9a02

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/1092-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-3184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1196-30-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2364-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2364-40-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2364-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2364-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download