1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 02:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe
Size

66KB
MD5

3264faa47240c1e10b2aeb7e66c430fe
SHA1

ba505d5a242c50cff6681aad0bf0d99c27f57a26
SHA256

1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c
SHA512

1332d768b6c79cec221f3ef372e1e4b02bff3d3e507a40a55ea184841133477c8ed2783916c7bee95503d005f58cf41c4bb7836d2f67ba2a7032fe9033081473
SSDEEP

1536:pmyEO3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:pmyEOkuJVLBrBkfkT5xHzD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2172	Logo1_.exe
2612	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe

Loads dropped DLL 1 IoCs

pid	Process
2884	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe
File created	C:\Windows\Logo1_.exe	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe
2172	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2884	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	28
PID 1984 wrote to memory of 2884	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	28
PID 1984 wrote to memory of 2884	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	28
PID 1984 wrote to memory of 2884	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	28
PID 1984 wrote to memory of 2172	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	30
PID 1984 wrote to memory of 2172	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	30
PID 1984 wrote to memory of 2172	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	30
PID 1984 wrote to memory of 2172	1984	1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe	30
PID 2884 wrote to memory of 2612	2884	cmd.exe	32
PID 2884 wrote to memory of 2612	2884	cmd.exe	32
PID 2884 wrote to memory of 2612	2884	cmd.exe	32
PID 2884 wrote to memory of 2612	2884	cmd.exe	32
PID 2172 wrote to memory of 2976	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2976	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2976	2172	Logo1_.exe	31
PID 2172 wrote to memory of 2976	2172	Logo1_.exe	31
PID 2976 wrote to memory of 1708	2976	net.exe	34
PID 2976 wrote to memory of 1708	2976	net.exe	34
PID 2976 wrote to memory of 1708	2976	net.exe	34
PID 2976 wrote to memory of 1708	2976	net.exe	34
PID 2172 wrote to memory of 1208	2172	Logo1_.exe	21
PID 2172 wrote to memory of 1208	2172	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe
  "C:\Users\Admin\AppData\Local\Temp\1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D70.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe
      "C:\Users\Admin\AppData\Local\Temp\1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe"
      4⤵
      Executes dropped EXE
      PID:2612
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
e96712cc2991fab37a21ceeeee83b1f6

SHA1
e7894f4029baf5faa81584bab7d20acb0feadf5f

SHA256
fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

SHA512
fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1D70.bat

Filesize
722B

MD5
e3011eb5633807c1b464e91af4b35d06

SHA1
a6a8154a1ed0f92e244d28d98cdc99fdadc45675

SHA256
d4c9ea2f6428d885268907c65b07d2fc119b2500795c3cbec09ce448920fe270

SHA512
781a19f25cf0fc087a69a4ba9d60e8cc97f6b464d590d816c9ecf15811f830942b58346b1610f726b3a5fd6e1316511bcef051c1b5f5c6825cde0aeb9829bfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fe3e6deebd78029dac704c455ac6c80ec4ae3b0589313d12c4592e729f3db0c.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
2236c190c6eefa4f9989253ccd774f23

SHA1
b6b9ed304b1e97fd0603babb56630b579a19ce1b

SHA256
fe84771a73ad3c7ff5219a169fb089e31af2f491a4ba3a573a62f6ea57eb41be

SHA512
804c6b1458c038dbbe809775d22df84cc1bc52eead5a083887c4d426edb2a214d1d518405f99ca88cd3c58043998d8a0d5735fee884aeee98cd5cfd79b1aa976

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/1208-30-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1984-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1984-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-634-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-1852-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-2296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-3312-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download