4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe
Size

66KB
MD5

0863d3e27d2ab727f33d6eff4e5f02a6
SHA1

f7201483dd7d4ca2ac27dfe4d48a860fb19b9ea2
SHA256

4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d
SHA512

003f0c65468d7a7df05f39cf34785e77c284c0466fa0c9d96314b952151c967fcbadea4325adf2e92d8cd0f61ceec0af335886c0000b59b60de55cd158b59bab
SSDEEP

768:p/o16GVRu1yK9fMnJG2V9dHS8HNic1iTEpgSG9TJVQBWZrvW5TNDWfKgUkKtzYiP:pi3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1192	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3020	Logo1_.exe
2592	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe
File created	C:\Windows\Logo1_.exe	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe
3020	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1192	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	28
PID 2128 wrote to memory of 1192	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	28
PID 2128 wrote to memory of 1192	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	28
PID 2128 wrote to memory of 1192	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	28
PID 2128 wrote to memory of 3020	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	30
PID 2128 wrote to memory of 3020	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	30
PID 2128 wrote to memory of 3020	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	30
PID 2128 wrote to memory of 3020	2128	4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe	30
PID 3020 wrote to memory of 2588	3020	Logo1_.exe	31
PID 3020 wrote to memory of 2588	3020	Logo1_.exe	31
PID 3020 wrote to memory of 2588	3020	Logo1_.exe	31
PID 3020 wrote to memory of 2588	3020	Logo1_.exe	31
PID 1192 wrote to memory of 2592	1192	cmd.exe	33
PID 1192 wrote to memory of 2592	1192	cmd.exe	33
PID 1192 wrote to memory of 2592	1192	cmd.exe	33
PID 1192 wrote to memory of 2592	1192	cmd.exe	33
PID 2588 wrote to memory of 2084	2588	net.exe	34
PID 2588 wrote to memory of 2084	2588	net.exe	34
PID 2588 wrote to memory of 2084	2588	net.exe	34
PID 2588 wrote to memory of 2084	2588	net.exe	34
PID 3020 wrote to memory of 1184	3020	Logo1_.exe	21
PID 3020 wrote to memory of 1184	3020	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe
  "C:\Users\Admin\AppData\Local\Temp\4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2848.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe
      "C:\Users\Admin\AppData\Local\Temp\4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe"
      4⤵
      Executes dropped EXE
      PID:2592
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
202549f4e2260f7a6f2663d25c5e29bf

SHA1
b77322a55629631fa7f903438b59fa573c107d2e

SHA256
6f12aa3b5d9a9fad447eeadcdae602df33146d86ee3c2bd5c6a1b1671d9e3dec

SHA512
00747844a004d8b8fde1cca2dc58df266dd582da33c3ec4bb2b108ce0709b319878e863cbc3fd9fdc442a996809c57b3b45f31952dce02424c0c46c44f47e101

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1ca79e3c2539763b0aaac5de49795afe

SHA1
2d240aef9a2cce22578f42ebecd3058e37a404a8

SHA256
e3e49eceb810b34fc826d70c6556d927a363f29c90b347ee4cfd61d7ba3ff2d9

SHA512
4e24d3ebcefa6545d85517bbc5bff3285f85a5967da1642a6e4e53bc2c41efc8b9092a3bbb56c1670b215d623ff5c320bcb06f654ac97482a5dff0da208349e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2848.bat

Filesize
722B

MD5
3692ac28ef60d149485d1f31dcc7a009

SHA1
84241ec13cbe525526ad4dce2e7cab6fcd680bed

SHA256
17e2be994f9451d1ff790f26530e6df7a078e023ba234e4010e4e667f2cede36

SHA512
7c3c2a7edd9c60d5a248eccc42301250523144fbb38e2baf1a7b66ce99c8436d56c127fd77a51753e00dfd8750960686c486c2b18fb3ce7242dfebd44b311dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a4e912fec20c50691bfab3e0a19f70dbf2ce58c34dc6d639bec682fcea3747d.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
840b9060bf14c47c1c8b284a24da715a

SHA1
291d0858b9a0539833555d4d2d75c98e9277db48

SHA256
82c884052cadc6a9357883b9a45af7a63c296543f1fcdc49f17ada771b641677

SHA512
d72759d589e2d78d1a3a0f90254d55b39ae21cff78094fb70d1ff2a3cc361ae9d9effbeab21b9717c158c813f420c1b58501ecb3b8981f215849810d0d40bf30

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
4d28283e4d415600ffc2f8fda6d8c91e

SHA1
053dcb8d5d84b75459bc82d8740ee4684d680016

SHA256
b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

SHA512
73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

Download Submit
memory/1184-29-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2128-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2128-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-2016-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download