4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe
Size

485KB
MD5

fb2357135fd0dd6da28cbe9916e9794f
SHA1

6de04a59386997d7a72d2b5f24f89850c7277a93
SHA256

4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066
SHA512

6d2825bff154c9cf3a089962c6a967ff762225959da8e12a5c9789128e9d20d5779e9eac67adc40b6fb2f36a23ac7bb075ec0858d1ccd02e2bc5732e3dd74110
SSDEEP

6144:+Fpuz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7E:Ypo1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	Logo1_.exe
2672	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe

Loads dropped DLL 1 IoCs

pid	Process
2216	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe
File created	C:\Windows\Logo1_.exe	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe
2252	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2216	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	28
PID 2796 wrote to memory of 2216	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	28
PID 2796 wrote to memory of 2216	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	28
PID 2796 wrote to memory of 2216	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	28
PID 2796 wrote to memory of 2252	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	29
PID 2796 wrote to memory of 2252	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	29
PID 2796 wrote to memory of 2252	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	29
PID 2796 wrote to memory of 2252	2796	4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe	29
PID 2216 wrote to memory of 2672	2216	cmd.exe	32
PID 2216 wrote to memory of 2672	2216	cmd.exe	32
PID 2216 wrote to memory of 2672	2216	cmd.exe	32
PID 2216 wrote to memory of 2672	2216	cmd.exe	32
PID 2252 wrote to memory of 2652	2252	Logo1_.exe	31
PID 2252 wrote to memory of 2652	2252	Logo1_.exe	31
PID 2252 wrote to memory of 2652	2252	Logo1_.exe	31
PID 2252 wrote to memory of 2652	2252	Logo1_.exe	31
PID 2652 wrote to memory of 2456	2652	net.exe	34
PID 2652 wrote to memory of 2456	2652	net.exe	34
PID 2652 wrote to memory of 2456	2652	net.exe	34
PID 2652 wrote to memory of 2456	2652	net.exe	34
PID 2252 wrote to memory of 1196	2252	Logo1_.exe	21
PID 2252 wrote to memory of 1196	2252	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe
  "C:\Users\Admin\AppData\Local\Temp\4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a147A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe
      "C:\Users\Admin\AppData\Local\Temp\4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe"
      4⤵
      Executes dropped EXE
      PID:2672
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
f0b698a8d0b18981e266778c961213e9

SHA1
e4d9e1b71ffb25109f0b2867fec168b5de1e1817

SHA256
d065ad01da4dda315895c5c13c12d45c9c9b4a846f4b3268d0cdb03d3ca6e1e5

SHA512
1c6bbdaf8af9c27bb9271ac0bbdda4ed34399e633ca90812cff6496a6678a7a08c6003b4f8838a6c66655ef5ed607518284c1caa0bd28eb52a45ceed314c27cb

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a147A.bat

Filesize
722B

MD5
07be5c9cd500dd42889dcf74605f697a

SHA1
c69a3e68166a7ced309ebec63340885619228c01

SHA256
f098908bacff12fc740ce8a81ce38359ca4d150c263c16a48afea710bb878eca

SHA512
924628e5bc6557e9fa5455ab56185fa84ab0f5ec0979a22fea48a034586214f8148ad830aff95775195501a77f4b289baa65905943a97263527e2a02bfccee88

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c269a9225f4475cd445b31c9ff3cf6e83e73d3f37dfdb19979e8c73bc97c066.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
02b99e6376ac7c440ada9a035d4354d6

SHA1
6f6c7b1d4145a314e724f43f0d507dcdd1b0dd9e

SHA256
aef910aaa2fe7dcb2f3aa1c3e5ea1a7a2e9b77761716968e4838ccac05726397

SHA512
6b0ce6a03e764f0b883bd4170a7d199d69105b3780ac172450986e0a8036ab18a5c63bb2d1836daf999f711a48b1a0f81b6df5a593083f21960cdb60dbe909cc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
3ba8d99ae07bfe971a8f27f082803beb

SHA1
dbcc6b45ae3dc7be2faab524a0fc7415146f128d

SHA256
df296de0196b4b56afab78a4a7d68c1cffc9f7f91ebb05dde41f6c382dbd9af3

SHA512
ace344b467ecbdf133c69fd4ead288213167a0cd991088b987083df9a9a5b49d9c1588343a81fea32a5e7e3e3d621beaca6924bbcf92471578133c9c111785b5

Download Submit
memory/1196-30-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2252-1851-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-2150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-3311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-17-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download