Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22/05/2024, 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
  Resource: win10v2004-20240426-en
General
Target: d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
Size: 644KB
MD5: 5219d2a27483ace8cb4ca13087278ba0
SHA1: 00a3fb312bf43cd648065aaa87b9ad678f4813ea
SHA256: d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a
SHA512: 990f6a8686d495c3af64d1d310c5fa2b322cf46d3b7ebc7654ff0d13c89a694d25a205a351773b5d648e6d446b632e068e8949f02447285e12880e3169248175
SSDEEP: 12288:m7+xuFHpC49i82L5/2+xyhgGatNTxleYISSNPXu1cCS42G+GM:m78uFHs582RpxyhlgxleDNNPXu1IG+GM
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 1676, process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2216, process Logo1_.exe
  pid 2680, process d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
Loads dropped DLL (1 IoC)
  pid 1676, process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\V: by Logo1_.exe
  File opened (read-only) \??\U: by Logo1_.exe
  File opened (read-only) \??\T: by Logo1_.exe
  File opened (read-only) \??\S: by Logo1_.exe
  File opened (read-only) \??\Q: by Logo1_.exe
  File opened (read-only) \??\N: by Logo1_.exe
  File opened (read-only) \??\L: by Logo1_.exe
  File opened (read-only) \??\Z: by Logo1_.exe
  File opened (read-only) \??\E: by Logo1_.exe
  File opened (read-only) \??\G: by Logo1_.exe
  File opened (read-only) \??\W: by Logo1_.exe
  File opened (read-only) \??\R: by Logo1_.exe
  File opened (read-only) \??\P: by Logo1_.exe
  File opened (read-only) \??\O: by Logo1_.exe
  File opened (read-only) \??\M: by Logo1_.exe
  File opened (read-only) \??\K: by Logo1_.exe
  File opened (read-only) \??\J: by Logo1_.exe
  File opened (read-only) \??\Y: by Logo1_.exe
  File opened (read-only) \??\I: by Logo1_.exe
  File opened (read-only) \??\H: by Logo1_.exe
  File opened (read-only) \??\X: by Logo1_.exe
Drops file in Program Files directory (64 IoCs; _desktop.ini files created or opened for modification by Logo1_.exe across Program Files subdirectories)
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
  File created C:\Windows\Logo1_.exe by d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2216, process Logo1_.exe (10 identical entries)
Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2840 wrote to memory of 1676, process d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe, procid_target 28 (4 entries)
  PID 2840 wrote to memory of 2216, process d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe, procid_target 29 (4 entries)
  PID 2216 wrote to memory of 2664, process Logo1_.exe, procid_target 30 (4 entries)
  PID 2664 wrote to memory of 2684, process net.exe, procid_target 33 (4 entries)
  PID 1676 wrote to memory of 2680, process cmd.exe, procid_target 34 (7 entries)
  PID 2216 wrote to memory of 1196, process Logo1_.exe, procid_target 21 (2 entries)
Processes
C:\Windows\Explorer.EXE (PID 1196)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe (PID 2840)
    command line: "C:\Users\Admin\AppData\Local\Temp\d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1676)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a21F2.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe (PID 2680)
        command line: "C:\Users\Admin\AppData\Local\Temp\d9321376502cd97f9f02f196c168d6a62f13ddf1408e62132180aa821476663a.exe"
        signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2216)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2664)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2684)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads