f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe
Size

548KB
MD5

29974a1c26588cd2981034475d1ba6ca
SHA1

aa5f9a6eed55cf813f485fcb846083ac3f512ce9
SHA256

f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686
SHA512

2d406726f2b0a7fac8352e9d1405f7086bd312972ec9d492e43ed6ae051cdfa74a399fc086dfbeffdd2f675e0667d748085405fefed3635e65da1298a2794d6e
SSDEEP

12288:fpUrMIztyCK5x8CBmn+RrNbEyWYa0Ie1vUx9VQ:fpGZyCA8CBmn+RrNj9ay5IQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2112	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe
File created	C:\Windows\Logo1_.exe	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe
2112	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2388	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	28
PID 2740 wrote to memory of 2388	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	28
PID 2740 wrote to memory of 2388	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	28
PID 2740 wrote to memory of 2388	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	28
PID 2740 wrote to memory of 2112	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	29
PID 2740 wrote to memory of 2112	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	29
PID 2740 wrote to memory of 2112	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	29
PID 2740 wrote to memory of 2112	2740	f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe	29
PID 2112 wrote to memory of 2568	2112	Logo1_.exe	31
PID 2112 wrote to memory of 2568	2112	Logo1_.exe	31
PID 2112 wrote to memory of 2568	2112	Logo1_.exe	31
PID 2112 wrote to memory of 2568	2112	Logo1_.exe	31
PID 2568 wrote to memory of 2496	2568	net.exe	33
PID 2568 wrote to memory of 2496	2568	net.exe	33
PID 2568 wrote to memory of 2496	2568	net.exe	33
PID 2568 wrote to memory of 2496	2568	net.exe	33
PID 2112 wrote to memory of 1200	2112	Logo1_.exe	21
PID 2112 wrote to memory of 1200	2112	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe
  "C:\Users\Admin\AppData\Local\Temp\f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1584.bat
    3⤵
    - Deletes itself
    PID:2388
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
0f097461fa47aa96a93e30f7d2035d90

SHA1
abc83b6cd09069111bec2e0a3d5fab263031eacf

SHA256
34cec2dcca6d44f6749fb03d884bef2e35afc78b9243ab2655f8571961bd045f

SHA512
63392200161e9cd6c954b562408828193d6ab6627c17338a24c805ecec673ca5841d4e12fcd75421f27bbc6849018ace4aaf676e5b27d1d8e778542db0f6d46d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1584.bat

Filesize
722B

MD5
bfe5ebc7699e0cdd75d985a6ad6c7725

SHA1
e25ef75684a9d9c5fec3fd84ae54743d80775eae

SHA256
e81e64735f6806f73039b17868255b0184342ed7680de6173d0fe243e406d59a

SHA512
1816bc9dc734d707e891d502809c60914f11d422d8ddfdc56d9d7015309e4440b1e9d41c42b375b9852fa468034e31dfa905f0c954facb7b5781fd8c9c8371e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4a0a84191816be014e697b62bb73b73f0029d4e9b8b0fdf1bc36b925cbe8686.exe.exe

Filesize
521KB

MD5
ff53be899f715d55051fe238ed2dcdee

SHA1
b038619c467b813d510d9f0b937fd393e6f45468

SHA256
bc64910c45ed35d85dfe9c4a3b47da40bfd1f7d8d9476c2fc0f6ab4a84810edd

SHA512
60c75ad01599c816b5f96438de47fd0c455572be59d6849dbf5a24f257ae9375fbf6597cc854ef8898f64360c615a22be0118712d2e136b6d8712ce772f1886c

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
2131b24dd8f450aee38379e5f4d8e03d

SHA1
ae22b4b4341c7ac99a9a88d27722fbdb95336d03

SHA256
a67439004db54760ad766c8c5ca5f3e7ab7a207a7250c16198251c69e94cd916

SHA512
dc2dab3fb3ea7f78b2787bb5f5fc417981c5d0aa93a8b60e1bc4ec297db63bd4824fc128a332d15fef652172ba6f26cc78e43a2cfe4786c9b03b87e0ee03acf5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

Filesize
9B

MD5
304501c003da3bc5756aa53a757c30cc

SHA1
94dfcea0ef17f89b3a60a85a07edb4c00170cc1c

SHA256
9f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e

SHA512
78cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8

Download Submit
memory/1200-64-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2112-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-1887-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-3347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-83-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-2573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2112-1018-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-58-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2740-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-16-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/2740-17-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download