Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system -
submitted
03-06-2024 22:32
Static task
static1
Behavioral task
behavioral1
Sample
37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
Resource
win10v2004-20240426-en
General
-
Target
37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
-
Size
101KB
-
MD5
99c3a63d1ecdd268ecded4677e785f8d
-
SHA1
fb9083c78e20b7cbced36047a33cabd4ecd04bfa
-
SHA256
37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e
-
SHA512
eb3a82d70eb616abbc87fac3fc0afc15f08342462cd4deb0313f326a0cf46581e04aca109de41a664543439d91960ceeb6071112a9a59e0f3a0f3af1cab53a64
-
SSDEEP
1536:tfgLdQAQfcfymNa2Go0VeoE4p9nV5Icq+cRXZ2N4xHuF8sQWNe5lb1PW:tftffjmNfGvE4pL4zv2NL6sRe5lxe
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
2024 cmd.exe
-
Executes dropped EXE 3 IoCs
pid Process
2412 Logo1_.exe
2636 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
2968 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\X: Logo1_.exe
File opened (read-only) \??\U: Logo1_.exe
File opened (read-only) \??\Q: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
File opened (read-only) \??\Z: Logo1_.exe
File opened (read-only) \??\Y: Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
File opened (read-only) \??\N: Logo1_.exe
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\W: Logo1_.exe
File opened (read-only) \??\R: Logo1_.exe
File opened (read-only) \??\O: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened (read-only) \??\V: Logo1_.exe
File opened (read-only) \??\P: Logo1_.exe
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\H: Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Journal\fr-FR\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\DVD Maker\fr-FR\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\en-US\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\rundl132.exe 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
File created C:\Windows\Logo1_.exe 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
2412 Logo1_.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 2436 wrote to memory of 2024 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 28
PID 2436 wrote to memory of 2024 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 28
PID 2436 wrote to memory of 2024 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 28
PID 2436 wrote to memory of 2024 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 28
PID 2436 wrote to memory of 2412 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 29
PID 2436 wrote to memory of 2412 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 29
PID 2436 wrote to memory of 2412 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 29
PID 2436 wrote to memory of 2412 2436 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe 29
PID 2412 wrote to memory of 3008 2412 Logo1_.exe 31
PID 2412 wrote to memory of 3008 2412 Logo1_.exe 31
PID 2412 wrote to memory of 3008 2412 Logo1_.exe 31
PID 2412 wrote to memory of 3008 2412 Logo1_.exe 31
PID 3008 wrote to memory of 2564 3008 net.exe 35
PID 3008 wrote to memory of 2564 3008 net.exe 35
PID 3008 wrote to memory of 2564 3008 net.exe 35
PID 3008 wrote to memory of 2564 3008 net.exe 35
PID 2412 wrote to memory of 1192 2412 Logo1_.exe 21
PID 2412 wrote to memory of 1192 2412 Logo1_.exe 21
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 1192)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe (depth 2, PID 2436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2024)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1600.bat
      Signatures: Deletes itself
      - C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe (depth 4, PID 2636)
        Command line: "C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe"
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe (depth 4, PID 2968)
        Command line: "C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (depth 3, PID 2412)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (depth 4, PID 3008)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5, PID 2564)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5
fa03025a5356ec12c1be2bf6f554120d
SHA1
2bcdaa6bbce818a1d260c4293a07b5076a104e56
SHA256
8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a
SHA512
c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0
-
Filesize
471KB
MD5
4cfdb20b04aa239d6f9e83084d5d0a77
SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
-
Filesize
722B
MD5
d30910b4e44c72bd8212b57baeeeae1b
SHA1
8cb8a2b15497707d24c6380e9fd574482f544e3f
SHA256
228f4112f88f68c681cf7cb85d6bd1a6fdd6597db579b1beab1855a6b0700679
SHA512
9d1623f7af915e4a2813c4b60f7de8425c12049e4bea57b7f6dd46b41854a3d2ef54cbd028255b25df1ab94505c39b497440d6f50ab7d6fd6227949905611ad0
-
C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe.exe
Filesize
75KB
MD5
a7851a05e83f42f741a804320c485083
SHA1
b76d2e6eb6d2bf289a5118c908578906851460d0
SHA256
3600ff58fdb37f53562e626fd74d6f4d8d39925d711a96f221bb4aca7992926a
SHA512
eadbfbee79aa0f34b35e0a9c9d717b3c8ac18729df8e52332b696352a2a41d0da37119ab1cb81a10bb7854b930e6479686f8fa8b5a447d48213e3c1c9304ce7b
-
Filesize
26KB
MD5
4298e0c223e6572693e5a6b29279c1da
SHA1
5bd4c027c9433de22fec622bb7b13b863cee8de4
SHA256
bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43
SHA512
d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1
-
Filesize
8B
MD5
a6f28952c332969f9e6d9f7d1a449737
SHA1
31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256
d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512
8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac