9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
Size

713KB
MD5

ffdbd977631c89f8ac910412721b705d
SHA1

e3adde2e079d228bd0ab7e4d82b8c998091f4c96
SHA256

9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a
SHA512

e30614fe558549bfc9e17eea798892d4fe13674da311724169a25250cfd80d910748ef5a4497b51301a67aab14ecb1fb1130be2c3186b02c25570724df39c7b8
SSDEEP

12288:/fC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:XLOS2opPIXV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2316	Logo1_.exe
2872	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
1180	Explorer.EXE

Loads dropped DLL 3 IoCs

pid	Process
2264	cmd.exe
2264	cmd.exe
1180	Explorer.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
File created	C:\Windows\Logo1_.exe	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe
2316	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2264	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	28
PID 1732 wrote to memory of 2264	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	28
PID 1732 wrote to memory of 2264	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	28
PID 1732 wrote to memory of 2264	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	28
PID 1732 wrote to memory of 2316	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	30
PID 1732 wrote to memory of 2316	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	30
PID 1732 wrote to memory of 2316	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	30
PID 1732 wrote to memory of 2316	1732	9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe	30
PID 2316 wrote to memory of 2736	2316	Logo1_.exe	31
PID 2316 wrote to memory of 2736	2316	Logo1_.exe	31
PID 2316 wrote to memory of 2736	2316	Logo1_.exe	31
PID 2316 wrote to memory of 2736	2316	Logo1_.exe	31
PID 2264 wrote to memory of 2872	2264	cmd.exe	33
PID 2264 wrote to memory of 2872	2264	cmd.exe	33
PID 2264 wrote to memory of 2872	2264	cmd.exe	33
PID 2264 wrote to memory of 2872	2264	cmd.exe	33
PID 2736 wrote to memory of 2616	2736	net.exe	34
PID 2736 wrote to memory of 2616	2736	net.exe	34
PID 2736 wrote to memory of 2616	2736	net.exe	34
PID 2736 wrote to memory of 2616	2736	net.exe	34
PID 2316 wrote to memory of 1180	2316	Logo1_.exe	21
PID 2316 wrote to memory of 1180	2316	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180
- C:\Users\Admin\AppData\Local\Temp\9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
  "C:\Users\Admin\AppData\Local\Temp\9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a79F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe
      "C:\Users\Admin\AppData\Local\Temp\9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe"
      4⤵
      Executes dropped EXE
      PID:2872
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
4a831cc40ad82d175a06f57036ba754e

SHA1
962730e270c20c164c76081438ecb74e944f7704

SHA256
696d3dd56ec8c3f2d858954c6995d01aaca1192d8cfea2fb9eda151111586823

SHA512
92bcd0066ed0f84c7bd35b210ca0848df96d28c8bc1d820477ddbd0166e70a511f3a03ea9e024a8994a498451f200f104c48dc9847d0e5688048b58f621b649c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
25408b7ff8c885c99c0429788fcc1320

SHA1
e5a91f3984dd3569a32a8b82c95a5430e828eb75

SHA256
ce5b5c337e6b25e7ea60ab1a528dcf8c70e952761b99c47a5051a17aabd9462c

SHA512
680cfc4bbcf7859075dd43a4a4e3a41084cd3e4783ad3fb35f1d9ee1971a3324ef132f65bd8afd9e245eb2ffcd27e02b035f1f96a0a97a06c37b620849d68c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a79F.bat

Filesize
721B

MD5
0f55ecd6bed8d161f02e483f7b49b838

SHA1
cf4b1dd9b0e39e2d117eaf1897e7466ec318a6ca

SHA256
3997be0e8e0c5f20a122e1b0bd8837e6ea3841af5ff159a21887c80e02112299

SHA512
58347d28c1c97caf357ee3421cb3e489844a68f5e564b12ec0f0cce8a95c17ffba06680a60dbbbcc048472f8ba97f4bdc339bb5add7fb2b235570564147af374

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a6ece168a48f14ab6bfcf695c3057efaa8000d1b69d22321c161942365ab85a.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4e1f0da433bdb4abe2de4bbd3e91fbb3

SHA1
518053cd950cb8a6b5099aa32c372c306288d67d

SHA256
73fbd4eef82cda9aee633fef1b68df03e3eacf215af0f6eb77e2c5a0bd47006f

SHA512
5a2e729d13147df4cd423d804c959d75e0b31b1cac3793f089ea6c0002d8f1b3787d14278922b9fe811cbe1a70d67af188be5e7f9c31b70b826b7a13ed570b03

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

Filesize
9B

MD5
60b1ffe4d5892b7ae054738eec1fd425

SHA1
80d4e944617f4132b1c6917345b158f3693f35c8

SHA256
5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4

SHA512
7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Download Submit
memory/1180-34-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1732-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-16-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1732-12-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/1732-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-1878-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-2468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-3338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download