fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe
Size

957KB
MD5

1c3727157c9b5c479ccac71a073f832d
SHA1

5dfa449491f69955a25477f3390c2aabd7f63129
SHA256

fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8
SHA512

5444d21b138385be1d51060924747924aec6a8bb183abf924a6f1b861390eb682f8ea2c924ae4b1bd6d7ca08c0407077c5f0112ebcf11ae42275e0ded24edb3a
SSDEEP

12288:op7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:opEBpDRmi78gkPXlyo0G/jr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	Logo1_.exe
2388	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	cmd.exe
2996	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2388	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe
Token: 35	2388	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2996	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	28
PID 1632 wrote to memory of 2996	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	28
PID 1632 wrote to memory of 2996	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	28
PID 1632 wrote to memory of 2996	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	28
PID 1632 wrote to memory of 2984	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	29
PID 1632 wrote to memory of 2984	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	29
PID 1632 wrote to memory of 2984	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	29
PID 1632 wrote to memory of 2984	1632	fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe	29
PID 2984 wrote to memory of 2800	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2800	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2800	2984	Logo1_.exe	31
PID 2984 wrote to memory of 2800	2984	Logo1_.exe	31
PID 2996 wrote to memory of 2388	2996	cmd.exe	33
PID 2996 wrote to memory of 2388	2996	cmd.exe	33
PID 2996 wrote to memory of 2388	2996	cmd.exe	33
PID 2996 wrote to memory of 2388	2996	cmd.exe	33
PID 2800 wrote to memory of 2612	2800	net.exe	34
PID 2800 wrote to memory of 2612	2800	net.exe	34
PID 2800 wrote to memory of 2612	2800	net.exe	34
PID 2800 wrote to memory of 2612	2800	net.exe	34
PID 2984 wrote to memory of 1136	2984	Logo1_.exe	20
PID 2984 wrote to memory of 1136	2984	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe
  "C:\Users\Admin\AppData\Local\Temp\fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFD9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe
      "C:\Users\Admin\AppData\Local\Temp\fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2388
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
6d246b802cdf4b81353fe34cb221fdb8

SHA1
d92a6378a04217b940c89286a39e1eab702f47cf

SHA256
0bd01f635d432ab549a8c2d69fc98b188ab8bff1eef29f12a71cd5d93425e133

SHA512
4a7540027887a366d6d90f2ca31cd96c048e7614aa396ceb43b0574e44ab1da99c36a310141c60cadb8899056d1807b929b088c6631b4e58c9908312d70c6f87

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFD9.bat

Filesize
721B

MD5
7fed5b94657b42873702e5e132a93e04

SHA1
148c5d67f6adee63db2201eab624eb374e64cff4

SHA256
0a65a9ced9a54ee529771a5cdb19fbdd784fd45f50f568eb1d61aa83d31caf7e

SHA512
afd5467d32d0b922d7e2bb7d3ad1afe70dc68060d8d7a50bfff3c494fcba465f237e83cebf02d66470e918a896c74dd37183a69e3cc6627488f0609f89099d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\fee338e9134422043d5867c2e51f4cf17401e4a184132447ededd7f787bd21e8.exe.exe

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
39e497cfe5ee1015a8eade0361e7a546

SHA1
c9b531e4401f80af45ede3a86a13e9178d937a11

SHA256
c26fde0bf11ea567a77d3c88aad819e7f61be03569cc2384709b04a8ec1286c9

SHA512
d37ffc774bf5d30277d6c7e30f192e0bb3ff41bb54d851ba817876c68cfc78e60505382f8107ea71b724161bc3158eca040ef32774337d214e01971417ac0ba2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

Filesize
9B

MD5
3b22ce0fee2d1aaf2c66dcd142740e29

SHA1
94d542b4bb9854a9419753c38e6ffe747653d91c

SHA256
8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

SHA512
efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

Download Submit
memory/1136-29-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1632-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-1875-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-1891-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-3335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download