ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
Size

713KB
MD5

0a03306a319e23ac41497c15246f39bd
SHA1

1b9e969bf0ef9b0ccfceddc55e586054c6c0ca1c
SHA256

ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9
SHA512

f1ba471873b4c00679b070b0306ead80f532d79a2777de8b47df8173c68a9a762e7d11c2204c5f595a1784cf4b39ef6024fafa243930f5fefcb12729175a8172
SSDEEP

12288:2fC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:KLOS2opPIXV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3060	Logo1_.exe
2596	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
1276	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
3012	cmd.exe
3012	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
File created	C:\Windows\Logo1_.exe	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe
3060	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3012	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	28
PID 1372 wrote to memory of 3012	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	28
PID 1372 wrote to memory of 3012	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	28
PID 1372 wrote to memory of 3012	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	28
PID 1372 wrote to memory of 3060	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	29
PID 1372 wrote to memory of 3060	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	29
PID 1372 wrote to memory of 3060	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	29
PID 1372 wrote to memory of 3060	1372	ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe	29
PID 3012 wrote to memory of 2596	3012	cmd.exe	32
PID 3012 wrote to memory of 2596	3012	cmd.exe	32
PID 3012 wrote to memory of 2596	3012	cmd.exe	32
PID 3012 wrote to memory of 2596	3012	cmd.exe	32
PID 3060 wrote to memory of 2324	3060	Logo1_.exe	31
PID 3060 wrote to memory of 2324	3060	Logo1_.exe	31
PID 3060 wrote to memory of 2324	3060	Logo1_.exe	31
PID 3060 wrote to memory of 2324	3060	Logo1_.exe	31
PID 2324 wrote to memory of 2600	2324	net.exe	34
PID 2324 wrote to memory of 2600	2324	net.exe	34
PID 2324 wrote to memory of 2600	2324	net.exe	34
PID 2324 wrote to memory of 2600	2324	net.exe	34
PID 3060 wrote to memory of 1276	3060	Logo1_.exe	21
PID 3060 wrote to memory of 1276	3060	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1276
- C:\Users\Admin\AppData\Local\Temp\ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
  "C:\Users\Admin\AppData\Local\Temp\ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a464.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe
      "C:\Users\Admin\AppData\Local\Temp\ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe"
      4⤵
      Executes dropped EXE
      PID:2596
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
e07b271414d7901d4be3fef46b6234ad

SHA1
383c79a26054fb1d00f931222e5f7fd7cdc2987b

SHA256
84bb3d64de9f9a1c3b1c2359204a1986fdbe17ef226274213bb17fbf0ca2198c

SHA512
d989a243a0c6e0f1fa1e562f49be1263fd2d7962f289d4a0108f046ef6f2cd87b262a4b2fbd4a94be3f9e39ac656b402f8d8aa40600db3ee02b24cf0d78e08e3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a464.bat

Filesize
721B

MD5
fc102f86234e2cbf4c635d1073617a53

SHA1
553d34f03ab147964bd2dce22931edc00a07759d

SHA256
b564dbee2c0341803a99a1504cdbbfbfb6ac403ccdab10945864dfad53a57c9c

SHA512
ffe5688db51a9ddb4dd7b50e5ecea128af9eae0be5f49b29575a08bd767ce82fb1a93b6812f963c9efe3e62be5c501e982febda012ab777d063ab919513fb4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac912296175fb6c348fbeff7431934aa203f9e26ed0ce173f99936e7ec52eaa9.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
9c93f08705742f729989246ec26c3dfa

SHA1
0b2a8d41f9b2e452aeae1f720f31814d667462ec

SHA256
f27ccbe73d56d0126cac6349b6ae5143af964c093c94570890cd38a01f200679

SHA512
f5dcb1ba3ea6191dd910fe0f781992d9344b42e2ea8034ab5775489a43971c613c995869f649d5de35656ec4b8e397de51e9e9eb0070ab8705ff14b46877ee2e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
3b22ce0fee2d1aaf2c66dcd142740e29

SHA1
94d542b4bb9854a9419753c38e6ffe747653d91c

SHA256
8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

SHA512
efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

Download Submit
memory/1276-32-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1372-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1372-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1372-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-546-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-1854-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-2029-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-3314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download