f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
Size

573KB
MD5

aaee7926f1d4dedfae7ccaea011220ed
SHA1

6962a9c655a8825f1758266a3ef73ac91dec0ed0
SHA256

f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c
SHA512

66628592bd6d2df624c0922d1c61b996a113d5e19d626b7c0b7270cdf72e3b419969dbb3c8409b8f11e7a71aad6d193c82a75a390af721948958adfb9d99974b
SSDEEP

6144:4uJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:s7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2464	Logo1_.exe
2748	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
File created	C:\Windows\Logo1_.exe	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe
2464	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2412	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	28
PID 2188 wrote to memory of 2412	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	28
PID 2188 wrote to memory of 2412	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	28
PID 2188 wrote to memory of 2412	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	28
PID 2188 wrote to memory of 2464	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	30
PID 2188 wrote to memory of 2464	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	30
PID 2188 wrote to memory of 2464	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	30
PID 2188 wrote to memory of 2464	2188	f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe	30
PID 2464 wrote to memory of 3052	2464	Logo1_.exe	31
PID 2464 wrote to memory of 3052	2464	Logo1_.exe	31
PID 2464 wrote to memory of 3052	2464	Logo1_.exe	31
PID 2464 wrote to memory of 3052	2464	Logo1_.exe	31
PID 2412 wrote to memory of 2748	2412	cmd.exe	33
PID 2412 wrote to memory of 2748	2412	cmd.exe	33
PID 2412 wrote to memory of 2748	2412	cmd.exe	33
PID 2412 wrote to memory of 2748	2412	cmd.exe	33
PID 3052 wrote to memory of 2644	3052	net.exe	34
PID 3052 wrote to memory of 2644	3052	net.exe	34
PID 3052 wrote to memory of 2644	3052	net.exe	34
PID 3052 wrote to memory of 2644	3052	net.exe	34
PID 2464 wrote to memory of 1248	2464	Logo1_.exe	21
PID 2464 wrote to memory of 1248	2464	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
  "C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2CDA.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
      "C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"
      4⤵
      Executes dropped EXE
      PID:2748
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
eaafac1d54759eb89af2aeaddcaf0828

SHA1
78f325b16ce3e651e1c7eb7c871f72a4bfd620cb

SHA256
b781177dade8538ec18a7988488fc8932e049d95823910c9615e22550ef00882

SHA512
82d9128cd9bf34f636dd76ac5fb0d02d2d5b50be03914c2d42db107cf51d3318effe50013ead12be81190abae9336ce813b07bf800c3bd82b0967cfde6acde64

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2CDA.bat

Filesize
722B

MD5
22d211040a176ca55a9bb10d454493e7

SHA1
c7df1efb52f1cd14be7bd704df221422ff90d218

SHA256
3b9e5b605156bdc1d7a98a43fd57618f58acb77f7cc5a8b542e05f98784d144f

SHA512
059dbafec84abdc470045146a74701c143218254ece9ea6ec441da7f1a6749e2cb01622cf408041cd3f855669feefa9649273d286378c8dcbee010890f70f4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4b4afa60ab9612db0737ab7239b8f929

SHA1
5f0778a55394d8b9d597e5fc31ac44fa97476add

SHA256
4ca725a5704a86df766dcff486f19f1edff6e13b5f15f7dc3c96173a80fccbe5

SHA512
11830a5968678ec86f6d39e77dc192fb0dc334ce97959ac076adeb3c27e339c328aeda64f6e3f185433a489e5dd8ea64adafc636c13b7ed93c4a73a4c0c736e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

Filesize
9B

MD5
1f206a052c160fd77308863abd810887

SHA1
3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

SHA256
45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

SHA512
bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

Download Submit
memory/1248-29-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2188-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-745-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-2545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download