e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe
Size

70KB
MD5

58a2bbc5b5978fd377c9b999eb5e3aa2
SHA1

3d0d38605ae118aff018cbe57c3131ed56929a25
SHA256

e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d
SHA512

929645d0cbcaaae44b0c1fe368cd565bfd76241e1e3b68bc0f800eabad8e2bf8e98f321997f4901182e850b7d52f91917cfb1bc42a773dfe5e5d59a33e07539a
SSDEEP

1536:pM93SHuJV9NdEToa9D4ZQKbgZi1dst7x9PxQ:pkkuJVLtlZQKbgZi1St7xQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1896	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	Logo1_.exe
2760	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe

Loads dropped DLL 1 IoCs

pid	Process
1896	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe
File created	C:\Windows\Logo1_.exe	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1896	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	28
PID 2644 wrote to memory of 1896	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	28
PID 2644 wrote to memory of 1896	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	28
PID 2644 wrote to memory of 1896	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	28
PID 2644 wrote to memory of 2204	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	29
PID 2644 wrote to memory of 2204	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	29
PID 2644 wrote to memory of 2204	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	29
PID 2644 wrote to memory of 2204	2644	e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe	29
PID 1896 wrote to memory of 2760	1896	cmd.exe	32
PID 1896 wrote to memory of 2760	1896	cmd.exe	32
PID 1896 wrote to memory of 2760	1896	cmd.exe	32
PID 1896 wrote to memory of 2760	1896	cmd.exe	32
PID 2204 wrote to memory of 2688	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2688	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2688	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2688	2204	Logo1_.exe	31
PID 2688 wrote to memory of 2836	2688	net.exe	34
PID 2688 wrote to memory of 2836	2688	net.exe	34
PID 2688 wrote to memory of 2836	2688	net.exe	34
PID 2688 wrote to memory of 2836	2688	net.exe	34
PID 2204 wrote to memory of 1336	2204	Logo1_.exe	21
PID 2204 wrote to memory of 1336	2204	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe
  "C:\Users\Admin\AppData\Local\Temp\e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA2E.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe
      "C:\Users\Admin\AppData\Local\Temp\e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe"
      4⤵
      Executes dropped EXE
      PID:2760
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
9642e3981da9e800fb37f8259c2cb8b1

SHA1
502be0ef8a9a221dd1941b59d95a9a9650314f81

SHA256
e2276cd3037e9e70d361f4e9a7fe2109122597d526550851ba66e0306ddff75b

SHA512
39e93b04ba6efb002cbd674859c0201aa8a07a784a9dcfe1506025bfb75172da12b2fe9039a5ec33337ec11367ce6c65999c64325b1355f6e900c928d8139533

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
de4228cb7a5a7f082477f6a504b822a7

SHA1
dfd84f0b6f4977bfda43b1827aa747a9a5a8a38b

SHA256
8c5089a062734aa1a66e70700d4f33f2f54157c4bb3ed4d6ce1a852de8b6f90b

SHA512
a3b64b10a22dedebfa48e7705e148d50df480fa9bb0669bc06951ab0ff5f97657f72dc8b71db610499ee38ecae9ae494265841a737806bed7c061d0b634913c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA2E.bat

Filesize
721B

MD5
e978931914bde88fcfcd77811166854b

SHA1
907216af18b091c5e0933a8d9e8b07edc13ac45b

SHA256
12d2c812d9fe3b849bb842434a00f9d287f2308c014915c2545aa2542dd0bef1

SHA512
f3bc45015d75db51dbdab82d6b3c7458023e0ebc05daa709a89d3babaeaa33d0d8092e20247bad89dc89ad028f10a3b0c10708652f223ae8ecd1552a9dead603

Download Submit
C:\Users\Admin\AppData\Local\Temp\e306911d6b1b074cb04441c456100bef983ef4081997247f989a1e1b0ff0752d.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
36778acdea28f8bc397f537f4ce9e4e4

SHA1
a82a2231e67c821f729f93d8439802c9cdc5f4e2

SHA256
00863f68356325af40ccd6ac2f6b34bd28a3a931a7abf4fc50b74bef5192c1b7

SHA512
a5b6891f913984b086cb78ffe3329c704cb0a59fd5c375abdd8602d06d1f661618a9c26ed962af2e067b2b5b989d87364db21cde533b6fe9194c231d23a21dea

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\_desktop.ini

Filesize
9B

MD5
1f206a052c160fd77308863abd810887

SHA1
3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1

SHA256
45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1

SHA512
bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

Download Submit
memory/1336-30-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2204-633-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-2336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-3337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-1877-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2644-42-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2644-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2644-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download