a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe
Size

64KB
MD5

c6e347ca31a9a297d86af103abc33c0b
SHA1

c09d25c707686a843fcfcd8f49d7c2912e79efb9
SHA256

a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139
SHA512

8ef3ce6810b0669e0071b967cf13b884dc68d4a2d8a77d13df10fbd5ec75f169296a25e73ec02a9369066e06f04d62d26a9abfdd1a3f7419d80232b1e22bb27f
SSDEEP

1536:or3SHmLKarIpYCriw+d9bHrkT5gUHz7FxtJ:orkF3pxrBkfkT5xHzD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2472	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	Logo1_.exe
2784	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe

Loads dropped DLL 1 IoCs

pid	Process
2472	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe
File created	C:\Windows\Logo1_.exe	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe
2212	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2472	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	28
PID 2184 wrote to memory of 2472	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	28
PID 2184 wrote to memory of 2472	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	28
PID 2184 wrote to memory of 2472	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	28
PID 2184 wrote to memory of 2212	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	29
PID 2184 wrote to memory of 2212	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	29
PID 2184 wrote to memory of 2212	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	29
PID 2184 wrote to memory of 2212	2184	a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe	29
PID 2212 wrote to memory of 2616	2212	Logo1_.exe	31
PID 2212 wrote to memory of 2616	2212	Logo1_.exe	31
PID 2212 wrote to memory of 2616	2212	Logo1_.exe	31
PID 2212 wrote to memory of 2616	2212	Logo1_.exe	31
PID 2472 wrote to memory of 2784	2472	cmd.exe	33
PID 2472 wrote to memory of 2784	2472	cmd.exe	33
PID 2472 wrote to memory of 2784	2472	cmd.exe	33
PID 2472 wrote to memory of 2784	2472	cmd.exe	33
PID 2616 wrote to memory of 1652	2616	net.exe	34
PID 2616 wrote to memory of 1652	2616	net.exe	34
PID 2616 wrote to memory of 1652	2616	net.exe	34
PID 2616 wrote to memory of 1652	2616	net.exe	34
PID 2212 wrote to memory of 1136	2212	Logo1_.exe	20
PID 2212 wrote to memory of 1136	2212	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe
  "C:\Users\Admin\AppData\Local\Temp\a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF1E.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe
      "C:\Users\Admin\AppData\Local\Temp\a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe"
      4⤵
      Executes dropped EXE
      PID:2784
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
07dfea84a37074ab4aeee668afefc263

SHA1
2a735d75fa11191ddec37aad6552ada029bb286d

SHA256
bc8f1ef7ad9dd42375c3841bc745155326fe7b04e5f7b258feb078a9e58a48b6

SHA512
c594c418adfff394998bd107c9c168f9dd3fbd21d2e6b24309005d126a695e4fc17fb88fb43a9a6a31197ba26e8779518e40ac360a5b7dfe53a232a4bf19076c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF1E.bat

Filesize
721B

MD5
ac578b0d69782bbc454dadbddb35f71c

SHA1
1b61f4541b33349257afd77efe765f7218583130

SHA256
724a4f1a62c0e22fc7130a5f1e61169ac4cb5dfa68f74e35d7ae65a00471b674

SHA512
0f3d70d449913fd3eac259c86bbaf07dbff4bec046effb036967a265a72a79152a2f50cc57905cb483bd5a748f1ed71ba597812e0d4aeda831b889a043c822c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a766115974274a594355eea1d7dd41893bce33bc215a9593b030578891c05139.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
e7022dfd7727b47fccc1c511a84e8c53

SHA1
9e258e645aa3df99b556e98bbe7390308014fbe9

SHA256
cffb794dcc2ef8b81c440fe0bc09f3172040e73d1ac9ef9e3a108ebb822a89e4

SHA512
69cb26c5dc0f6f4dd7d0ad32d921799bdba0cedfe063246a6c526872c9f211267e3e5989fcaa1f35ea19d4b06dd44f9d3d032db5b28f9a69581558d3eb2ebac9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
4f2460b507685f7d7bfe6393f335f1c9

SHA1
378d42f114b1515872e58de6662373af31ab8c7b

SHA256
47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42

SHA512
75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

Download Submit
memory/1136-29-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2184-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2184-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-1849-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-1979-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-3309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2212-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download