28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe
Size

40KB
MD5

1d2b84f8d068e0a06b3059d67370677a
SHA1

0ff4cc5d331b9a3e2b19ddd299237d93e6e5ba6d
SHA256

28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12
SHA512

d463518b851a5fda69565627f0d1887ffc086fdc43f08696b799184cb57657e54ea479f5c5118da6ae5ec9e5b3eb1e606a2ed5a290bf48fa503fea3cb7f2f500
SSDEEP

768:pHFc16GVRu1yK9fMnJG2V9dHS8ANlEMi2jpv8vC:pHw3SHuJV9NUNlj958K

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	Logo1_.exe
2524	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe

Loads dropped DLL 7 IoCs

pid	Process
3008	cmd.exe
3008	cmd.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe
File created	C:\Windows\Logo1_.exe	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	2524	WerFault.exe	32

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe
3064	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3008	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	28
PID 2172 wrote to memory of 3008	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	28
PID 2172 wrote to memory of 3008	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	28
PID 2172 wrote to memory of 3008	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	28
PID 2172 wrote to memory of 3064	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	29
PID 2172 wrote to memory of 3064	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	29
PID 2172 wrote to memory of 3064	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	29
PID 2172 wrote to memory of 3064	2172	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	29
PID 3064 wrote to memory of 2620	3064	Logo1_.exe	31
PID 3064 wrote to memory of 2620	3064	Logo1_.exe	31
PID 3064 wrote to memory of 2620	3064	Logo1_.exe	31
PID 3064 wrote to memory of 2620	3064	Logo1_.exe	31
PID 3008 wrote to memory of 2524	3008	cmd.exe	32
PID 3008 wrote to memory of 2524	3008	cmd.exe	32
PID 3008 wrote to memory of 2524	3008	cmd.exe	32
PID 3008 wrote to memory of 2524	3008	cmd.exe	32
PID 2620 wrote to memory of 2420	2620	net.exe	34
PID 2620 wrote to memory of 2420	2620	net.exe	34
PID 2620 wrote to memory of 2420	2620	net.exe	34
PID 2620 wrote to memory of 2420	2620	net.exe	34
PID 2524 wrote to memory of 1276	2524	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	35
PID 2524 wrote to memory of 1276	2524	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	35
PID 2524 wrote to memory of 1276	2524	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	35
PID 2524 wrote to memory of 1276	2524	28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe	35
PID 3064 wrote to memory of 1112	3064	Logo1_.exe	20
PID 3064 wrote to memory of 1112	3064	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe
  "C:\Users\Admin\AppData\Local\Temp\28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A25.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe
      "C:\Users\Admin\AppData\Local\Temp\28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 532
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1276
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
6414be365a33e0066dae1212f40e01de

SHA1
aa0f1095a9086fdaa4e76a1502458b0a62df6aea

SHA256
05fc90a578a5395b12f2493d2d81faebdd07884b9ce4338a1d9486dd4dcae695

SHA512
e5503bb8469ad664b0aa840af0f0cb83f43fe8be79bd5c8b89879d50ad3b208b2b714ceee59dbd2be8881db0ee3c36e2f4063180459cbf70f2202aae770f02ac

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1A25.bat

Filesize
722B

MD5
31d1fd1e1a20305c5e185fade6cf136c

SHA1
b59983c0abcf8db200ad744bbbc0116a4c4fbce6

SHA256
8c95c063de5e0c308f67ec84477299142f8960f3c3ce7f46c13b10a5e8252d63

SHA512
9b029eccf5347bf95df528bd87a4d0c5b2602cf8fbb142a4664d420b9b778a899d70d1f16fe4b8ac630cf78a676bc06936ea8ef06cfee67988ea8c6fece60f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\28d83eb8bb7619d599db8361ca8917c6cb490bf57b33cdc43145f8b0447e7f12.exe.exe

Filesize
11KB

MD5
02be6d33b1edbc61c79882d3f556bd8a

SHA1
8d0afa78893ae5f04e505db0d76d0d50cf34e7da

SHA256
4c9f9b9de2ffeea9ccc6524d05ea5b78a14c1642cecc189fe40e7a57a6c294b3

SHA512
39949d9a14a17d7cf31aa222a6547be7663673872d5091a77c64b0cd863e399dcdfbff70443bc9a2c2dccc658a998afc5189469723bb5f4c8adeecab47b07967

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
30b1ef69af461b95b4bc841004fc6dc3

SHA1
bd5a8b12a9a9708221f725478049463fef2cd8f0

SHA256
921368914fba3c4a879328622ab4d117b7d3211e6ed61853a2c455abb3ce09b7

SHA512
554b72cc0dede3023082e221045a361060db9d4181be32e924724c95ea273396c8d58962f1d50718cba9ee83247f0ca6d0143f3401fed5267fdb804bc52df009

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
9B

MD5
03c36dbecb7f35761f80ba5fc5566da6

SHA1
159b7733006187467bda251a1bbb278c141dceb6

SHA256
85a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b

SHA512
fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a

Download Submit
memory/1112-38-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2172-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2524-48-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2524-30-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2524-31-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/3064-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-659-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-1859-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-2345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-3319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download